On 04/10/2014 05:17 AM, David Hrbáč wrote: > Dne 9.4.2014 17:27, Johnny Hughes napsal(a): >> It is only things that actually used SSL in memory (like httpd, imaps, >> pop3s, etc) . those certificates COULD have been impacted. openssh was >> not impacted (based on my reading). > What about the user credentials sent over this "insecure" communication > channel. They could be also compromised... > DH Anything in the actual memory of the process can be retrieved in random 64KB chunks, when/if someone uses an exploit against your server on the https or one of the other ports (imaps, pop3s, etc). The exploiter does not get to choose the memory check they get (it is random), so they would need to run the exploit, in a loop, dump the data, and grab the info in chunks. Then they would need to string the data together or grab pieces out of the data. So, yes, older transactions on that process could be seen. So some user names, passwords, credit card numbers, any other traffic someone posted on a connection to the machine could be read in the data that was dumped and saved, including the server's private key as that key is used to decrypt the connection. That is one part of the exploit ... gleaning info from a service that is running in real time. If you are patched now, and if you restarted all services that were running the old version of ssl, then that can no longer be done to your machine. It could have been done as long as someone was exploiting the port in question from the time any from the installation of the 6.5 openssl's were installed until at least version openssl-1.0.1e-16.el6_5.4.0.1.centos.el6 (or openssl-1.0.1e-16.el6_5.7) was installed ... AND all applicable services were restarted. All of the chunks of up to 64KB that someone gathered, they can look back through. ============================== Another potential thing that someone who had access to your network traffic could have done was dump/save that IP traffic, regardless of if it was encrypted or not. They could then use, if they obtained it, the private key for an https server you connected to (one of the things they could have gotten while a server was vulnerable). If someone did get a private key and if they did save encrypted traffic that was on going, then they could at that point decrypt the traffic that they have. Those are the two possible things that could have happened. ============================= In the case of CentOS servers, the time period where that could have occurred is from December 1, 2013 (when openssl-1.0.1e-15.el6 was released in CentOS-6.5) until people using 6.5 upgrade to openssl-1.0.1e-16.el6_5.7 (available on April 8th, 2014). In the case of some other distributions, the possible time frame is from March 2012 until April 2014. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 198 bytes Desc: OpenPGP digital signature URL: <http://lists.centos.org/pipermail/centos/attachments/20140410/f083afed/attachment-0005.sig>