[CentOS] CVE-2014-0160 CentOS 6 openssl heartbleed workaround

Johnny Hughes johnny at centos.org
Wed Apr 9 14:02:25 UTC 2014


On 04/09/2014 07:40 AM, Stephen Harris wrote:
> On Wed, Apr 09, 2014 at 09:36:25AM -0400, James B. Byrne wrote:
>> However, if one was running an affected service, say httpd/ mod_ssl, on a host
>> that had sftp sessions connected to it then would not the ssh private keys of
>> the host and local users be in memory and therefore readable by the exploit? 
> [...]
>
>> state. As I understand the exploit it allows systematic transfer of every byte
>> in memory which would include the unprotected keys would it not?
> I'm pretty sure the exploit can only read the memory of the process and not
> of the kernel; "apache" shouldn't be able to read the memory space of a
> root process.  If it could then we'd have no key security at all, anyway!
> This isn't a privilege escalation attack...
>

According to heartbleed.org, private keys for httpd (or other TLS / SSL
services) are readable.  Though the 64KB bit of memory obtainable is
random, so it's not like they can just ask for the private keys or query
a database for someone's password, etc.  They could only get a random
chunk of things active in memory when they make the request.  For what
it's worth, CentOS.org is replacing our certificate private keys.  Others
can obviously make their own choices.

Thanks,
Johnny Hughes

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: OpenPGP digital signature
URL: <http://lists.centos.org/pipermail/centos/attachments/20140409/f25b11d4/attachment.sig>
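The mechanism the thread is arguing about, as an added example that is not part of the list post and not OpenSSL's own code: a small C model of the OpenSSL 1.0.1 heartbeat handler. The request carries a 16-bit payload length that the unpatched code trusts, so a request that declares 300 bytes (up to 65535 on the wire, hence the "64KB" in the mail) but sends 2 makes the handler memcpy past the end of the record into whatever else that process has on its heap, which is why material belonging to the httpd process (its TLS private key, session data) is at risk while the kernel and other processes are not. The heap layout, the `SECRET` marker string and the helper names (`lay_out_heap`, `process_heartbeat`, `heartbleed_leaks`) are constructed for this demo; the length check that the `hardened` flag enables mirrors the one added in the actual fix (`1 + 2 + payload + 16 > rrec.length`).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16

/* Constructed stand-in for the TLS process heap (assumption for this demo):
 * the incoming heartbeat record sits at the start, and an unrelated object
 * (here a fake PEM key marker, not a real key) lies right after it. */
#define HEAP_SIZE 512
#define SECRET "-----BEGIN RSA PRIVATE KEY----- (constructed, not a real key)"

static unsigned char g_heap[HEAP_SIZE];

/* Lay out [type][len hi][len lo][payload][16 pad] at g_heap[0] and the
 * secret immediately after it. Returns the true record length on the wire. */
static size_t lay_out_heap(uint16_t claimed_len, const unsigned char *payload, size_t actual_len)
{
    size_t rec_len = 1 + 2 + actual_len + HB_PADDING;
    memset(g_heap, 0, sizeof g_heap);
    g_heap[0] = TLS1_HB_REQUEST;
    g_heap[1] = (unsigned char)(claimed_len >> 8);
    g_heap[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(g_heap + 3, payload, actual_len);
    memset(g_heap + 3 + actual_len, 0xAA, HB_PADDING);
    memcpy(g_heap + rec_len, SECRET, sizeof SECRET);   /* neighbouring heap object */
    return rec_len;
}

/* Mirrors the shape of the 1.0.1 heartbeat handler: either trust the
 * length field (hardened == 0) or check it against the real record length
 * first (hardened == 1). Returns bytes written to out, 0 if rejected. */
static size_t process_heartbeat(const unsigned char *rec, size_t rec_len,
                                unsigned char *out, size_t out_cap, int hardened)
{
    const unsigned char *p = rec;
    unsigned char hbtype = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);   /* attacker-controlled */
    p += 2;
    const unsigned char *pl = p;

    if (hbtype != TLS1_HB_REQUEST)
        return 0;
    /* The fix: the declared payload must fit inside the record we received. */
    if (hardened && (size_t)1 + 2 + payload + HB_PADDING > rec_len)
        return 0;
    /* Demo-only bound so the model never overruns its own output buffer. */
    if ((size_t)3 + payload + HB_PADDING > out_cap)
        return 0;

    out[0] = TLS1_HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, pl, payload);   /* reads past the record when payload is a lie */
    memset(out + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* memmem() is not ISO C; a naive search is enough for the demo. */
static int contains(const unsigned char *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0)
            return 1;
    return 0;
}

/* Send a 2-byte payload while claiming 300 bytes. Returns 1 if the heartbeat
 * response carried the neighbouring "key" material back to the client. */
int heartbleed_leaks(int hardened)
{
    unsigned char out[HEAP_SIZE];
    const unsigned char hb[2] = { 'h', 'i' };
    size_t rec_len = lay_out_heap(300, hb, sizeof hb);
    size_t n = process_heartbeat(g_heap, rec_len, out, sizeof out, hardened);
    return n > 0 && contains(out, n, "BEGIN RSA PRIVATE KEY");
}

int main(void)
{
    printf("vulnerable handler leaked key marker: %d\n", heartbleed_leaks(0));
    printf("hardened handler leaked key marker:   %d\n", heartbleed_leaks(1));
    return 0;
}
```

The model is deliberately in-process: the only memory `memcpy` can reach is the handler's own address space, so the leak is bounded by what that one process holds, but within that process it is whatever happens to sit near the record, which is exactly why rotating the server's certificate key is the conservative response.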

