[tech] OpenSSL "Heartbleed" Issues

Sam Moore matches at ucc.asn.au
Wed Apr 16 10:09:02 WST 2014


On 15/04/14 09:01, David Adam wrote:
> On Tue, 15 Apr 2014, Sam Moore wrote:
>> A reminder to people that yes you actually do need to update ssl on your
>> VM or collocated machine or bad things can (and did) happen and we will
>> kill it with fire. Or it will kill us. But hopefully the former.
>
> Like what? Can't we just firewall them off?

The mysterious bad things mentioned had nothing to do with Heartbleed 
which is a passive attack. Sorry.

We could just firewall machines but "killing with fire" sounded more 
dramatic.

Also, to give an example: Our https services that back onto LDAP for 
authentication were a case where someone could possibly have got a 
username and password that would allow a shell login via ssh.

On 10/04/14 11:44, Sam Moore wrote:
> We are running an apache2 server, but the pages authenticate via the
> ldaps server on mussel, which is a different protocol entirely. Does
> this mean it is not possible for password related memory to have been
> leaked via apache?

To answer my own question: The web server does have to have the user 
name and password in memory at some point, which means such things could 
be leaked.

There was a vulnerable server on our network. Although it wasn't 
actively doing "bad things", when I scanned this server just once there 
was a user name and password in the leaked memory.

After saying all this, it must be noted that not having 'toor' as your 
root password is probably more important than upgrading openssl.

[SZM]
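The triage step the post describes, checking whether a chunk of leaked server memory holds web credentials that would then work against LDAP and ssh, as an added example that is not part of the original mailing-list post. It assumes the front-end accepts HTTP Basic auth or a form login (field names `username`/`password` and their common variants are assumptions), and the leaked buffer below is constructed for the example with fake credentials. Only usernames are reported, since the responder needs to know which accounts to reset, not the secrets themselves.

```python
"""Triage helper: does a leaked memory buffer contain web credentials?

Added example, not part of the original post. Assumes a web server that
takes HTTP Basic auth or a form login in front of an LDAP directory.
"""
import base64
import binascii
import re

# "Authorization: Basic <base64>" as it sits in a buffered request.
_BASIC_RE = re.compile(
    rb"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.IGNORECASE
)
# Form-encoded login pairs such as "username=alice&password=...".
# Field names are assumptions; adjust to the application's own names.
_FORM_RE = re.compile(
    rb"(?:^|[&?\s])(user(?:name)?|login|uid)=([^&\s]+)"
    rb"&(?:pass(?:word|wd)?|pw)=([^&\s]+)",
    re.IGNORECASE,
)


def find_exposed_credentials(leaked: bytes):
    """Return a list of (source, username) tuples found in leaked bytes.

    Passwords are deliberately not returned.
    """
    found = []
    for m in _BASIC_RE.finditer(leaked):
        try:
            decoded = base64.b64decode(m.group(1), validate=True)
        except (binascii.Error, ValueError):
            continue  # looked like a header but was not valid base64
        if b":" not in decoded:
            continue  # Basic credentials are always "user:password"
        user = decoded.split(b":", 1)[0]
        found.append(("basic-auth", user.decode("utf-8", "replace")))
    for m in _FORM_RE.finditer(leaked):
        found.append(("form-login", m.group(2).decode("utf-8", "replace")))
    return found


def accounts_to_reset(leaked: bytes):
    """Sorted, de-duplicated usernames whose passwords must be rotated."""
    return sorted({user for _, user in find_exposed_credentials(leaked)})


# Constructed sample: binary junk around fragments of two buffered requests.
SAMPLE_LEAK = (
    b"\x00\x00\x16\x03\x01HTTP/1.1 200 OK\r\n\x7f\x00junk\x00\x00"
    b"GET /wiki/ HTTP/1.1\r\nHost: intranet.example\r\n"
    b"Authorization: Basic " + base64.b64encode(b"alice:not-a-real-password")
    + b"\r\n\x00\x00\x00\x00"
    b"POST /login HTTP/1.1\r\n\r\nusername=bob&password=also-fake\r\n"
    b"Authorization: Basic QUJ\r\n"   # truncated base64, must be skipped
    b"Authorization: Basic QUJD\r\n"  # decodes to "ABC", no colon, skipped
)

if __name__ == "__main__":
    for source, user in find_exposed_credentials(SAMPLE_LEAK):
        print(f"{source}: {user}")
    print("reset:", ", ".join(accounts_to_reset(SAMPLE_LEAK)))
```

Run against a real leaked buffer (or a memory dump of the affected process) the output is the list of accounts whose passwords should be reset; the same names should then be checked against ssh login records for the exposure window.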