
Re: [LUG] OpenSSL 1.0.1 "Heartbleed" vulnerability


On 08/04/14 13:45, Martijn Grooten wrote:
> 
> The vulnerability allows anyone to obtain a chunk of memory from a
> vulnerable server. If that server runs OpenSSH and if OpenSSH stores
> passwords, key phrases and/or private keys in memory, it is affected,
> regardless of the dependency between OpenSSL and OpenSSH.

Is it any memory?

I would assume since it is a user space flaw, that it can only leak
memory it can read, which would likely be 64K of its own memory space
(on proper operating systems anyway).

I've seen no commentary either way.

That doesn't help much since the process likely has the key, the
certificate, and other relevant bits in memory, but it would mean that
unrelated processes like OpenSSH keys would be safe (unless someone
shared credentials over TLS which were exposed and abused).



-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
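An added example, not part of this list thread, showing in Python the bounds check the discussion is about: a heartbeat parser that only returns a payload when the declared length actually fits inside the received record (the check the OpenSSL 1.0.1g fix added), plus a detection helper run over two constructed sample records. Record layout follows RFC 6520; the function names and sample records are my own.

```python
import struct

TLS_HEARTBEAT = 24            # TLS content type 0x18 (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16              # RFC 6520 requires at least 16 bytes of padding


def parse_tls_record(data: bytes):
    """Split one TLS record into (content_type, version, body), checking lengths."""
    if len(data) < 5:
        raise ValueError("truncated record header")
    ctype, version, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("record body shorter than declared length")
    return ctype, version, body


def parse_heartbeat(body: bytes) -> bytes:
    """Return the heartbeat payload to echo, or raise if the message is malformed.

    The vulnerable code trusted payload_len and copied that many bytes from the
    record buffer, reading past it into whatever else sat in process memory.
    The fix rejects a message whose declared payload (plus padding) does not
    fit in the bytes actually received."""
    if len(body) < 3:
        raise ValueError("heartbeat too short for type + length fields")
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        raise ValueError("unknown heartbeat type")
    if 3 + payload_len + MIN_PADDING > len(body):
        raise ValueError("declared payload length exceeds record (Heartbleed-style)")
    return body[3:3 + payload_len]


def is_heartbleed_probe(record: bytes) -> bool:
    """Detection helper: True when a heartbeat claims more payload than it carries."""
    ctype, _, body = parse_tls_record(record)
    if ctype != TLS_HEARTBEAT:
        return False
    try:
        parse_heartbeat(body)
    except ValueError:
        return True
    return False


def build_record(declared_len: int, payload: bytes, padding: bytes = b"\x00" * 16) -> bytes:
    """Constructed sample data only: wrap a heartbeat request in a TLS 1.1 record."""
    body = struct.pack("!BH", HB_REQUEST, declared_len) + payload + padding
    return struct.pack("!BHH", TLS_HEARTBEAT, 0x0302, len(body)) + body


BENIGN = build_record(len(b"hello"), b"hello")   # honest length: accepted
MALFORMED = build_record(0x4000, b"hello")       # claims 16 KiB, carries 5 bytes: rejected
```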