[BlueOnyx:15142] Re: OpenSSL (CenOS-6.5/SL-6.5) CVE-2014-0160

Dogsbody dan at dogsbody.org
Tue Apr 8 17:07:51 -05 2014


On 08/04/14 16:34, Michael Stauber wrote:
> I'm going even one step further. I'll change all my SSH keys as
> well. On each and every box. They could have been leaked.

AFAIK OpenSSH is not affected by the OpenSSL bug. While OpenSSH does use 
OpenSSL for some key-generation functions, it doesn't use the TLS 
protocol or the TLS heartbeat extension.

I could be wrong on this but I've tried every heartbeat attack I can on 
SSH and can't get anything out of it while HTTPS, SMTPS, IMAPS & POP3S 
just *FLOOD* private data.

Certainly nothing wrong with changing keys though.

> I'll get
> new SSL certificates for a couple of the more critical sites. I might be
> paranoid on this, but this time it's probably warranted.

Re-keying SSL certs is a *very* good idea and I'm doing the same for 
myself and all my customers' keys. It's one hell of a pain though.

The other thing I want to point out is session keys.  I'd highly advise 
resetting all session keys and forcing everyone to log back in again.

I captured some data from before we patched some servers which included 
PHPSESSION keys.  (Obviously) even after the server was patched the keys 
were still valid and I could log into accounts that weren't mine using 
these keys.

Due to this issue alone it also means that any site you have logged into 
*since 2011* that is vulnerable to this attack may well have leaked your 
password and/or your session to strangers on the internet.  Now is the 
time to change the password of any site you have logged into that you 
care about.

I bet Apple are feeling smug right now.

Dan
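
An added example, not part of the original message: a minimal Python sketch of the session reset advised above, where every session issued before the patch time is invalidated so that a session ID captured earlier stops working. The `SessionStore` class, its method names and the timeline are constructed for illustration.

```python
import secrets
import time


class SessionStore:
    """In-memory session store with a global 'not before' revocation cutoff."""

    def __init__(self):
        self._sessions = {}      # session id -> (user, issued_at)
        self._not_before = 0.0   # sessions issued before this are rejected

    def create(self, user, now=None):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = (user, time.time() if now is None else now)
        return sid

    def revoke_issued_before(self, cutoff):
        """Invalidate every session created before `cutoff` (e.g. patch time)."""
        self._not_before = max(self._not_before, cutoff)
        stale = [s for s, (_, t) in self._sessions.items() if t < cutoff]
        for sid in stale:
            del self._sessions[sid]
        return len(stale)

    def lookup(self, sid):
        """Return the user for a valid session id, else None."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        user, issued_at = entry
        # Compare creation time, not last activity: a leaked id that is being
        # replayed would otherwise keep itself looking fresh. This also rejects
        # old sessions that reappear from a backup or a replica.
        if issued_at < self._not_before:
            return None
        return user


def demo():
    # Constructed timeline: two logins before the patch, one after.
    patch_time = 1_000_000.0
    store = SessionStore()
    old_a = store.create("alice", now=patch_time - 3600)
    old_b = store.create("bob", now=patch_time - 60)
    revoked = store.revoke_issued_before(patch_time)
    new_a = store.create("alice", now=patch_time + 30)
    return revoked, store.lookup(old_a), store.lookup(old_b), store.lookup(new_a)
```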


