From owner-freebsd-security@FreeBSD.ORG Sat Apr 26 18:59:25 2014 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 88535E33 for ; Sat, 26 Apr 2014 18:59:25 +0000 (UTC) Received: from st11p09mm-asmtp002.mac.com (st11p09mm-asmtp002.mac.com [17.164.24.97]) by mx1.freebsd.org (Postfix) with ESMTP id 4F2D919A2 for ; Sat, 26 Apr 2014 18:59:24 +0000 (UTC) MIME-version: 1.0 Received: from beat.rdnzl.info (dsl-hkibrasgw1-58c380-33.dhcp.inet.fi [88.195.128.33]) by st11p09mm-asmtp002.mac.com (Oracle Communications Messaging Server 7u4-27.08(7.0.4.27.7) 64bit (built Aug 22 2013)) with ESMTPSA id <0N4N000XLJEB3O60@st11p09mm-asmtp002.mac.com> for freebsd-security@freebsd.org; Sat, 26 Apr 2014 18:59:06 +0000 (GMT) Content-type: multipart/signed; boundary="Apple-Mail=_8A01CDAA-012A-44C9-BC9F-71782A8737B1"; protocol="application/pgp-signature"; micalg=pgp-sha1 Subject: Re: am I NOT hacked? From: Kimmo Paasiala In-reply-to: Date: Sat, 26 Apr 2014 21:58:55 +0300 Message-id: References: To: Joe Parsons X-Mailer: Apple Mail (2.1874) X-MANTSH: 1TEIXWV4bG1oaGkdHB0lGUkdDRl5PWBoaHhEKTEMXGx0EGx0YBBIZBBsTEBseGh8 aEQpYTRdLEQptfhcaEQpMWRcbGhsbEQpZSRcRClleF2hjeREKQ04XSxsYGmJCH2lsGEROGXhzB xl7GxIfExxrEQpYXBcZBBoEHQdNSx0SSEkcTAUbHQQbHRgEEhkEGxMQGx4aHxsRCl5ZF2FBS0t 8EQpMRhdsa2sRCkNaFxISBBsTHwQbGBIEGRkRCkJeFxsRCkRYFxgRCkRJFxgRCkJFF2Z9fxNNb 1xgZRoSEQpCThdrRRpSUB5DXFlcaBEKQkwXbk0deVljZGh+GEYRCkJsF2FAfFNsSx8YZHt+EQp CQBdkQ38TW357HFBJexEKcGcXYlBGGkNSUm4ZR2sRCnBoF29hQn5MeV4ZZk96EQpwaBdkXB54b UtfZlgFTxEKcGgXYRNAeVseThxoYAURCnBoF24SGxJ/cFJOElgSEQpwaBdpXEdFThx+AVx4WxE KcH8XbFJyeU5yTXB7TGARCnBfF2AZYmJeQ357GVpNEQpwaxdob0MdRnMbSEdtUhEKcEsXYmlyE 1hdXGdtU3MRCnBrF2gaQUQFGmZeXGJPEQpwbBdtZ24FH2FOYRxbGxEKcEwXbEQTGxh8cEJgZHs R X-CLX-Spam: false X-CLX-Score: 1011 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.11.96,1.0.14,0.0.0000 definitions=2014-04-26_02:2014-04-25,2014-04-26,1970-01-01 signatures=0 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=15 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=7.0.1-1402240000 definitions=main-1404260309 Cc: "freebsd-security@freebsd.org" X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 26 Apr 2014 18:59:25 -0000 --Apple-Mail=_8A01CDAA-012A-44C9-BC9F-71782A8737B1 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=windows-1252 On 26.4.2014, at 21.17, Joe Parsons wrote: > Sorry, one paragraph of my last reply appears to be screwed up on the = web archive. You can ignore that reply and just read the following. = I'm sorry for the confusion. =20 >=20 >=20 > Ok, thanks a lot for all your kind help. I learned the pwd_mkdb = manpage and the databases as you suggested. >=20 > To clarify, I understand 9.1 kernel contains the non-vulnerable = version of openssl library, hence mere apache/https is not vulnerable. = However the vulnerable openssl port is installed for the mail software = to provide imaps/pops/smtps services, so they are vulnerable. >=20 > The following reply is what I'm confused: >=20 >> In any case, heartbleed does *not* facilitate remote code execution = or >> code injection, only information retrieval, so unless your passwords >> were stored in cleartext (or a weakly hashed form) in the memory of = an >> Internet-facing SSL-enabled service (such as https, smtp with = STARTTLS >> or imaps, but not ssh), you cannot have been "hacked" as a = consequence >> of heartbleed. >=20 > I ssh into the system, and I /usr/bin/su to become root. Do my shell = passwords show up in in clear text in the memory briefly, so the = attacker could happen to harvest them? In another word, on a system = with the vulnerable openssl port, do we need to change the shell = password for root and other users, if these passwords are ONLY used in = ssh and /usr/bin/su ? >=20 > I googled and found few result, almost all are focused on changing = user mail passwords and server certificates. Only found this page said = they changed server root password: >=20 > = http://digitalopera.com/geek-rants/what-were-doing-to-combat-heartbleed/ >=20 > Thanks, Joe > =20 You=92re missing a few fundamental properties of a modern operating = system, memory management and memory protection. The sshd or the su = processes might have the passwords in the clear in their own memory for = some time but any other process (for example the web server with the = vulnerable OpenSSL) has no access to that memory because of how virtual = memory works. Every process has its own private memory space and the = process can not address memory owned by other processes. For example, a = process running on i386 can try to address all of the 4GBs that the i386 = instruction set allows it to do but none of the memory that it can read = or write belongs to another process because the OS keeps the those = private address spaces separate from each other using the memory = management hardware on the CPU. -Kimmo --Apple-Mail=_8A01CDAA-012A-44C9-BC9F-71782A8737B1 Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename=signature.asc Content-Type: application/pgp-signature; name=signature.asc Content-Description: Message signed with OpenPGP using GPGMail -----BEGIN PGP SIGNATURE----- iQEcBAEBAgAGBQJTXAHzAAoJEFvLZC0FWRVpa3cH/34RKCwd8F28n+gvHpH/q+YV k/HD6BW9Qk+dAr3A6wlk57Lty81jxD8U0f9CRCo2DLfJ63s94ZSabwSvKme3tcau G1XQctSGFmzNXydOVR57zDRS9ycQGv9cxaSpCEabGZlmaus2xXoHVIbJbY61430R U1p/BOc1tsY1iSL2+HrZ+wzuboQ9k9IOl9XPxHCntNEFltF/OEwtgKay140tLuxX uDtTzXW5gSq+Lo0RqwAQ3vqE+ZXjLxeZ/IZnYeKIPh8Q8nnepdnY54S5p++Kjkik OHspvWYBno/3u/cvuBKuB13zyHyxsdje4Uc9YBvgfWhdMi0FEr/TmwwXqUXEhto= =L+mB -----END PGP SIGNATURE----- --Apple-Mail=_8A01CDAA-012A-44C9-BC9F-71782A8737B1--