Does anyone know what entry point a hacker could have if a server's OpenSSL has been patched but a site's SSL certs have not yet been rekeyed?

Thanks!

Honey Badger
  • This question is not a duplicate as it addresses a different aspect of the Heartbleed security: Could an attacker gain access to your server after you patched OpenSSL BUT have not yet re-keyed your SSL certs. – Honey Badger Apr 22 '14 at 00:58
  • Or is an attacker limited to man-in-the-middle attack (i.e. by capturing user creds when they login on the website), but not able to access the server itself? – Honey Badger Apr 22 '14 at 01:15

1 Answer

If the remote attacker was able to retrieve your private key before you patched, then they can decrypt any previous communication that has been performed if you didn't use perfect forward secrecy, and perform man-in-the-middle attacks, intercepting and possibly modifying existing communications. They could have also captured credentials needed to remotely access and modify your system, or your users' accounts.

If you are lucky and nobody used this bug to collect your keys or anything else while you were vulnerable, you would theoretically be fine.

Léo Lam
Zoredache
  • Thanks for your answer Zoredache. Could you please explain what you mean by "They could have also captured credentials needed to remotely access and modify your system". You mean they could access my server the way one has access using SSH? Or do you mean they could login as admin on a website and have access to only the website files? – Honey Badger Apr 22 '14 at 00:28
  • Anything that could potentially be in the process memory linking to OpenSSL could have been leaked. This may include your admin credentials, it may include many other things. – Zoredache Apr 22 '14 at 00:35
  • But what if the server's OpenSSL has been patched, but ONLY the SSL cert not rekeyed? Could they still gain access to the server? That's why this question is different to the one quoted as possible duplicate, in that there is only one vulnerability (the old SSL keys, not OpenSSL). – Honey Badger Apr 22 '14 at 00:50
  • **I think you missed the second paragraph of my answer.** The heartbleed bug has existed for over two years. If someone knew about the vulnerability two years ago they could have collected anything and everything in memory. If they were able to get admin credentials or the key for your system before you patched your system, then you are screwed. The secrets have already been lost. Sure nobody can get them now that you are patched, but that may be too late. Patching is only good enough if no secrets were lost before patching. But there are no logs, so how can you know that you are safe? – Zoredache Apr 22 '14 at 01:45
  • Hi @Zoredache, even if a system is compromised, the attacker can only gain access to the HTTPS website but not the physical server itself right? Sorry if this is a noob question... I'm still trying to understand the implications of Heartbleed. For one, I'm not sure when someone says the attacker can access your "system", does it mean the attacker can access the server the way someone uses SSH/FTP or just the website itself (i.e. they did not gain access to the physical files on the server). Thanks for your patience! – Honey Badger Apr 22 '14 at 01:55
  • @Honey Heartbleed doesn't allow direct access to control the system, it "bleeds" out information contained within the affected system. The attacker doesn't gain access to your system through the bug itself. Rather they are able to read information that could allow them to gain access to your system, or other sensitive information. Anything that's in your server's RAM. That could be credentials, keys, bank account numbers, anything. So, if keys are one thing that gets out then your encryption is toast (for example). – squillman Apr 22 '14 at 02:47
  • Thank you @squillman. "Anything that's in your server's RAM" doesn't include the server's SSH or FTP login creds used by the system admin right? Or does it (shock horror)? – Honey Badger Apr 22 '14 at 03:10
  • @Honey Yes, it does. That's why this one's so bad. – squillman Apr 22 '14 at 03:38