I thought that HeartBleed allowed reading only of up to 64K (unsigned 16
bit length) of heap memory - from wherever in the heap the buffer used was
allocated.  It didn't allow arbitrary process memory exploitation, although
I suppose by manipulating the size of the requests, you ought to be able to
explore different parts of the heap.

Of course, luck would play a part in what was revealed, although luck can
be manipulated.


--- Richard Conto

DNA Sequencing Core
Biomedical Research Core Facilities
Medical School Administration Office of Research
NCRC Bldg 14 room 168 -- (734) 764-7620


On Thu, Apr 10, 2014 at 11:41 PM, Wesley Craig <wescr...@gmail.com> wrote:

> On 10 Apr 2014, at 22:34, Andrew Mortensen <and...@weblogin.org> wrote:
> > Some weblogin environments have elected to allow cosign clients (again,
> > I mean mod_cosign and friends) to authenticate with certificates issued by
> > public CAs. The protected web servers in these deployments are using these
> > same certificates for https. Wes is pointing out that if the private key
> > for these https servers was stolen via heartbleed, attackers could ALSO
> > authenticate to cosignd as the protected service if the weblogin
> > administrators permit client authentication using certificates signed by
> > public CAs.
>
> heartbleed allows an unauthenticated attacker to read everything in RAM of
> the attacked process.  Obviously, that includes the certificate that apache
> is using, but it could also include mod_cosign's certificate, the password
> you use to connect to mysql, everything.
>
> :wes
>
> ------------------------------------------------------------------------------
> Put Bad Developers to Shame
> Dominate Development with Jenkins Continuous Integration
> Continuously Automate Build, Test & Deployment
> Start a new project now. Try Jenkins in the cloud.
> http://p.sf.net/sfu/13600_Cloudbees
> _______________________________________________
> Cosign-discuss mailing list
> Cosign-discuss@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/cosign-discuss
>
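
Added example (not part of the original thread, and not OpenSSL's or cosign's code): the sender-controlled 16-bit length field discussed in the reply above, and the bounds check RFC 6520 requires before a heartbeat payload is echoed. The function names and the two sample records are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HB_HEADER_LEN  3   /* 1-byte type + 2-byte payload_length */
#define HB_MIN_PADDING 16  /* minimum padding required by RFC 6520 */

/* Constructed samples: an honest 4-byte payload, and a record that
 * claims 0x4000 payload bytes while carrying none (padding only). */
static const uint8_t hb_honest[23]   = {0x01, 0x00, 0x04, 'p', 'i', 'n', 'g'};
static const uint8_t hb_overclaim[19] = {0x01, 0x40, 0x00};

/* The sender-controlled 16-bit length field: at most 0xFFFF. */
static size_t hb_claimed_len(const uint8_t *rec)
{
    return ((size_t)rec[1] << 8) | rec[2];
}

/* Bytes beyond the received record that a responder would copy if it
 * trusted the claimed length (hypothetical helper, for illustration). */
size_t hb_overread(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < HB_HEADER_LEN)
        return 0;
    size_t avail = rec_len - HB_HEADER_LEN;
    size_t claimed = hb_claimed_len(rec);
    return claimed > avail ? claimed - avail : 0;
}

/* RFC 6520 check: returns the payload length that is safe to echo,
 * or -1 when the message must be discarded silently. */
long hb_checked_payload_len(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING)
        return -1;
    size_t claimed = hb_claimed_len(rec);
    if (HB_HEADER_LEN + claimed + HB_MIN_PADDING > rec_len)
        return -1;
    return (long)claimed;
}

int main(void)
{
    printf("honest:    overread=%zu checked=%ld\n", hb_overread(hb_honest, sizeof hb_honest),
           hb_checked_payload_len(hb_honest, sizeof hb_honest));
    printf("overclaim: overread=%zu checked=%ld\n", hb_overread(hb_overclaim, sizeof hb_overclaim),
           hb_checked_payload_len(hb_overclaim, sizeof hb_overclaim));
    return 0;
}
```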