[mythtv-users] the heartbleed openssl bug and mythtv

Tom Harris thom.j.harris at gmail.com
Tue Apr 15 06:25:00 UTC 2014


On Thu, Apr 10, 2014 at 6:40 AM, Stephen Worthington <
stephen_agent at jsw.gen.nz> wrote:

> On Thu, 10 Apr 2014 13:00:48 +0200, you wrote:
>
> >2014-04-10 11:34 GMT+02:00 Mike Perkins <mikep at randomtraveller.org.uk>:
> >
> >> On 10/04/14 03:39, Gary Buhrmaster wrote:
> >>
> >>>
> >>> As far as impact, if one is using a throw-away password
> >>> like "password", and is using it only on their mythweb server,
> >>> the impact is low (the worst someone could do is probably
> >>> delete your recordings, and it is only just TV :-).  On the
> >>> other hand, if it is using the same password as you use
> >>> at your bank, or your secret password to access your
> >>> evil lair, the impact could be higher.  You can mitigate
> >>> against that impact by changing your bank password
> >>> (note: Unless your bank says they have fixed it already,
> >>> you get to do it now, and then again after they have
> >>> applied the patch), and change your password to access
> >>> your secret lair from which you plan to launch the plan of
> >>> world domination.
> >>>
> >> Er, no. If they can gain access to your /server/ it makes it at least
> >> possible for them to upload more malware, turning your server into a relay
> >> bot, etc.
> >>
> >> Fortunately I don't permit any internet-facing access to my machines,
> >> which is probably just as well. The number of devices I will have to update
> >> in the near future is mind-boggling.
> >>
> >> Apart from the usual servers, clients and workstations, one mustn't forget
> >> wireless access points, smart phones (when Apple/Samsung gets around to
> >> providing a fix), tablets, ereaders and set-top boxes, all of which likely
> >> run some OS which uses SSL!
> >>
> >> --
> >>
> >> Mike Perkins
> >>
> >>
> >> _______________________________________________
> >> mythtv-users mailing list
> >> mythtv-users at mythtv.org
> >> http://www.mythtv.org/mailman/listinfo/mythtv-users
> >> http://wiki.mythtv.org/Mailing_List_etiquette
> >> MythTV Forums: https://forum.mythtv.org
> >>
> >
> >This is not a security discussion group, and I find that this discussion
> >really has gone overboard. You have to upgrade openssl on your server IF
> >you use apache and openssl to deliver any content on your mythtv server
> >(for example mythweb). Changing passwords on the server is also recommended
> >(if you are really paranoid, the chance that someone has targeted your
> >mythtv server is slim to none, there are larger fish in the sea).
> >
> >Clients using openssl are not affected by this bug, so smartphones,
> >tablets, set-top boxes and the like (as long as they are not serving
> >content with openssl, which few are doing), do not need to be upgraded.
> >Openssh is not affected either. Your password and possibly your public key
> >can be compromised, if you are worried about your password, change it. If
> >you worry about someone getting your public key, then you don't understand
> >how key generation and login work.
> >
> >The main thing is however that your server won't be compromised just
> >because it is internet-facing and used an old version of openssl. Check
> >your server logs to see if there are strange logins, change the password
> >and you are fine!
> >
> >The problem is worse on all of our Internet services. You should really
> >think about changing passwords there. And I can't imagine that there are
> >any sysops that haven't upgraded openssl already....
> >
> >Regards
> >
> >Andréas
>
> Have you ever got it wrong!  The PRIVATE keys can be compromised by
> this bug, not the public keys.  It is impossible to "compromise" a
> public key as they are supposed to be publicly available.  The bug
> allows an attacker access to up to 64 kbytes of memory on each request
> and to keep on requesting 64 kbyte chunks of data.  So they can get
> access to just about anything that is in RAM on the PC.  I am unsure
> if that is limited to just the memory of the program running the SSL
> code, or if more general access is gained.  But anything running SSL
> will have the private keys in RAM so it can do encoding and decoding,
> and they will be accessible via the bug.
>

Yes, the attacker can easily get 64kB of memory on the server.  They can
keep requesting that memory as much as they want.  But, that does not let
them crawl the memory of the server, and it is limited to the memory of the
process using openssl on that port (e.g. Apache).

The point of re-requesting is that the state of that memory is constantly
changing, with all kinds of interesting things like username/passwords,
cookies, and even the rare private key.  The private keys seem to be
compromised most easily at process startup time, but potentially later too.

Most of the time you just end up with parts of web transactions: cookies,
HTTP request headers, etc. (There are many PoC Python scripts out there,
and it's really easy to point one at a server and see what data is dumped
out.)


>
> And also, the client side data is apparently vulnerable too, not just
> the server side.  That may depend on just what software we are talking
> about, but I am not sure.  So at this point, it is better to be safe
> than sorry.  It may just be that if you use a browser to connect to an
> https site, you are opening up your PC to attack.
>
> Please have a good read of this authoritative site:
>
>   http://heartbleed.com
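
As an added illustration of the mechanism Stephen and Tom describe above (this
is example code written for this archive page, not code from the list thread,
from OpenSSL or from the MythTV project), here is a small Python checker that
applies the same bounds test a patched OpenSSL performs on a heartbeat record:
it compares the heartbeat's declared payload_length against the length of the
record that actually arrived, and flags records whose declared length runs past
the end of the record. The TLS record header and heartbeat message layout follow
RFC 6520; the sample records are constructed inline (not captured traffic), and
the verdict strings are my own naming.

```python
import struct

TLS_HEARTBEAT = 0x18            # TLS record content type for heartbeat (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2  # heartbeat message types
MIN_PADDING = 16                # RFC 6520: at least 16 bytes of padding must follow the payload


def parse_tls_record(data: bytes, offset: int = 0):
    """Split one TLS record off `data` starting at `offset`.

    Returns (content_type, version, fragment, next_offset), or None when fewer
    than the 5 header bytes remain.  A record whose length field points past
    the end of `data` yields a truncated fragment, which the heartbeat check
    below then treats as too short."""
    if len(data) - offset < 5:
        return None
    content_type, version, length = struct.unpack_from("!BHH", data, offset)
    start = offset + 5
    fragment = data[start:start + length]
    return content_type, version, fragment, start + length


def check_heartbeat(fragment: bytes) -> str:
    """Classify the fragment of one heartbeat record.

    'ok'           declared payload plus 16 bytes of padding fits in the record
    'oversized'    declared payload_length runs past the record end (the shape
                   that made unpatched OpenSSL copy memory it should not have)
    'short'        fewer than the 3 header bytes (type + payload_length)
    'unknown-type' neither request nor response"""
    if len(fragment) < 3:
        return "short"
    hb_type, payload_length = struct.unpack_from("!BH", fragment, 0)
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return "unknown-type"
    # Same arithmetic as the fixed OpenSSL: 1 (type) + 2 (length) + payload + 16 (padding)
    # must not exceed the number of bytes the record actually carries.
    if 1 + 2 + payload_length + MIN_PADDING > len(fragment):
        return "oversized"
    return "ok"


def scan_stream(data: bytes):
    """Walk consecutive TLS records and return [(record_index, verdict), ...]
    for every heartbeat record; other content types are skipped."""
    findings = []
    offset = 0
    index = 0
    while True:
        parsed = parse_tls_record(data, offset)
        if parsed is None:
            break
        content_type, _version, fragment, offset = parsed
        if content_type == TLS_HEARTBEAT:
            findings.append((index, check_heartbeat(fragment)))
        index += 1
    return findings


def build_record(content_type: int, version: int, fragment: bytes) -> bytes:
    """Assemble a TLS record: 1-byte type, 2-byte version, 2-byte length, body."""
    return struct.pack("!BHH", content_type, version, len(fragment)) + fragment


# Constructed sample records (TLS 1.1 version bytes; not captured traffic).
BENIGN_HB = build_record(
    TLS_HEARTBEAT, 0x0302,
    struct.pack("!BH", HB_REQUEST, 4) + b"ping" + b"\x00" * MIN_PADDING)
# Declares a 16384-byte payload but carries only 4 payload bytes plus padding.
OVERSIZED_HB = build_record(
    TLS_HEARTBEAT, 0x0302,
    struct.pack("!BH", HB_REQUEST, 0x4000) + b"ping" + b"\x00" * MIN_PADDING)
APP_DATA = build_record(0x17, 0x0302, b"\x00" * 32)  # ordinary application data

SAMPLE_STREAM = APP_DATA + BENIGN_HB + OVERSIZED_HB


if __name__ == "__main__":
    for index, verdict in scan_stream(SAMPLE_STREAM):
        print(f"record {index}: heartbeat {verdict}")
```

Fed the bytes of a TLS session (for example the server-bound half of a
connection extracted from a packet capture), scan_stream() reports each
heartbeat record and whether its declared length was consistent with what
arrived. An 'oversized' verdict on the request side is the signature the
network IDS rules published for this bug keyed on; the same comparison, done in
the server before the copy, is what the OpenSSL fix added.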