Home / server / Questions / 587433
Accepted
Flup
Asked: 2014-04-09 03:21:04 +0800 CST

Heartbleed: are services other than HTTPS affected?

  • 772

The OpenSSL 'heartbleed' vulnerability (CVE-2014-0160) affects webservers serving HTTPS. Other services also use OpenSSL. Are these services also vulnerable to heartbleed-like data leakage?

I'm thinking in particular of

  • sshd
  • secure SMTP, IMAP etc -- dovecot, exim & postfix
  • VPN servers -- openvpn and friends

all of which, on my systems at least, are linked to the OpenSSL libraries.

security

6 Answers

  1. Best Answer

    Any service that uses OpenSSL for its TLS implementation is potentially vulnerable; this is a weakness in the underlying cyrptography library, not in how it's presented via a web server or email server package. You should consider all linked services vulnerable to data leakage at least.

    As I'm sure you're aware, it's quite possible to chain attacks together. Even in the simplest attacks it's perfectly possible to, for example, use Heartbleed to compromise SSL, read webmail credentials, use webmail credentials to gain access to other systems with a quick "Dear helpdesk, can you give me a new password for $foo, love CEO".

    There's more information and links in The Heartbleed Bug, and in another question maintained by a Server Fault regular, Heartbleed: What is it and what are options to mitigate it?.

    • 40

  2. It seems your ssh-keys are safe:

    It's worth pointing out that OpenSSH is not affected by the OpenSSL bug. While OpenSSH does use openssl for some key-generation functions, it does not use the TLS protocol (and in particular the TLS heartbeat extension that heartbleed attacks). So there is no need to worry about SSH being compromised, though it is still a good idea to update openssl to 1.0.1g or 1.0.2-beta2 (but you don't have to worry about replacing SSH keypairs). – dr jimbob 6 hours ago

    See: https://security.stackexchange.com/questions/55076/what-should-one-do-about-the-heartbleed-openssl-exploit

    • 35

  3. In addition to the answer of @RobM, and since you ask about SMTP specifically: there already is a PoC for exploiting the bug on SMTP: https://gist.github.com/takeshixx/10107280

    • 4

  4. Yes those services can be compromised if they rely on OpenSSL

    OpenSSL is used to protect for example email servers (SMTP, POP and IMAP protocols), chat servers (XMPP protocol), virtual private networks (SSL VPNs), network appliances and wide variety of client side software.

    For a more detailed write up on the vulnerabilities, affected operating systems etc. you can checkout http://heartbleed.com/

    • 3

  5. Anything that links with libssl.so may be affected. You should restart any service that links with OpenSSL after you have upgraded.

    # lsof +c 0 | grep -w DEL | awk '1 { print $1 ": " $NF }' | grep libssl | sort -u
bacula-fd: /usr/lib/libssl.so.1.0.0
php-fpm: /usr/lib/libssl.so.1.0.0
php-fpm: /usr/lib/php/modules/openssl.so
python2: /usr/lib/libssl.so.1.0.0
python2: /usr/lib/python2.7/lib-dynload/_ssl.so
python: /usr/lib/libssl.so.1.0.0
ruby-timer-thr: /usr/lib/libssl.so.1.0.0
ruby: /usr/lib/libssl.so.1.0.0

    Courtesy of Anatol Pomozov from Arch Linux mailing list.

    • 3

  6. Other services are affected by this.

    For anyone who uses HMailServer, start reading here - http://www.hmailserver.com/forum/viewtopic.php?f=7&t=26276

    Anyone and everyone will need to check with the developers of all software packages to find out if updates are needed.

    • 1