
Comment by gojomo

12 years ago

Does SSH (specifically sshd) on major OSes use affected versions of OpenSSL? [answer pulled up from replies below: since sshd doesn't use TLS protocol, it isn't affected by this bug, even if it does use affected OpenSSL versions]

What's the quickest check to see if sshd, or any other listening process, is vulnerable?

(For example, if "lsof | grep ssl" only shows 0.9.8-ish version numbers, is that a good sign?)

The bug is in the handling of the TLS protocol itself (actually, in a little-used extension of TLS, the TLS Record Layer Heartbeat Protocol), and isn't exposed in applications that just use TLS for crypto primitives.

  • Sooo in layman's terms - we only need to be worrying about HTTPS and not SSH?

    • Yes and no.

      First off, TLS is crypto bread-and-butter that's used for a lot more than HTTPS. You're not out of the woods because you're not running a webserver.

      Second, SSH itself doesn't use TLS; it has its own protocol, so sshd isn't vulnerable.

      But third, read overflows like this can be escalated in countless ways to total compromise if some credential, key, canary, or such gets leaked. So just because sshd isn't vulnerable doesn't mean you're not screwed.

    • Not only HTTPS. Many other protocols are TLS-based: modern email, some VPNs, etc. Really almost everything secret on the Internet is protected by TLS; SSH is a rare exception.

  • Ok, so is TLS Heartbeat accessible in every service that uses TLS?

    The big one that comes to mind aside from https is smtp/tls, e.g. port 587

    Edit: Apparently a PoC on STARTTLS has already been written, so smtp/tls is definitely vulnerable
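
Added example, not part of the thread: a triage of `lsof -n -P` output that follows the distinction drawn above, separating listening processes that map `libssl` (OpenSSL's TLS protocol code) from those that map only `libcrypto` (crypto primitives, as with sshd). The function names and the sample listing are constructed for illustration and do not come from any real host.

```shell
#!/bin/sh
# Added example. Reads `lsof -n -P` output on stdin and prints, for every
# process with a listening TCP socket: command, pid, ports, OpenSSL class.
tls_triage() {
  awk '
    # Listening socket lines end in "(LISTEN)"; the field before is addr:port.
    $NF == "(LISTEN)" {
      cmd[$2] = $1
      ports[$2] = ports[$2] sep[$2] $(NF-1)
      sep[$2] = ","
    }
    # Mapped library lines; matching the whole line also catches
    # mappings that lsof marks as deleted after a package upgrade.
    /\/libssl\.so/    { ssl[$2] = 1 }
    /\/libcrypto\.so/ { crypto[$2] = 1 }
    END {
      for (pid in cmd) {
        if (pid in ssl)         class = "libssl"          # TLS protocol code loaded
        else if (pid in crypto) class = "libcrypto-only"  # primitives only
        else                    class = "no-openssl"
        printf "%s %s %s %s\n", cmd[pid], pid, ports[pid], class
      }
    }' | LC_ALL=C sort
}

# Constructed sample input (hypothetical pids, paths and services).
sample_lsof() {
  cat <<'EOF'
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 801 root mem REG 8,1 1934624 1001 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
sshd 801 root 3u IPv4 11001 0t0 TCP *:22 (LISTEN)
nginx 1422 root mem REG 8,1 1934624 1001 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
nginx 1422 root mem REG 8,1 383112 1002 /lib/x86_64-linux-gnu/libssl.so.1.0.0
nginx 1422 root 6u IPv4 12001 0t0 TCP *:80 (LISTEN)
nginx 1422 root 7u IPv4 12002 0t0 TCP *:443 (LISTEN)
smtpd 1500 root mem REG 8,1 383112 1002 /lib/x86_64-linux-gnu/libssl.so.1.0.0
smtpd 1500 root 13u IPv4 13001 0t0 TCP *:587 (LISTEN)
EOF
}

sample_lsof | tls_triage
```

A `libssl` result only marks a process as worth checking; the library file name does not give the exact OpenSSL release, so confirm the installed version through the package manager. Statically linked binaries map no shared library and will not show up in this listing.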