Comment by lawl

12 years ago

Holy shit. That seems worse than the Debian OpenSSL debacle.

If I got that right, ALL OpenSSL private keys are now potentially compromised.

I hope vendors push fixes soon, and then I guess I'm busy for a few days regenerating private keys.

Oh it's even worse, basically every secret you had in your server processes' RAM was potentially read in real-time by an attacker for the last 2 years.

  • Isn't there any memory protection on Linux? Something running as www-data shouldn't be able to read the ssh-server's RAM?

    So it's bad, but it's not that bad unless something exposing this bug (webserver with ssl, vpn, or other service) runs as root?

    • It can only access memory of the process running OpenSSL. So if you got nginx in front of your web processes they are protected. However anything in the nginx process is accessible (e.g. certificates).

  • Unless you used forward secrecy, which you should anyway in case of a key compromise. Key compromises can happen in many ways.