From owner-freebsd-security@FreeBSD.ORG Sat Apr 26 18:33:38 2014 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 21335475 for ; Sat, 26 Apr 2014 18:33:38 +0000 (UTC) Received: from mail-la0-f48.google.com (mail-la0-f48.google.com [209.85.215.48]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 845C51772 for ; Sat, 26 Apr 2014 18:33:36 +0000 (UTC) Received: by mail-la0-f48.google.com with SMTP id gf5so3900981lab.21 for ; Sat, 26 Apr 2014 11:33:28 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=YQg3IV2X8SP2LvfByXfi/5jHDXogs6l0V0OUq9Jg1y8=; b=Jt+obz5qC1gvn3j3nBYH/VZN2eKF3CnSDU5wyMpqNY3HZZWapsiD+0tINq3Tpsu9SX eSyVcRbIdck3Zxgy9jISTtI4FfaiZCykvjiGLlUEbh5eptlzsjn775qSlJz3cTenizCH s+ktHh3v9nqwqKrx7Bzd3Tixy0T4LKNxIkiv7Mt/b7YiToesfut4C6EGPJkt8fRs7JMA Zi/EX876RVChpeHgdws0mjO9JMK7VMmfyfY/41hFSyPy6kA4ZJutqV6MtqKuEcpmpxlA MNOjj6XEM1pg6b/cyiYG7cATtDV+fpw5meSV46VBXk00tBwf4I8ArlXAbRV9fzF/3VNM DNbw== X-Gm-Message-State: ALoCoQnkTCr25mdby7CNXeLOeFPxc/mPuPhaDBLP1P9WjV0RCcXlG5CVT4V0ENY45hyHT9IHZpMJ MIME-Version: 1.0 X-Received: by 10.112.137.5 with SMTP id qe5mr10596701lbb.16.1398537208400; Sat, 26 Apr 2014 11:33:28 -0700 (PDT) Received: by 10.112.39.71 with HTTP; Sat, 26 Apr 2014 11:33:28 -0700 (PDT) X-Originating-IP: [208.54.40.253] Received: by 10.112.39.71 with HTTP; Sat, 26 Apr 2014 11:33:28 -0700 (PDT) In-Reply-To: References: Date: Sat, 26 Apr 2014 13:33:28 -0500 Message-ID: Subject: RE: am I NOT hacked? From: Leif Pedersen To: Joe Parsons Content-Type: text/plain; charset=UTF-8 X-Content-Filtered-By: Mailman/MimeDel 2.1.17 Cc: "freebsd-security@freebsd.org" X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 26 Apr 2014 18:33:38 -0000 The vulnerability is contained by the process's memory space, since one process cannot read another's memory by merely referencing it (although with exec priv a process can inspect another ...doesn't apply here). OpenSSH doesn't use OpenSSL, nor does su, so passwords aren't vulnerable when typed into them. If your mail server uses the OpenSSL port/pkg and password authentication, then passwords of users who logged in were vulnerable and need to be changed. Those passwords may have subsequently been used to log in so check their accounts for unwanted .ssh/authorized_keys that an attacker may have dropped in for a back door. If one of those passwords allows root access...consider tje system fully compromised. On 2014-04-26 1:05 PM, "Joe Parsons" wrote: > Ok, thanks a lot for all your kind help. I learned the pwd_mkdb manpage > and the databases as you suggested. > > To clarify, I understand 9.1 kernel contains the non-vulnerable version of > openssl library, hence mere apache/https is not vulnerable. However the > vulnerable openssl port is installed for the mail software to provide > imaps/pops/smtps services, so they are vulnerable. > > The following reply is what I'm confused: > > In any case, heartbleed does *not* facilitate remote code execution or > > code injection, only information retrieval, so unless your passwords > > were stored in cleartext (or a weakly hashed form) in the memory of an > > Internet-facing SSL-enabled service (such as https, smtp with STARTTLS > > or imaps, but not ssh), you cannot have been "hacked" as a consequence > > of heartbleed.I ssh into the system, and I /usr/bin/su to become root. > Do my shell passwords show up in in clear text in the memory briefly, so > the attacker could happen to harvest them? In another word, on a system > with the vulnerable openssl port, do we need to change the shell password > for root and other users, if these passwords are ONLY used in ssh and > /usr/bin/su ? > > I googled and found few result, almost all are focused on changing user > mail passwords and server certificates. Only found this page said they > changed server root password: > > http://digitalopera.com/geek-rants/what-were-doing-to-combat-heartbleed/ > > Thanks, Joe > > > From: bilbo@hobbiton.org > > Date: Sat, 26 Apr 2014 12:02:05 -0500 > > Subject: Re: am I NOT hacked? > > To: jp4314@outlook.com > > CC: freebsd-security@freebsd.org > > > > Joe, > > > > Just thinking about this practically, I don't think you were compromised. > > It seems more like you goofed the upgrade in the same way on each VM. > Also, > > if I were attacking, I wouldn't leave such overt traces that one would > > immediately notice. And if the attacker were goofing up that badly, he'd > > likely not do it the same way on every VM. Not that assuming anything > about > > an attacker's intelligence guarantees anything, but it does seem like an > > odd thing to do. Not to mention other's comments about pre-10 not being > > vulnerable, and local compromise requiring that your password or SSH key > > was read by a process serving SSL sockets. > > > > If you decide it's likely your system was compromised while it was > > vulnerable, shutting off the system is a priority to stop ongoing > damages. > > Then you have to mount its disks in a clean system so that whatever bad > > stuff (bots, backdoors, etc) the attacker added don't just start again at > > reboot, and to be sure the attacker doesn't merely add backdoors back > while > > you take them away. It's hard to be sure you fixed every single file that > > was touched ...executables, dynamic libs, configs, and much more contain > > subtle ways to leave a back door, and one could even patch the kernel to > > hide a malicious process in memory. Starting from a fresh install and > > copying your data over is really the quickest and safest approach. Since > > "restore your data" usually means home directories, be sure to check > > everyone's .ssh/authorized_keys for unwanted entries before copying. > > > > Try "man pwd_mkdb" for info on the password database; especially look > under > > the "FILES" heading. It's a good subsystem to know more about anyway, and > > not complicated. It is perhaps easier to remember that using vipw to add > a > > blank line will sync everything than to remember the cryptic "pwd_mkdb -p > > /etc/master.passwd" command though. > > > > Actually having a machine compromised is no fun; I've been there. I do > hope > > that's not the case for you. > > > > - Leif > > > > > > On Sat, Apr 26, 2014 at 4:55 AM, Joe Parsons wrote: > > > > > I was slow to patch my multiple vms after that heartbleed disclosure. > I > > > just managed to upgrade these systems to 9.2, and installed the patched > > > openssl, then started changing passwords for root and other shell > users. > > > However I realized that, only the root password was changed. For > other > > > users, even though the "passwd userid" issued no warning, and "echo > $?" is > > > 0, the password is NOT changed. > > > > > > For more debugging, I tried to "adduser", the command was successful, > and > > > I can see the new entry "test" in /etc/passwd. However "finger test" > > > complains no such user! Also, "rm test" complains there is no such > user to > > > delete as well. > > > > > > Furthermore, the mail server got problem sending email, the log file > said > > > there is no such user "postfix", and sure enough: > > > > > > # finger postfix > > > finger: postfix: no such user > > > > > > while this "postfix" user certainly existed for years, and I can see > see > > > its entry in /etc/passwd. > > > > > > This appeared to all the multiple vms on multiple hosts, all running > > > FreeBSD 9.2 now. > > > > > > I was paranoid, I really should have patched all these systems > immediately > > > reading that heartbleed news, as all these servers had the vulnerable > > > openssl port installed! > > > > > > Until googling and I found this: > > > > > > https://forums.freebsd.org/viewtopic.php?&t=29644 > > > > > > it said "The user accounts are actually stored in a database. It's > > > possible it got out of sync with your [file]/etc/passwd[/file] file.", > and > > > it suggested running "vipw" to fix it. > > > > > > I ran vipw, then saved, and quit. No joy. Then ran vipw again, made a > > > change, then undid the change, save again. Now "finger postfix" found > the > > > user, and I can change user password now, and all the above problem > > > disappeared. > > > > > > Am I right that, that I am NOT hacked? Is the above problem produced > by > > > the freebsd-update process? Is this supposed to happen? I just > followed > > > the handbook to update from 9.1-RELEASE to 9.2-RELEASE, never compiled > > > kernel or tweak. > > > > > > Thank you! Joe > > > > > > _______________________________________________ > > > freebsd-security@freebsd.org mailing list > > > http://lists.freebsd.org/mailman/listinfo/freebsd-security > > > To unsubscribe, send any mail to " > freebsd-security-unsubscribe@freebsd.org > > > " > > > > > > > > > > > -- > > > > As implied by email protocols, the information in this message is > > not confidential. Any middle-man or recipient may inspect, modify, > > copy, forward, reply to, delete, or filter email for any purpose unless > > said parties are otherwise obligated. As the sender, I acknowledge that > > I have a lower expectation of the control and privacy of this message > > than I would a post-card. Further, nothing in this message is > > legally binding without cryptographic evidence of its integrity. > > > > http://bilbo.hobbiton.org/wiki/Eat_My_Sig > > _______________________________________________ > > freebsd-security@freebsd.org mailing list > > http://lists.freebsd.org/mailman/listinfo/freebsd-security > > To unsubscribe, send any mail to " > freebsd-security-unsubscribe@freebsd.org" > > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org > " >