Date: Thu, 10 Apr 2014 13:33:47 +0300 From: Kimmo Paasiala <kpaasial@icloud.com> To: freebsd-security@freebsd.org Cc: Dirk Engling <erdgeist@erdgeist.org> Subject: Re: http://heartbleed.com/ Message-ID: <680DECA1-4AD9-4B40-8F82-68E8499C01BB@icloud.com> In-Reply-To: <5344020E.9080001@erdgeist.org> References: <53430F72.1040307@gibfest.dk> <53431275.4080906@delphij.net> <5343FD71.6030404@sentex.net> <5344020E.9080001@erdgeist.org>
next in thread | previous in thread | raw e-mail | index | archive | help
[-- Attachment #1 --] On 8.4.2014, at 17.05, Dirk Engling <erdgeist@erdgeist.org> wrote: > On 08.04.14 15:45, Mike Tancsa wrote: > >> I am trying to understand the implications of this bug in the >> context of a vulnerable client, connecting to a server that does not >> have this extension. e.g. a client app linked against 1.xx thats >> vulnerable talking to a server that is running something from RELENG_8 >> in the base (0.9.8.x). Is the server still at risk ? Will the client >> still bleed information ? > > If the adversary is in control of the network and can MITM the > connection, then yes. The client leaks random chunks of up to 64k > memory, and that is for each heartbeat request the server sends. > > erdgeist > Going back to this original report of the vulnerability. Has it been established with certainty that the attacker would first need MITM capability to exploit the vulnerability? I’m asking this because MITM capability is not something that just any attacker can do. Also if this is true then it can be argued that the severity of this vulnerabilty has be greatly exaggerated. -Kimmo [-- Attachment #2 --] -----BEGIN PGP SIGNATURE----- iQEcBAEBAgAGBQJTRnOPAAoJEFvLZC0FWRVpFY0H/3Sek6VeBBJJEoUMyAtCT7i1 XEFOAqW69Qs5n4Frp2psjmjwSxUxJphWgE+/izzYDOfxV76yqDSvNJDAxdZG57gR bjt1ASSCFGuLxIuZ9h8F3PlausBn83M30ycv67g5h/mwKw3lSVmi5FRbELLk2QXu zDjBTKKmzjD5mIp2IjSTlK8WaT5GWPIZh1RMNYGHN161WL097wjfbORMXXfAT3Ys 60dXFxUdv6Fs345z9zy+g4A58/K4FCAfbfGZajdPIQecwPzzBC9um2H1oKPHSDgE 9M5Gnn39i5loRRSGAbpfwRCMS98RdLb45sQQtiSAekFDoFiOBE/CONKY85cMVA0= =cZAw -----END PGP SIGNATURE-----
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?680DECA1-4AD9-4B40-8F82-68E8499C01BB>