I just updated a Debian Wheezy server for the first time today, after the Heartbleed bug. OpenSSL is not installed on this server, so I thought the server was not affected, and therefore it was put on the low-priority list.
In the process of updating the server, I realized that the library 'libssl' with the Heartbleed bug is installed on the server, and OpenSSH depends on this vulnerable library. The OpenSSH server was even restarted automatically. The OpenSSH server, configured to accept passwords, is the only service facing the Internet on this machine.
Is there any chance that this server has been compromised, in any way, because of the Heartbleed bug?
Before asking this question I have of course been searching to find an answer, but almost all questions regarding OpenSSH and Heartbleed are from April 8, and the answers to whether OpenSSH is affected are something like: "it could be affected", "it's probably not affected", "I don't think OpenSSH is affected", "anything that links with libssl is affected", etc., so there is no clear answer.
Answer
In short: SSH does not use TLS and as such, is not subject to the heartbleed vulnerability.
"The OpenSSH server, configured to accept passwords, is the only service facing the Internet on this machine."
Don't do that.
"Is there any chance that this server has been compromised, in any way, because of the Heartbleed bug?"
The magic eight ball says: My sources say no.
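The question mentions that the libssl upgrade restarted sshd automatically; the practical follow-up for an administrator is to confirm that every process linked against the old libssl or libcrypto was actually restarted, since a process still running with the pre-upgrade library mapped gets no benefit from the fix. The script below is an added example, not code from the question or the answer: on Linux, once the package manager has replaced the library file on disk, a process that still maps the old copy shows that mapping with a trailing "(deleted)" in /proc/<pid>/maps. The function names, the constructed sample maps lines and the pids in them are all made up for the demonstration.

```shell
#!/bin/sh
# Added example: find processes that still map a deleted (pre-upgrade)
# libssl or libcrypto and therefore need a restart. Function names and the
# constructed sample data are assumptions of this example, not from the page.

# Reads records of the form "<pid>\t<one line from /proc/<pid>/maps>" on stdin
# and prints each pid (once) that maps a deleted libssl/libcrypto file.
stale_libssl_procs() {
    awk -F'\t' '
        # Field 2 is the whole maps line; match ".../libssl.so.X (deleted)" or
        # ".../libcrypto.so.X (deleted)" at the end of the line.
        $2 ~ /lib(ssl|crypto)\.so[^ ]* \(deleted\)$/ { seen[$1] = 1 }
        END { for (p in seen) print p }
    ' | sort -n
}

# Walks the live /proc tree and feeds every readable maps file through the
# filter above. Maps of other users' processes are unreadable without root
# and are silently skipped.
scan_running_procs() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        awk -v pid="$pid" '{ print pid "\t" $0 }' "$maps" 2>/dev/null
    done | stale_libssl_procs
}

# Constructed sample data (not captured from a real host): pid 1234 still maps
# the deleted libssl and libcrypto, pid 2222 maps the current (non-deleted)
# libssl, pid 3333 maps an unrelated deleted library, pid 4444 maps no libssl.
sample_maps() {
    printf '%s\t%s\n' \
        1234 '7f3a1c000000-7f3a1c05c000 r-xp 00000000 08:01 131077 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)' \
        1234 '7f3a1c25c000-7f3a1c260000 r--p 0005c000 08:01 131077 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)' \
        1234 '7f3a1d000000-7f3a1d1c0000 r-xp 00000000 08:01 131090 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)' \
        2222 '7f9b20000000-7f9b2005c000 r-xp 00000000 08:01 131200 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0' \
        3333 '7fd000000000-7fd000010000 r-xp 00000000 08:01 99 /lib/x86_64-linux-gnu/libz.so.1.2.7 (deleted)' \
        4444 '7fe000000000-7fe000100000 r-xp 00000000 08:01 100 /usr/bin/sshd'
}

# With "--scan" the script inspects the live system; with no argument it runs
# against the constructed sample, which reports only pid 1234.
case "${1:-}" in
    --scan) scan_running_procs ;;
    *)      sample_maps | stale_libssl_procs ;;
esac
```

Running it as root with `--scan` lists the pids to restart; an empty result means no process is still holding the old library. On Debian the `checkrestart` tool from the debian-goodies package does the same job more broadly (it reports deleted mappings of any library, not just libssl).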