On Wed, Apr 09, 2014 at 05:54:33PM -0400, Victoriano Giralt wrote:
> I'd like to 'hear' Wietse's and Victor's opinion on how could
> this nasty bug affect a TLS service like submission?
In pretty much the same way that it applies to web services.
* SSL/TLS Private keys may be compromised.
* GSSAPI SASL Kerberos keys may be compromised.
* User passwords may be compromised.
* SSL session keys may be compromised.
* Recently received email messages whose (partial?) content is
still in memory may be compromised.
* ...
It is interesting to note that Postfix always wipes memory as it
is released (de-allocated) back to the heap. So, one might think
that Postfix is safe, but the plaintext buffers that Postfix reads
from OpenSSL are allocated and deallocated by OpenSSL, not Postfix.
OpenSSL by default uses the C library malloc/free functions without
generally wiping memory passed to free(). So anything read from
a remote client may be available via this attack to a different
client.
Also anything that is still allocated on the heap (depending on
timing and memory layout details too difficult to predict) may be
disclosed. Thus private keys which are read early might be less
likely to be disclosed if memory for SSL packets is always further
down the heap, but the analysis to determine this to be true would
be rather difficult and conditioned on too many details to apply
broadly.
Postfix could have employed the OpenSSL feature that allows
applications to supply their own malloc/free to prevent leakage of
data in freed memory, and perhaps I'll look into that, but it is
a bit late to close that barn door. This would have limited
disclosure to just data remaining in memory (such as the SSL private
keys, possibly Kerberos keys for GSSAPI SASL auth, ...).
> I suppose that the answer would very well be that "it depends on
> the availability of exploits", but ...
Exploits for SMTP with STARTTLS are not substantially different
from exploits for HTTPS. They are available.
- Upgrade to 1.0.1g ASAP if running 1.0.1--1.0.1f, and/or re-compile
OpenSSL with -DOPENSSL_NO_HEARTBEATS
- Replace server TLS private keys and certificates.
- Consider asking users to change SASL PLAIN/LOGIN auth passwords.
- Change all GSSAPI server keys *and* after any extant tickets expire,
purge the old keys from the keytab file.
--
Viktor.
