[Slackbuilds-users] Cauterizing heartbleed (CVE-2014-0160)
mancha
mancha1 at hush.com
Sat Apr 12 07:06:15 UTC 2014
B Watson <yalhcru at ...> writes:
> On 4/12/14, mancha <mancha1 at ...> wrote:
> > After identifying candidates, we can worry about whether the bundled
> > or statically-linked OpenSSLs are vulnerable or not.
>
> Possibly stupid question but I'll ask it anyway. Are clients even
> vulnerable? Everything I've seen about heartbleed (and I haven't
> really researched in detail either) talks about attacks against
> vulnerable servers... is it possible for a malicious server to exploit
> an unpatched client?
>
Heartbeats are basically pings for [D]TLS and they can originate at
either the client or server. So, yes, clients are "heartbleedable".
In fact, you can use this python script to set up a listener and point
your favorite OpenSSL-linked clients (e.g. wget, curl, etc.) at it:
https://github.com/Lekensteyn/pacemaker
--mancha
More information about the SlackBuilds-users
mailing list