On 04/10/2014 12:33 AM, Scott Howard wrote:
> What about binaries that might have OpenSSL statically linked? Even if you update the system libraries you could still be vulnerable.

These are rare to me. ls -la x_file + ldd x_file on the binary might show a couple of marks for it. In general, most CentOS builds support dynamically linking libraries rather than statically embedding them. These do consider the case of an update for performance etc.

If it's custom software that is vulnerable, I think that the exploit can be blocked using a couple of iptables u32 rules, but I am not sure how to do that (connection marking and phases of the connection). I might have not seen that the issue requires more than a simple iptables rule and might need a whole module, but the idea is: test only what you know should be tested, and don't run to start a career in Pen-Testing.

All The Bests,
Eliezer
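
One way to script the ldd check discussed in this message, as an added example that is not part of the original thread: it reports whether a file resolves libssl/libcrypto through the dynamic loader and, if not, whether an OpenSSL version string is embedded in it (a sign of static linking). The function names are hypothetical; the embedded-string check assumes the usual OpenSSL version text (for example "OpenSSL 1.0.1e 11 Feb 2013") was not stripped from the build.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the thread.

# Print the distinct OpenSSL version strings embedded in a file.
# OpenSSL compiles in a version text such as "OpenSSL 1.0.1e 11 Feb 2013".
embedded_openssl_versions() {
    LC_ALL=C grep -a -o -E 'OpenSSL [0-9]+\.[0-9]+\.[0-9]+[a-z]*' "$1" 2>/dev/null | sort -u
}

# True if the dynamic loader would resolve libssl or libcrypto for this file.
# ldd is the tool named in the message; run it only on binaries you trust.
links_openssl_dynamically() {
    ldd "$1" 2>/dev/null | grep -q -E 'lib(ssl|crypto)\.so'
}

# Classify one file as "dynamic", "embedded: <versions>" or "none".
classify_openssl_use() {
    if links_openssl_dynamically "$1"; then
        echo "dynamic"
        return 0
    fi
    versions=$(embedded_openssl_versions "$1" | tr '\n' ',' | sed 's/,$//')
    if [ -n "$versions" ]; then
        # Updating the system libraries does not change this copy;
        # the binary itself has to be rebuilt or replaced.
        echo "embedded: $versions"
    else
        echo "none"
    fi
}

# Stand-alone use: pass the files to inspect as arguments.
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(classify_openssl_use "$f")"
done
```

A result of "dynamic" means the binary picks up the updated system library after a restart; "embedded" means it carries its own copy and the printed version is the one to compare against the vendor advisory.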