OpenSSL Heartbleed vulnerability
CVE-2014-0160
A serious vulnerability in OpenSSL was publicly released on 7th April. Please see http://heartbleed.com/ and https://access.redhat.com/security/cve/CVE-2014-0160 for full details.
All affected M.D.G. IT servers should now have the patched version of OpenSSL installed. You can verify that your website is running a secure version of OpenSSL at this link: http://filippo.io/Heartbleed/
Our research indicates that the vulnerable code has been in use on CentOS 6.5 (earlier versions of CentOS are unaffected) since 23 November 2013. This means that sites running SSL on CentOS 6.5 have been vulnerable for approximately 4.5 months. The actual vulnerability was not publicly disclosed, however, until 7th April 2014.
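The external check at filippo.io can be complemented by a check on the host itself. The script below is an added example and not M.D.G. IT's tooling. It assumes a CentOS/RHEL host with rpm, where Red Hat backports the fix without changing the OpenSSL version string (so "openssl version" alone proves nothing) and the package changelog names CVE-2014-0160. It also looks for daemons that were started before the update and still have the old, now deleted, libssl/libcrypto mapped; those keep serving with the vulnerable code until restarted. The sample changelog and /proc maps lines are constructed so the checks can be run offline.

```shell
#!/bin/sh
# Added example (not M.D.G. IT's tooling): confirm the CVE-2014-0160 fix is
# both installed and actually loaded on a CentOS/RHEL host.
#  1. Red Hat backports fixes without changing the upstream version string, so
#     "openssl version" is not conclusive; the rpm changelog names the CVE.
#  2. Daemons started before the update keep the old library mapped; the kernel
#     shows it as "(deleted)" in /proc/<pid>/maps until the daemon is restarted.
set -u

# Returns 0 if the changelog text on stdin mentions the CVE given as $1.
changelog_mentions_cve() {
    grep -q -- "$1"
}

# Reads /proc/<pid>/maps lines on stdin. Prints each distinct deleted
# libssl/libcrypto path still mapped and returns 1; returns 0 if none.
stale_tls_libs() {
    stale=$(grep -E 'lib(ssl|crypto)[^ ]*\.so[^ ]* \(deleted\)' | awk '{print $6}' | sort -u)
    if [ -n "$stale" ]; then
        printf '%s\n' "$stale"
        return 1
    fi
    return 0
}

# Live check of this host (run as root so other users' maps are readable).
check_host() {
    if rpm -q --changelog openssl 2>/dev/null | changelog_mentions_cve CVE-2014-0160; then
        echo "openssl package: changelog references CVE-2014-0160 (fix installed)"
    else
        echo "openssl package: no CVE-2014-0160 entry, update it"
    fi
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        # cat so an unreadable maps file yields empty input rather than an error
        if ! cat "$maps" 2>/dev/null | stale_tls_libs >/dev/null; then
            echo "restart needed: pid $pid ($(cat "/proc/$pid/comm" 2>/dev/null))"
        fi
    done
}

# Constructed sample data for the offline demonstration below.
SAMPLE_CHANGELOG='* Mon Apr 07 2014 (constructed changelog entry)
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension'
SAMPLE_MAPS='7f1e2c000000-7f1e2c1c8000 r-xp 00000000 fd:00 1310720 /usr/lib64/libcrypto.so.1.0.1e (deleted)
7f1e2c3d0000-7f1e2c431000 r-xp 00000000 fd:00 1310740 /usr/lib64/libssl.so.1.0.1e (deleted)
7f1e2c640000-7f1e2c7ca000 r-xp 00000000 fd:00 1310700 /lib64/libc-2.12.so'
CLEAN_MAPS='7f1e2c000000-7f1e2c1c8000 r-xp 00000000 fd:00 1310721 /usr/lib64/libcrypto.so.1.0.1e
7f1e2c640000-7f1e2c7ca000 r-xp 00000000 fd:00 1310700 /lib64/libc-2.12.so'

demo() {
    printf '%s\n' "$SAMPLE_CHANGELOG" | changelog_mentions_cve CVE-2014-0160 \
        && echo "sample changelog: fix present"
    printf '%s\n' "$SAMPLE_MAPS" | stale_tls_libs \
        || echo "sample process: stale TLS libraries listed above, restart needed"
    printf '%s\n' "$CLEAN_MAPS" | stale_tls_libs && echo "clean process: nothing stale"
}

demo
if command -v rpm >/dev/null 2>&1; then check_host; fi
```

A process flagged by the second check has the patched file on disk but the old code in memory; restarting it (or rebooting) is part of applying the fix, not an optional extra.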
The question now remains as to how to respond to this situation. From a technical point of view, the most thorough response would involve, in the following order:
- Rekeying all SSL certificates in use and revoking the previous certificate. This is because it is possible that the private key of an SSL certificate on a server running vulnerable versions of OpenSSL has been disclosed.
This would require someone actually exploiting the vulnerability on a given server, either in the ~24 hours between public disclosure of the vulnerability and the patched versions of OpenSSL being applied, or earlier if this vulnerability was known to private parties before being publicly disclosed.
The private key would then allow either a man-in-the-middle attack or the ability to eavesdrop on an SSL session secured by this key and decipher it. Both of these would require access to the network data being transmitted between a visitor and the server. Our opinion is that rekeying certificates is probably unnecessary, considering the relatively low chance of a key being discovered, and because the network access required to eavesdrop on or spoof traffic to exploit this is very difficult for an attacker to gain.
- Resetting all Magento admin user passwords. It is possible that the data leaked by this vulnerability included admin passwords. We advise all users to reset all Magento admin passwords.
- Resetting all user passwords. The assumption is that no Magento store should be storing credit card details. Considering this, and the realistic likelihood of user accounts being compromised, our opinion is that, in the absence of any indication that a user account has been breached, the public perception problems involved in resetting all user account passwords may outweigh the low risk of user accounts being compromised.
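For the rekeying step at the top of that list, the following is an added example and not M.D.G. IT's procedure. It uses the openssl CLI (assumed present) to generate a fresh private key and CSR, then verifies by comparing public-key moduli that the new key really differs from the one in the old certificate (a common mistake is to reissue the certificate on the old key, which rotates nothing) and that the CSR sent to the CA was built from the new key. The old certificate here is a self-signed stand-in generated by the script itself, and the hostname shop.example.com is made up.

```shell
#!/bin/sh
# Added example (not M.D.G. IT's procedure): rotate a TLS private key after a
# possible Heartbleed exposure and check that the rotation actually happened.
# Assumes the openssl CLI. old.crt stands in for the certificate that was live
# on the vulnerable host; here it is a self-signed stand-in.
set -eu

# SHA-256 of the RSA modulus of a cert (x509), key (rsa) or CSR (req), so the
# public keys can be compared without printing key material.
modulus_digest() {  # $1 = x509|rsa|req, $2 = file
    openssl "$1" -noout -modulus -in "$2" | openssl dgst -sha256 | awk '{print $NF}'
}

# Generate new.key and new.csr in $1 for CN $2 and verify:
#  - the new key does not match old.crt (otherwise nothing was rotated)
#  - the CSR was built from the new key
rekey() {
    dir=$1; cn=$2
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
        -keyout "$dir/new.key" -out "$dir/new.csr" 2>/dev/null
    chmod 600 "$dir/new.key"
    old=$(modulus_digest x509 "$dir/old.crt")
    new=$(modulus_digest rsa "$dir/new.key")
    csr=$(modulus_digest req "$dir/new.csr")
    if [ "$new" = "$old" ]; then
        echo "ERROR: new key is the same key as the old certificate" >&2
        return 1
    fi
    if [ "$new" != "$csr" ]; then
        echo "ERROR: CSR does not match the new key" >&2
        return 1
    fi
    echo rotated
}

# Constructed stand-in for the certificate/key pair that was exposed.
make_old_cert() {  # $1 = dir, $2 = CN
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/old.key" -out "$1/old.crt" 2>/dev/null
}

if command -v openssl >/dev/null 2>&1; then
    work=$(mktemp -d)
    make_old_cert "$work" shop.example.com
    rekey "$work" shop.example.com
    echo "next: send new.csr to the CA, install the issued cert, restart the service, revoke the old cert"
    rm -rf "$work"
fi
```

Revocation of the old certificate only takes effect for clients that check CRLs or OCSP, so the new key going live and the old key being removed from the server are what actually end the exposure.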
The www.mdg-it.com.au website and client area run OpenSSL 0.9.8, and are not affected by this vulnerability—no M.D.G. IT SSL certificates or user accounts were at risk.
Wednesday, April 9, 2014