Blog Manager
We are the Computer Security and Incident Response Team (CSIRT) for the Janet network. Part of Jisc's Security Operations Centre, our mission is to safeguard the current and future network security of Janet (steering the security policies for all Janet connections) and of our customers, creating a secure environment in which to conduct your online activities. Our primary function is to monitor and resolve any security incidents that occur on the Janet network, with specialists tracking a range of platforms, including Unix, Linux and Windows.

Heartbleed OpenSSL Vulnerability CVE-2014-0160

Thursday, April 17, 2014 - 14:49

We responded to the announcement of the OpenSSL vulnerability (CVE-2014-0160, "Heartbleed") on 8th April 2014.

Technical advice (detailed below) has been issued to colleagues across the sector to assist them in responding to this vulnerability.

In addition, replacement certificates for organisations affected by this vulnerability will be issued at no cost by the Janet Certificate Service. If your organisation is affected, is taking steps to address this, and requires a replacement certificate, please visit the following URL for further information.

https://community.ja.net/groups/janet-certificate-service/article/how-claim-back-your-certificate-credit

Technical advice

OpenSSL versions 1.0.1 through 1.0.1f (and 1.0.2-beta1) contain a critical vulnerability in the TLS heartbeat extension. A malformed heartbeat request causes the peer to return up to 64 KB of its process memory per request; repeated requests can disclose the server's private key, session keys, credentials and other sensitive material. Clients built against an affected OpenSSL are exposed in the same way when they connect to a malicious server. The 0.9.8 and 1.0.0 branches are not affected.

The attack is trivial to execute, requires no authentication, and by default leaves no trace in server logs: the malformed heartbeat is handled entirely inside the TLS layer, so the application above it never sees the request.
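Because the attack is invisible to the application, detection has to happen on the wire. The following is an added example (not code from the Janet CSIRT advisory): it applies the bounds check that OpenSSL 1.0.1g added to tls1_process_heartbeat() to a captured TLS record, and separately flags heartbeat records too large to be legitimate. The body check only works on plaintext heartbeats (which is how the common probes send them, before the handshake completes); the size check also works on encrypted ones, because the five-byte record header is never encrypted. The 256-byte size threshold and the sample records are assumptions constructed for this example.

```python
"""Offline detector for Heartbleed-style TLS heartbeat records.

Added example, not part of the Janet CSIRT advisory.  The malformed-length
rule is the one OpenSSL 1.0.1g added; the size rule is a heuristic used by
IDS signatures because the record header stays in the clear.
"""
import struct

TLS_HEARTBEAT = 0x18            # TLS content type of the heartbeat extension (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
HB_PADDING = 16                 # RFC 6520 requires at least 16 bytes of padding
MAX_SANE_HB_LEN = 256           # assumption: a legitimate heartbeat record is tiny


def parse_tls_record(buf):
    """Split one TLS record into (content_type, version, declared_len, body)."""
    if len(buf) < 5:
        raise ValueError("short TLS record header")
    ctype, version, length = struct.unpack("!BHH", buf[:5])
    body = buf[5:5 + length]
    if len(body) != length:
        raise ValueError("truncated TLS record")
    return ctype, version, length, body


def classify_heartbeat(buf):
    """Return None for non-heartbeat records, otherwise a verdict string.

    'malformed' : payload_length claims more than the record carries
                  (the Heartbleed trigger; 1.0.1g silently discards these)
    'oversized' : heartbeat record far larger than any legitimate one
                  (a response leaking memory, or a large probe); works even
                  when the body is encrypted
    'ok'        : a well-formed, normally sized heartbeat
    """
    ctype, _version, length, body = parse_tls_record(buf)
    if ctype != TLS_HEARTBEAT:
        return None
    if length > MAX_SANE_HB_LEN:
        return "oversized"
    if len(body) < 3:
        return "malformed"          # too short to carry type + payload_length
    _hb_type, payload_len = struct.unpack("!BH", body[:3])
    # OpenSSL 1.0.1g: if (1 + 2 + payload + 16 > s->s3->rrec.length) discard
    if 1 + 2 + payload_len + HB_PADDING > length:
        return "malformed"
    return "ok"


def build_heartbeat(hb_type, claimed_len, payload=b"", padding=b"\x00" * HB_PADDING,
                    version=0x0302):
    """Build a plaintext heartbeat record; claimed_len may differ from len(payload)."""
    body = struct.pack("!BH", hb_type, claimed_len) + payload + padding
    return struct.pack("!BHH", TLS_HEARTBEAT, version, len(body)) + body


def scan_records(records):
    """Classify a list of records; return (index, verdict) for the suspicious ones."""
    alerts = []
    for i, rec in enumerate(records):
        verdict = classify_heartbeat(rec)
        if verdict in ("malformed", "oversized"):
            alerts.append((i, verdict))
    return alerts


# Constructed sample records (not captured traffic).
GOOD_HB = build_heartbeat(HB_REQUEST, 4, b"ping")                       # honest 4-byte payload
HEARTBLEED_HB = build_heartbeat(HB_REQUEST, 0x4000)                     # claims 16 KiB, carries 0
LEAKY_RESPONSE = build_heartbeat(HB_RESPONSE, 0x4000, b"A" * 0x4000)    # 16 KiB of "memory" coming back
APPDATA = struct.pack("!BHH", 0x17, 0x0302, 5) + b"hello"               # ordinary application data

if __name__ == "__main__":
    for name, rec in [("good", GOOD_HB), ("probe", HEARTBLEED_HB),
                      ("leak", LEAKY_RESPONSE), ("appdata", APPDATA)]:
        print(f"{name:8s} -> {classify_heartbeat(rec)}")
```

To use it against real traffic, feed it the TLS records reassembled from a capture; a 'malformed' request followed by an 'oversized' response from the server is the signature of a successful read.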

Any operating system that ships an affected OpenSSL build is exposed, including Solaris, CentOS, Ubuntu and Debian, and so is every service on those platforms that links against it.

All services relying on these versions of OpenSSL should be considered at risk, including SSL VPNs, RADIUS (EAP methods such as PEAP and EAP-TTLS), HTTPS, IMAP, SMTP, XMPP and any other TLS-enabled service.

Proprietary appliances (such as systems and DNS management tools) may also be running affected versions of OpenSSL. Software that bundles or statically links its own copy of OpenSSL is not fixed by updating the operating system package and must be updated separately.

We have confirmed that VMware ESXi 5.5 is vulnerable; access to its management interfaces should be heavily restricted until a patch is available.

Where a patch is available, it should be applied immediately. Otherwise, access to any affected service should be heavily restricted or the service disabled.

Further information on the vulnerability is available at the following URLs:

http://www.kb.cert.org/vuls/id/720951

http://heartbleed.com/

If you identify a system that is vulnerable, our advice is to:

1) Patch the system first, either by installing a fixed version of OpenSSL (1.0.1g, or 1.0.2-beta2 for the 1.0.2 beta line) or by recompiling the existing version with the -DOPENSSL_NO_HEARTBEATS flag. Then restart every service that links against OpenSSL: a running process keeps the old library in memory until it is restarted.

2) Generate a new private key. The old key must be treated as compromised: the attack leaves no trace, so there is no way to establish that it was not read.

3) Replace the certificate on the affected system, and revoke the old certificate.
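The three steps above as a script, added here as an example and not part of the Janet CSIRT advisory. It first confirms the installed package is actually fixed by reading the package changelog rather than the version string, because distributions that backport fixes (as the CentOS discussion in the comments shows) keep the old version number; it then generates a fresh key, proves it differs from the old one, and writes the CSR for the replacement certificate. The host name, file names, service names and the sample changelog and s_client lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the Janet CSIRT advisory.  Helpers for the
# three remediation steps, plus the "are we really patched?" check that
# must come first.  Host names, paths and sample text are assumptions.

# Does the installed package's changelog record the fix?  Backporting
# distributions (CentOS/RHEL keep "1.0.1e") make `openssl version` useless.
# Reads changelog text on stdin so it can be checked offline; live use:
#   rpm -q --changelog openssl | changelog_fixes_heartbleed && echo patched
changelog_fixes_heartbleed() {
    grep -qiE 'CVE-2014-0160|heartbleed'
}

# From the network side: does the server still advertise the heartbeat
# extension?  Feed it the output of
#   openssl s_client -connect host:443 -tlsextdebug </dev/null 2>&1
# A build compiled with -DOPENSSL_NO_HEARTBEATS prints no such line.  A
# fixed 1.0.1g still advertises heartbeat, so "yes" is not proof of exposure.
server_advertises_heartbeat() {
    grep -q 'TLS server extension "heartbeat"'
}

# SHA-256 over the DER public half of a private key, to prove a key is new.
pubkey_fingerprint() {
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Steps 1-3 for one host: refuses to continue unless the package is fixed,
# then issues a new key and CSR.  Arguments: hostname, path to the old key.
rotate_host_key() {
    host="$1"        # e.g. www.example.ac.uk (assumed)
    old_key="$2"     # the key that must be treated as compromised

    # Step 1: verify the patch is in place (RPM systems only; adapt for apt).
    if command -v rpm >/dev/null 2>&1; then
        rpm -q --changelog openssl | changelog_fixes_heartbleed || {
            echo "openssl changelog shows no CVE-2014-0160 fix; patch first" >&2
            return 1
        }
    fi
    echo "reminder: restart every service linking libssl (httpd, postfix, dovecot, radiusd ...)"

    # Step 2: fresh 2048-bit RSA key, never reusing the old one.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$host.new.key" 2>/dev/null || return 1
    chmod 600 "$host.new.key"
    if [ "$(pubkey_fingerprint "$host.new.key")" = "$(pubkey_fingerprint "$old_key")" ]; then
        echo "new key matches the old key; refusing to reuse it" >&2
        return 1
    fi

    # Step 3: CSR for the replacement certificate.  Submit it to the CA,
    # install the new certificate, then revoke the old one.
    openssl req -new -key "$host.new.key" -subj "/CN=$host" \
        -out "$host.new.csr" 2>/dev/null || return 1
    echo "CSR written to $host.new.csr; revoke the old certificate once the new one is installed"
}

# Usage: sh rotate.sh www.example.ac.uk /etc/pki/tls/private/old.key
if [ "$#" -eq 2 ]; then
    rotate_host_key "$1" "$2"
fi
```

On Debian and Ubuntu the equivalent of the changelog check is `apt-get changelog openssl` or `dpkg -s openssl` against the security advisory's package version; the rest of the script is distribution-independent.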

For any queries, please contact us at irt@csirt.ja.net

Comments

We have had a discussion about the versioning within CentOS.

After looking at the update they have done, they have recompiled the existing package with the -DOPENSSL_NO_HEARTBEATS flag and as such they have not used a new version of OpenSSL, and so the latest version of OpenSSL 1.0.1e-fips in CentOS is safe to use.

Quick clarification:

Both the vulnerable and patched OpenSSL versions are 1.0.1e-fips.

The vulnerable OpenSSL RPM package is openssl-1.0.1e-16.el6_5.4.x86_64 (for 64-bit systems).

Patched: openssl.x86_64 0:1.0.1e-16.el6_5.7