Topic: OpenSSL vulnerability [SME 8.x not affected, SME 9 Beta had update available]

[Anders]

Just a little information about the OpenSSL security problems if anyone is interested.

Source: https://www.us-cert.gov/ncas/alerts/TA14-098A


//

[craig]

Hi,

Thanks for that Anders, I have been looking about for information.

Just to confirm, this only affects version 1.0.1 to 1.0.1f? As we are on 0.9.8e (under SME 8.1), then we are OK on this?

Craig.

[marsa_matruh]

[root@... ~]# rpm -qa|grep openssl
openssl-0.9.8e-27.1.el5.sme

SME Server release 8.1

You're right Graig

[craig]

Thanks, I did check on the command line, but thought it prudent to double check with it being such a significant security issue.

Craig.

[CharlieBrady]

Thanks, I did check on the command line, but thought it prudent to double check with it being such a significant security issue.

Please communicate all security concerns via email to security at contribs.org. Publicising security vulnerabilities before they have been patched is irresponsible.

[Xavier.A]

@CharlieBrady
do not publish this kind of information is not a good security practice.... the good method is to publish and to inform customer for this security risk
for example, this is the good practice :

Dear ...,

there are news [1] about a bug in OpenSSL that may allow an attacker to
leak arbitrary information from any process using OpenSSL. [2]

We contacted you, because you have subscribed to get general announcements,
or you have had a server certificate since the bug was introduced into the
OpenSSL releases and are especially likely to be affected by it.

CAcert is not responsible for this issue. But we want to inform members
about it, who are especially likely to be vulnerable or otherwise affected.


Good news:
==========
Certificates issued by CAcert are not broken and our central systems did
not leak your keys.


Bad news:
=========
Even then you may be affected.

Although your keys were not leaked by CAcert your keys on your own systems
might have been compromised if you were or are running a vulnerable version
of OpenSSL.


To elaborate on this:
=====================
The central systems of CAcert and our root certificates are not affected by
this issue. Regrettably some of our infrastructure systems were affected by
the bug. We are working to fix them and already completed work for the most
critical ones. If you logged into those systems, within the last two years,
(see list in the blog post) you might be affected!

But unfortunately given the nature of this bug we have to assume that the
certificates of our members may be affected, if they were used in an
environment with a publicly accessible OpenSSL connection (e.g. Apache web
server, mail server, Jabber server, ...). The bug has been open in OpenSSL
for two years - from December 2011 and was introduced in stable releases
starting with OpenSSL 1.0.1.

When an attacker can reach a vulnerable service he can abuse the TLS
heartbeat extension to retrieve arbitrary chunks of memory by exploiting a
missing bounds check. This can lead to disclosure of your private keys,
resident session keys and other key material as well as  all volatile
memory contents of the server process like passwords, transmitted user data
(e.g. web content) as well as other potentially confidential information.

Exploiting this bug does not leave any noticeable traces, thus for any
system which is (or has been) running a vulnerable version of OpenSSL you
must assume  that at least your used server keys are compromised and
therefore must be replaced by newly generated ones. Simply renewing
existing certificates is not sufficient! - Please generate NEW keys with at
least 2048 bit RSA or stronger!

As mentioned above this bug can be used to leak passwords and thus you
should consider changing your login credentials to potentially compromised
systems as well as any other system where those credentials might have been
used as soon as possible.

An (incomplete) list of commonly used software which include or link to
OpenSSL can be found at [5].


What to do?
===========
- Ensure that you upgrade your system to a fixed OpenSSL version (1.0.1g or
above).
- Only then create new keys for your certificates.
- Revoke all certificates, which may be affected.
- Check what services you have used that may have been affected within the
last two years.
- Wait until you think that those environments got fixed.
- Then (and only then) change your credentials for those services. If you
do it too early, i.e. before the sites got fixed, your data may be leaked,
again. So be careful when you do this.


CAcert's response to the bug:
=============================
- We updated most of the affected infrastructure systems and created new
certificates for them. The remaining will follow, soon.
- We used this opportunity to upgrade to 4096 bit RSA keys signed with
SHA-512. The new fingerprints can be found in the list in the blog post.

- With this email we contact all members, who had active server
certificates within the last two years.
- We will keep you updated, in the blog.

A list of affected and fixed infrastructure systems and new information can
be found at:

https://blog.cacert.org/2014/04/openssl-heartbleed-bug/


Links:
[1] http://heartbleed.com/
[2] https://www.openssl.org/news/secadv_20140407.txt
[3] https://security-tracker.debian.org/tracker/CVE-2014-0160
[4]
http://www.golem.de/news/sicherheitsluecke-keys-auslesen-mit-openssl-1404-105685.html
[5] https://www.openssl.org/related/apps.html

Users of SME Server (newbie or not) are your customers so you have to inform them even if you are just a developper and not a IT security ingeneer. How many SME Server users (customers) are subscriber to newsletters of contribs.org ?

It would be a good practice to publish an announcement on this forum to re-insure that the openssl version is not affected by this risk

Regards

[wellsi]

@CharlieBrady
do not publish this kind of information is not a good security practice.... the good method is to publish and to inform customer for this security risk
for example, this is the good practice :
Users of SME Server (newbie or not) are your customers so you have to inform them even if you are just a developper and not a IT security ingeneer. How many SME Server users (customers) are subscriber to newsletters of contribs.org ?

It would be a good practice to publish an announcement on this forum to re-insure that the openssl version is not affected by this risk

Regards

When the openssl issue became known the security team looked at it and realised two things:

1) SME Server 8.1 was not affected

2) SME Server 9.0 Beta 3 was affected and the updated openssl package was available from upstream. Beta 4 was rebuilt to include the latest openssl.

So far SME Server has not announced upstream security issues. We can consider this policy again. The security announcements from RedHat were public.

[Xavier.A]

So far SME Server has not announced upstream security issues. We can consider this policy again.

You talked about it at http://bugs.contribs.org/show_bug.cgi?id=8318

But nothing will be done about communication for your SME Server users, as usual
 
May be the Clear Foundation did it for their users/customers? : http://www.clearfoundation.com/ClearFoundation-Blog/481-openssl-heartbeat-fix-available.htm

Some of you should make a choice : to be SME or to be ClearOS but not both !

• - http://www.clearfoundation.com/Foundation/core-team-honor-roll.html
  

For this kind of problem, your users need a real security communication team, no? The developpers should really work for SME and not for the ClearOS interest.

It's just my opinion

[janet]

kid_of_leognan

You comments seem inappropriate to me.

This issue was handled adequately & in a timely fashion by the security team.
No fix was required for sme 8, & as sme9 is in beta, a fix was provided in the latest sme9beta4 released today.
Information about Heartbleed & OpenSSL has been discussed in mailing lists, forums & bugzilla, so your claims of "No information given to users" is incorrect.

The security policy of contribs.org/smeserver/koozali is a long standing one, where security issues are not publicly promoted until after the matter has been assessed & necessary releases fixed.
The point of view taken, is that there is no point publicising a hole in the wall before anyone can fix it, as that only invites burglars in.

Community members are free to be active in whatever number of online communities they choose, without needing you to say otherwise.
I see certain peoples involvement in ClearOS as supportive of their contribution to sme server, so that's a good thing in my point of view.

You are free to have an opinion, but please be careful about the accuracy or inaccuracy of what you say & claim.

PS I thought I read elsewhere in these forums that you wanted out of this community & did not wish to contribute further, & even wanted all your posts & username deleted, so why are you still here making inappropriate comments ?