This week a serious vulnerability in the OpenSSL library was announced. As OpenSSL provides the SSL/TLS encryption for servers such as Apache, any website with a secure (HTTPS) version may potentially be affected. Nicknamed "Heartbleed", this bug lets an attacker read up to 64 KB of the server's memory per request, without logging in and without leaving any trace in normal server logs. That memory can contain information which should never be exposed, such as the username and password you enter into a secure login form, and the session cookies which keep you logged in.
What has Conetix done?
We invest considerable time and effort in maintaining our infrastructure: we constantly monitor a number of security mailing lists and receive notifications from all of the vendors who supply our software and hardware. We take security very seriously, especially when it comes to protecting customer information.
Upon notification of the OpenSSL vulnerability (on the 8th of April 2014) we began a threat assessment of the issue. As both the likelihood and the consequence were rated high, we immediately began a rollout plan to assess the vulnerability across our systems, together with an unscheduled maintenance plan to correct it.
The good news is that most of our core systems (such as our billing and control system) weren't vulnerable. The remaining systems which could potentially have been exploited were placed into the maintenance plan and patched within a few hours of the original notification.
Do I need to do anything?
If you're a shared hosting or managed hosting customer of Conetix, there's nothing you need to do. We have already patched these systems to ensure the vulnerability has been fixed. Further to this, any client who uses the CloudFlare system was automatically protected.
We do however suggest you exercise caution when entering your username and password into sites not managed by Conetix. With an estimated one third of all secure sites potentially vulnerable, the details you enter into someone else's website could be compromised. Check whether that company has made a statement about patching their systems, and change your password there only after they have patched; changing it on a still-vulnerable site just exposes the new password as well.
As of the 8th of April 2014, the only remaining vulnerable systems within Conetix are customer VPSs. We have been working with customers to help correct this issue and running the updates on their behalf where possible. If you have a server with Conetix running CentOS 6.5, you can run the following as root:
yum clean all
yum update openssl
service httpd restart
This installs the patched OpenSSL packages and then restarts Apache (the web server) so that the new libraries are loaded. Note that on CentOS 6.5 the fixed build is openssl-1.0.1e-16.el6_5.7 or later; the version reported by "openssl version" stays 1.0.1e because Red Hat backports the fix, so the package release, not the version string, is what tells you the fix is in. Any other service that links against OpenSSL (for example Postfix, Dovecot, nginx or OpenVPN) keeps the old, vulnerable copy of the library in memory until it is restarted too; if in doubt, a reboot is the simplest way to be sure nothing is still running against the old code.
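To confirm that a VPS is actually patched, and to find the services that still need a restart, here is an added example script (written for this page, not Conetix's own tooling) that performs the three checks a practitioner would want on CentOS 6: whether "openssl version" reports an affected upstream version, whether the installed RPM's changelog carries the backported CVE-2014-0160 fix (the version string alone is misleading on CentOS, since it stays 1.0.1e after patching), and which running processes still map the old, now deleted, libssl or libcrypto according to /proc. The functions take their input as arguments or on stdin so they can be exercised on constructed data; the --check mode runs them against the live host and assumes rpm, openssl and ps are on the path. The sample changelog and maps lines used to exercise it are constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example, not a Conetix script. Post-patch checks for Heartbleed
# (CVE-2014-0160) on a CentOS/RHEL 6 VPS. Assumes a standard /proc, rpm and
# procps (ps); everything else is plain POSIX sh.

# Is an `openssl version` line inside the affected upstream range?
# Affected: 1.0.1 through 1.0.1f, plus 1.0.2-beta1. 1.0.1g is the fix;
# 1.0.0 and 0.9.8 never had the heartbeat extension at all.
# Returns 0 (true) if affected, 1 otherwise.
version_is_affected() {
    ver=$(printf '%s\n' "$1" | awk '{print $2}' | sed 's/-fips$//')
    case "$ver" in
        1.0.1|1.0.1[a-f]|1.0.2-beta1) return 0 ;;
        *) return 1 ;;
    esac
}

# Red Hat backports fixes without bumping the version, so a patched CentOS 6
# box still reports 1.0.1e. The package changelog (rpm -q --changelog openssl)
# is what says whether the fix is in. Reads the changelog text on stdin.
changelog_has_fix() {
    grep -q 'CVE-2014-0160'
}

# After the upgrade, a process started before it still has the old library
# mapped; the kernel marks such mappings "(deleted)" in /proc/PID/maps.
# Prints the PIDs that still map a deleted libssl or libcrypto and therefore
# need a restart. Takes the proc root as an argument so it can be run on a
# constructed test tree instead of the real /proc.
stale_libssl_pids() {
    root=${1:-/proc}
    for maps in "$root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        if grep -Eq '/lib(ssl|crypto)\.so[^ ]* \(deleted\)$' "$maps"; then
            pid=${maps%/maps}
            printf '%s\n' "${pid##*/}"
        fi
    done
}

# Run on the VPS itself as root:  sh heartbleed-check.sh --check
if [ "${1:-}" = "--check" ]; then
    if version_is_affected "$(openssl version)"; then
        if rpm -q --changelog openssl | changelog_has_fix; then
            echo "openssl package carries the CVE-2014-0160 fix"
        else
            echo "NOT PATCHED: run 'yum update openssl'"
        fi
    else
        echo "openssl version is outside the affected range"
    fi
    stale=$(stale_libssl_pids /proc)
    if [ -n "$stale" ]; then
        echo "still running against the old library, restart these:"
        for pid in $stale; do
            printf '  %s %s\n' "$pid" "$(ps -o comm= -p "$pid")"
        done
    fi
fi
```

The stale-mapping check is the one people forget: "yum update openssl" replaces the files on disk, but httpd, postfix, dovecot and anything else already running keep the old copy until restarted, and /proc is the only place that shows this reliably. Running the script as root matters, since /proc/PID/maps of other users' processes is not readable otherwise.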
Update: All customer VPSs have been successfully patched.
Update 2: Since it has been confirmed that a server's SSL private key can be extracted through Heartbleed, we are offering free SSL certificate replacements, including installation, for all affected customers; the old certificate should be revoked once the new one is in place. We want to ensure our customers are fully protected, so please just contact our support team to organise this.
Update 3: The Conetix core firewall now automatically blocks Heartbleed exploitation attempts (malformed TLS heartbeat requests) before they reach a server. This feature was enabled just days after the public disclosure of the bug and is a second layer of defence on top of the patching described above, not a replacement for it.
Want to know more?
There's a lot of information appearing across various sites on the Internet. Here are some of the best sources for more detail:
The Heartbleed Bug
This is the original disclosure site, with a thorough overview of the problem as well as how to identify and correct it.
Heartbleed Test Website
This site tests a given hostname and reports whether it is vulnerable or not.
Diagnosis of the OpenSSL Heartbleed Bug
This explains, down to the source-code level, how the bug occurred and why. A very informative read for those who can follow C code.
If you are in any doubt or need to confirm your system has been updated, please don’t hesitate to contact the Conetix support team.