
CVE-2014-0160 (Heartbleed) Patched on Nexcess Systems

April 8, 2014

As of 1:45AM EDT on April 8, 2014, all Nexcess managed systems vulnerable to CVE-2014-0160 (Heartbleed) were patched. This security vulnerability is widespread with multiple operating systems globally and not a Nexcess-specific issue.

CentOS released an official OpenSSL patch removing the recently discovered vulnerability. OpenSSL was upgraded seamlessly. However, every service linked against the older, vulnerable version of OpenSSL had to be restarted before it would load the newly patched library. These services include Apache, PHP-FPM, InterWorx and the mail services (imap4-ssl, pop3-ssl, smtp, smtp2), and there was a very brief service interruption as they were restarted.

Online Heartbleed testers such as http://possible.lv/tools/hb/ simply connect to the server and check whether the TLS heartbeat feature is enabled. The CentOS patch installed on our systems (https://bugzilla.redhat.com/attachment.cgi?id=883475) fixes the bug itself rather than disabling the heartbeat feature altogether. This means that, while the system is indeed patched, the online checkers will still report it as vulnerable: since there is no known PoC to test against, they cannot tell whether or not the patched version is running.
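A practical follow-up to the two points above (services must be restarted to drop the old library, and a remote heartbeat probe cannot tell a patched host from an unpatched one) is to check locally. The script below is an added example, not part of the Nexcess post: it lists processes whose memory maps still reference a replaced libssl/libcrypto, which on Linux show up in /proc/<pid>/maps with a "(deleted)" suffix. The fixture directory and process names are constructed for a self-contained run.

```shell
#!/bin/sh
# Added example (not from the Nexcess post). After the OpenSSL package upgrade,
# find processes still mapping the OLD libssl/libcrypto; those need a restart.
# Reading other users' maps requires root. On CentOS you can also confirm the
# package itself carries the fix:  rpm -q --changelog openssl | grep CVE-2014-0160

# stale_ssl_pids PROCDIR
#   Prints "pid name" for each process under PROCDIR whose maps file references
#   a deleted libssl or libcrypto. PROCDIR is normally /proc.
stale_ssl_pids() {
    procdir="$1"
    for maps in "$procdir"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        if grep -Eq 'lib(ssl|crypto)[^ ]*\.so[^ ]* \(deleted\)$' "$maps" 2>/dev/null; then
            pid=$(basename "$(dirname "$maps")")
            name=$(cat "$procdir/$pid/comm" 2>/dev/null || echo '?')
            echo "$pid $name"
        fi
    done
}

# make_fixture: constructed /proc look-alike (not real system data) with two
# fake processes: 101 still maps the replaced library, 202 maps the current one.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/101" "$dir/202"
    printf 'httpd\n' > "$dir/101/comm"
    printf 'sshd\n'  > "$dir/202/comm"
    printf '%s\n' \
      '7f00-7f01 r-xp 00000000 fd:01 100 /usr/lib64/libssl.so.1.0.1e (deleted)' \
      '7f02-7f03 r-xp 00000000 fd:01 101 /usr/lib64/libcrypto.so.1.0.1e (deleted)' \
      > "$dir/101/maps"
    printf '%s\n' \
      '7f10-7f11 r-xp 00000000 fd:01 200 /usr/lib64/libssl.so.1.0.1e' \
      > "$dir/202/maps"
    echo "$dir"
}

# Usage: ./stale_ssl_pids.sh [/proc]   (defaults to the live /proc)
stale_ssl_pids "${1:-/proc}"
```

An empty result after the upgrade means no running process still holds the old library; any line printed names a service that has not yet been restarted.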

Posted in: Linux, Nexcess, Security
  • track23

    Thanks for the update.

  • Security concerns regarding SSL certs do still exist, as the exploit was around for several years, making it unclear how many people had actually known about it. Since there is no way to detect whether a site had any data exploited due to this recent OpenSSL vulnerability, the possibility does exist for privileged data to be leaked, including SSL private keys and passwords. This privileged data cannot simply be easily captured; it would require a targeted attack against your site to actually obtain any useful data. While an attack would be difficult and unlikely, we cannot guarantee that any SSL certificate has not been compromised, especially since many PoCs have been released since the original post was made. This also holds true for any user account passwords used over SSL, as passwords have the possibility to show up in data returned via this exploit.

    Due to these concerns, we recommend that you generate new SSL certificates for sites affected by the OpenSSL exploit. Once the new SSL certificate is installed, we then recommend changing passwords for any accounts used over SSL on that server. We have already been contacting all of our clients letting them know that we are generating new SSL certs if the cert was purchased through us. If you did not purchase the SSL through Nexcess, you will need to contact your SSL vendor and ask them to re-key the certificate for you. We can then assist in installing the re-keyed certificate if needed.