OpenSSL Heartbleed Bug Status

Introduction

Network security is important to INFINETIX.  The OpenSSL Heartbleed bug (CVE-2014-0160) is being actively exploited and is getting significant press.  INFINETIX uses SSH as the primary path from the outside world to our customers' services and intellectual property (e.g. Subversion code repositories, Bugzilla and other internal web services).  OpenSSH links against the OpenSSL library for its cryptographic primitives and key generation, but it does not speak TLS, and Heartbleed is a bug in OpenSSL's TLS heartbeat extension, so SSH itself is not exploitable through it.  The OpenSSL version on the INFINETIX primary SSH server was also not one of the affected releases.

Please note that, as an INFINETIX customer, you will have to take steps to replace your SSH key pair.  To learn what to do and why, read the section below titled INFINETIX SSH/SVN/Bugzilla Users: Action Required!

For a good discussion of what a website operator should do about Heartbleed, see:

http://security.stackexchange.com/questions/55076/what-should-a-website-operator-do-about-the-heartbleed-openssl-exploit

All internal servers at INFINETIX have now been updated to ensure they incorporate the fix for the Heartbleed bug.

Customer Product Vulnerability:

Any Linux- or Android-based web server or mail server product that accepts TLS/SSL connections is potentially vulnerable to this issue.  Since INFINETIX has developed products with TLS/SSL services, we are examining those systems for vulnerabilities now.  Some systems may ship a vulnerable version of the OpenSSL library yet not be exploitable, because no service that speaks TLS (such as the web interface) is enabled: the library only becomes a remote exposure when a running process uses it to terminate TLS connections.  If you have concerns about your particular product, please contact us at 509-922-5629, or email your normal primary contact.
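The distinction drawn above, between a host that merely has an affected libssl installed and one that is actually serving TLS with it, as an added example in Python 3 (this is not INFINETIX's code or tooling).  The version ranges come from the OpenSSL security advisory for CVE-2014-0160; the `ss -ltn` sample and the list of "TLS ports" are constructed for the example and are only a first-cut heuristic: a STARTTLS service on 25/587/143, or an outbound TLS client (curl, a mail fetcher) built against the same library, would not show up in a port list but is equally affected.

```python
"""Heartbleed exposure triage for one host (added example, not from the INFINETIX page).

Classifies an OpenSSL version string against the range the OpenSSL advisory for
CVE-2014-0160 lists as affected, then checks whether any listening service is
actually terminating TLS with that library.

Affected: OpenSSL 1.0.1 through 1.0.1f, and 1.0.2-beta1.
Fixed:    1.0.1g and 1.0.2-beta2 onwards.
Not affected: 0.9.8 and 1.0.0 (the heartbeat code was only added in 1.0.1).
"""
import re

# Upstream version, optional release letter, optional "-betaN", and an optional
# distro package revision ("-2+deb7u5", "-4ubuntu5.12") recognised by its first digit.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-(beta\d+))?(?:-(\d))?")

# Ports where a listener is, by convention, terminating TLS.  sshd's port 22 is
# deliberately absent: OpenSSH links libcrypto but never speaks the TLS heartbeat.
# Constructed heuristic; STARTTLS ports (25, 587, 143) are not in this set.
COMMON_TLS_PORTS = {443, 465, 636, 853, 993, 995, 8443}


def heartbleed_status(version_text):
    """Classify a version string from `openssl version` or a package manager.

    Returns 'vulnerable', 'fixed', 'not-affected', 'check-distro-advisory' or 'unknown'.
    Caveat: `openssl version` on Debian, Ubuntu or RHEL keeps showing the upstream
    release (e.g. 1.0.1e) even after the distro backported the fix, so for a distro
    build pass the *package* version (e.g. "1.0.1e-2+deb7u5") and compare it against
    the fixed version named in that distro's advisory.
    """
    m = VERSION_RE.search(version_text)
    if not m:
        return "unknown"
    major, minor, patch, letter, beta, pkg_rev = m.groups()
    release = (int(major), int(minor), int(patch))
    if pkg_rev is not None:
        return "check-distro-advisory"
    if release < (1, 0, 1):
        return "not-affected"
    if release == (1, 0, 1):
        return "vulnerable" if letter in ("", "a", "b", "c", "d", "e", "f") else "fixed"
    if release == (1, 0, 2) and beta == "beta1":
        return "vulnerable"
    return "fixed"  # 1.0.2-beta2 and everything later shipped after the fix


def listening_ports(ss_output):
    """Extract local TCP ports from `ss -ltn` or `netstat -ltn` style output."""
    ports = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("LISTEN", "tcp", "tcp6"):
            continue  # header line or unrelated text
        port = fields[3].rsplit(":", 1)[-1]  # "0.0.0.0:443", "[::]:993", "*:22"
        if port.isdigit():
            ports.add(int(port))
    return ports


def assess_host(version_text, ss_output):
    """A vulnerable libssl is a remote exposure only when some process serves TLS with it."""
    status = heartbleed_status(version_text)
    tls_ports = sorted(listening_ports(ss_output) & COMMON_TLS_PORTS)
    if status == "vulnerable" and tls_ports:
        verdict = "exposed"
    elif status == "vulnerable":
        verdict = "vulnerable-library-no-tls-listener"
    else:
        verdict = status
    return {"openssl": status, "tls_ports": tls_ports, "verdict": verdict}


# Constructed sample `ss -ltn` output: sshd, a loopback-only MTA and an HTTPS server.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      100    127.0.0.1:25        0.0.0.0:*
LISTEN 0      128    [::]:443            [::]:*
"""

if __name__ == "__main__":
    for v in ("OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.1g 7 Apr 2014", "1.0.1e-2+deb7u5"):
        print(v, "->", assess_host(v, SAMPLE_SS_OUTPUT))
```

Run it on a real host with `assess_host(subprocess.check_output(["openssl", "version"], text=True), subprocess.check_output(["ss", "-ltn"], text=True))`; a result of `vulnerable-library-no-tls-listener` still means the library must be updated, it just is not reachable over the network until a TLS service is switched on.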

INFINETIX Website Vulnerability:

Our website http://www.infinetix.com is hosted by an outside service.  No customer information is stored there.

HTTPS is enabled by default on that server, but we currently use it only for the login to our internal blog postings.  The OpenSSL version on that host is not one of the releases affected by Heartbleed.

Other Website Vulnerability:

OpenSSL is widely used by many services and companies.  It is therefore recommended that you change your passwords on all services you use, but only once each service has patched OpenSSL (and, ideally, replaced its TLS certificate): a password changed on a server that is still vulnerable can simply be captured again.

CNET has a good article tracking the status of many popular websites: whether they were vulnerable, and whether a fix is in place:

http://www.cnet.com/how-to/which-sites-have-patched-the-heartbleed-bug/

Digitaltrends.com has another good article, which also lets you test particular websites for the Heartbleed bug:

http://www.digitaltrends.com/computing/check-favorite-websites-vulnerable-heartbleed-bug/#!DwzYl

INFINETIX SSH/SVN/Bugzilla Users: Action Required!

As stated in the introduction, the SSH service on our servers was not directly exploitable by this OpenSSL bug.  However, private keys on individual customer systems may have been exposed through vulnerable systems outside of our control.  We will therefore be revoking all existing public keys on April 19, and will require new 2048-bit SSH-2 RSA keys from then on.

If you currently have access to one of the INFINETIX hosted services, please generate a new key pair using the instructions in the "Accessing INFINETIX Repositories" document and send us your new public key as instructed (the .pub file only; the private key never leaves your machine).
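Generating a key that meets the requirement above, and auditing an authorized_keys file for entries that do not, as an added example in bash using OpenSSH's ssh-keygen.  This is not the procedure from the "Accessing INFINETIX Repositories" document, and the RSA-only, 2048-bit-minimum rule it enforces is the policy stated on this page rather than a general recommendation; the file paths, the comment string and the `SSH_KEY_PASSPHRASE` variable are placeholders chosen for the example.

```bash
#!/usr/bin/env bash
# Added example (not from the INFINETIX page or its repository-access document).
# Generates a 2048-bit SSH-2 RSA key pair and audits an authorized_keys file
# against the page's policy: RSA, at least 2048 bits. Needs OpenSSH's ssh-keygen.
set -eu

# Generate a fresh RSA-2048 key pair at path $1 with comment $2.  The passphrase
# is taken from $SSH_KEY_PASSPHRASE (placeholder name); leaving it empty is only
# acceptable for demos.  The subshell keeps the restrictive umask from leaking out.
gen_rsa2048_key() {
  ( umask 077 && ssh-keygen -q -t rsa -b 2048 -N "${SSH_KEY_PASSPHRASE:-}" -C "${2:-}" -f "$1" )
}

# Print "<bits> <type>" for a public key file or a single authorized_keys entry.
# `ssh-keygen -l` prints e.g. "2048 SHA256:... comment (RSA)"; the type is the last field.
key_bits_type() {
  ssh-keygen -l -f "$1" 2>/dev/null | awk '{ t = $NF; gsub(/[()]/, "", t); print $1, t }'
}

# Succeed (exit 0) only if the key in file $1 is RSA with at least 2048 bits.
meets_policy() {
  set -- $(key_bits_type "$1")   # after this, $1 = bits and $2 = type
  [ "${2:-}" = "RSA" ] && [ "${1:-0}" -ge 2048 ]
}

# Audit authorized_keys file $1: print "KEEP <fingerprint>" or "REVOKE <fingerprint>"
# for each entry, and write only the entries that pass the policy to file $2.
audit_authorized_keys() {
  local in="$1" out="$2" tmp line fp
  tmp="$(mktemp)"
  : > "$out"
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac   # skip blank lines and comments
    printf '%s\n' "$line" > "$tmp"
    fp="$(ssh-keygen -l -f "$tmp" 2>/dev/null | awk '{ print $2 }')"
    if meets_policy "$tmp"; then
      printf '%s\n' "$line" >> "$out"
      printf 'KEEP   %s\n' "$fp"
    else
      printf 'REVOKE %s\n' "$fp"   # unparseable entries land here too
    fi
  done < "$in"
  rm -f "$tmp"
}
```

Typical use on the client side is `gen_rsa2048_key ~/.ssh/id_rsa_infinetix "you@example.com"` followed by sending only `~/.ssh/id_rsa_infinetix.pub`; on the server side `audit_authorized_keys ~svn/.ssh/authorized_keys /tmp/authorized_keys.new` lists what would be revoked, and the new file replaces the old one only after checking the report.  Nothing here touches a key's passphrase or the private half of any key.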

 
