On April 7, 2014 a vulnerability (CVE-2014-0160, also known as “Heartbleed”) was disclosed that could allow attackers to read sensitive information from a server’s memory, such as secret keys and passwords. Given the severity of this problem, Linode has taken the necessary steps to keep our customers and their information safe from potential attacks.
Am I Vulnerable?
Since Heartbleed has been in the wild for over a year, servers could have been compromised for some time. This vulnerability exposes a system to attackers who may extract information without leaving a trace of malicious activity.
A tool has been published that allows administrators to test whether their system is vulnerable. If your site has an SSL certificate, go to the Heartbleed test page, enter your website URL, and run the vulnerability test. The source of this tool can be found on GitHub. Please note that a passing result only shows that the endpoint you tested is not vulnerable; it does not mean your system isn’t vulnerable in another way. Software that was compiled against the old library will need to be recompiled.
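Installing the fixed package is only part of the work described above: a process that loaded the old libssl or libcrypto before the upgrade keeps the vulnerable code in memory until it is restarted, and a remote test of one endpoint will not reveal that. The script below is an added example (not Linode’s code) that finds such processes on a Linux host by looking for OpenSSL libraries that the kernel marks “(deleted)” in /proc/<pid>/maps; the sample maps text is constructed for illustration.

```python
import os
import re
# Replacing libssl/libcrypto on disk does not evict the old copy from processes
# that already loaded it; Linux flags such mappings "(deleted)" in /proc/<pid>/maps.
OPENSSL_LIBS = re.compile(r"/lib(ssl|crypto)\.so[.\d]*")
DELETED = " (deleted)"

def stale_openssl_mappings(maps_text):
    """Return OpenSSL library paths in one /proc/<pid>/maps text whose
    on-disk file was replaced since the process started."""
    stale = set()
    for line in maps_text.splitlines():
        # columns: address perms offset dev inode pathname [(deleted)]
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue
        path = fields[5]
        if path.endswith(DELETED) and OPENSSL_LIBS.search(path):
            stale.add(path[: -len(DELETED)])
    return sorted(stale)

def processes_needing_restart(proc_root="/proc"):
    """Scan every readable /proc/<pid>/maps; return {pid: [stale OpenSSL libs]}."""
    result = {}
    try:
        pids = [p for p in os.listdir(proc_root) if p.isdigit()]
    except OSError:  # no procfs here (e.g. not Linux)
        return result
    for pid in pids:
        try:
            with open(os.path.join(proc_root, pid, "maps")) as fh:
                stale = stale_openssl_mappings(fh.read())
        except OSError:  # process exited, or maps unreadable without root
            continue
        if stale:
            result[int(pid)] = stale
    return result

# Constructed sample: a worker process still holding the pre-upgrade libraries.
SAMPLE_MAPS = """\
7f2a1c000000-7f2a1c1f0000 r-xp 00000000 08:01 131091 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
7f2a1c400000-7f2a1c460000 r-xp 00000000 08:01 131094 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f2a1c800000-7f2a1c9a0000 r-xp 00000000 08:01 140210 /lib/x86_64-linux-gnu/libc-2.13.so
7f2a1cc00000-7f2a1cc05000 r-xp 00000000 08:01 150021 /tmp/old-cache.db (deleted)
"""
if __name__ == "__main__":
    print("sample:", stale_openssl_mappings(SAMPLE_MAPS))
    for pid, libs in processes_needing_restart().items():
        print(pid, "still maps", ", ".join(libs))
```

Run it as root after the package update; every process it lists needs a restart, and statically linked binaries (which map no libssl at all) still need the recompile the post describes.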
Is Linode Vulnerable?
As soon as this vulnerability was disclosed, our security team completed upgrades on all our infrastructure to patch the bug. Due to the nature of the issue, we’re in the process of completing a full audit of our systems and regenerating affected certificates.
Protecting Your System
We’re encouraging all Linode customers to run software updates and recompile software compiled against vulnerable libraries. At this time, all of our package mirrors have been updated with packages that contain fixes for this issue. If you’d like to know more about patching your system and reissuing SSL certificates, please view our guide in the Linode Library.
On the VMs, I assume that it is “impossible” for a vulnerable tenant to affect his/her neighbor who is patched.
The question is _WAS_ linode infra vulnerable? Is there the chance that passwords have been stolen?
If you were using an older version of openssl (CentOS 5 or even CentOS 6.4 or older) then you were never vulnerable.
What linode servers were vulnerable, and over what time period?
Seems that all of your packages have not been updated, just specific packages for specific releases. If you’re not running one of those specific releases, you either have to upgrade your entire distribution or keep running vulnerable software.
@camper67 That is correct. In fact, this vulnerability cannot even leak data from other processes on the same machine.
Stephen, of course it was. Most of the internet was/is. It was introduced about 2 years ago, so potentially for that duration of time.
Theoretically, for most of the internet, including Linode, it is possible some sensitive information was leaked; however, since the exploit/PoC was only released yesterday (and immediately patched), I think the chance of that is very small.
Can I assume we’ll see an update when the new certificates are deployed and the audit is complete? There’s no point changing passwords until then.
Everything is good. You can check the site referenced in the blog post against the Linode URLs and we pass:
I don’t think you’ve answered J Irving’s question. Tests like filippo.io/Heartbleed can tell us whether a vulnerable OpenSSL implementation is present at the time of the test.
However, according to my understanding, the test can’t tell us whether the private key and certificate being used were issued *after* all services were updated to a non-vulnerable version.
For that, we need an explicit statement from Linode.
Anyone that continues to use the same passwords after this terrible event, which took years for the hosting community to find out about, is not thinking straight. If you have ever entered your credit card into an OpenSSL-encrypted gateway or typed in anything on what you felt was historically safe, you were wrong.
Change your passwords ASAP
Matthew: The private key and certificate being used were created after all services were updated to non-vulnerable versions, and the old certificates have been revoked.