On April 7, 2014, a vulnerability (CVE-2014-0160, also known as "Heartbleed") was disclosed that could allow attackers to read sensitive information out of a server's memory, such as secret keys and passwords. Given the severity of this issue, Linode has taken the necessary steps to keep our customers and their information safe from possible attacks.
Am I vulnerable?
Heartbleed has been in the wild for over two years (the bug shipped with OpenSSL 1.0.1, released in March 2012), so servers could have been compromised for some time. The vulnerability exposes a system to attackers who can extract information without leaving any trace of malicious activity: a malformed heartbeat request is handled inside the TLS library and never reaches the application's logs.
A tool has been published that lets administrators test whether their system is vulnerable. If your site has an SSL certificate, go to the Heartbleed test page (http://filippo.io/Heartbleed/), enter your site's URL and run the vulnerability test. The source for this tool is on GitHub. Note that a passing result does not mean your system is not vulnerable in some other way: the test only talks to the HTTPS endpoint you entered, so other services on the same host that link against OpenSSL (mail, VPN, database or management daemons, and anything listening on a port the tester does not probe) have to be checked and updated separately. Software that was compiled against the old library (for example, statically linked binaries) will have to be recompiled, and services that load the shared library must be restarted before they pick up the fixed copy.
Is Linode vulnerable?
As soon as this vulnerability was disclosed, our security team completed updates across our entire infrastructure to patch the flaw. Given the nature of the problem, we are completing a full audit of our systems and regenerating the affected certificates.
How to protect your system
We encourage all Linode customers to run software updates and to recompile any software built against the vulnerable libraries. At this time, all of our package mirrors have been updated with packages containing fixes for this issue. After the update, restart every service that had loaded the old library (or reboot), since a running process keeps the vulnerable copy mapped in memory until it is restarted. When you reissue an SSL certificate, generate a new private key rather than re-signing the old one, and revoke the old certificate, because the old key is the secret that may have leaked. To learn more about patching your system and reissuing SSL certificates, see our guide in the Linode Library.
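The three checks above (is the installed OpenSSL an affected upstream release, which running processes still map the pre-update library, and was the certificate issued before the host was patched) can be scripted. The following is an added example, not Linode's tooling or the contents of the Linode Library guide. It assumes you have captured the output of `openssl version`, `lsof -n` and `openssl x509 -noout -dates -in cert.pem` on the host; the sample outputs embedded below are constructed for illustration (the PIDs, paths, dates and the `PATCHED_AT` time are made up), and the version check goes beyond the page's single test by classifying the whole affected range, with the caveat that distribution backports do not change the upstream version string.

```python
"""Post-Heartbleed host checks: OpenSSL version, stale library mappings,
certificate age. Added example, not Linode's tooling; the sample outputs
below are constructed, not captured from a real host."""
import re
from datetime import datetime

# Upstream OpenSSL releases that shipped the vulnerable heartbeat handling:
# 1.0.1 through 1.0.1f and 1.0.2-beta1. 1.0.1g fixed it; the 0.9.8 and 1.0.0
# branches never implemented the TLS heartbeat extension.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+))?")


def openssl_version_status(version_output):
    """Classify `openssl version` output by its upstream version number.

    Returns 'vulnerable', 'fixed', 'not_affected' or 'unknown'. Caveat: Debian,
    Ubuntu and Red Hat backport fixes without changing this string, so
    'vulnerable' means 'confirm against the package changelog', not a proven
    hole; 'not_affected' and 'fixed' are reliable.
    """
    m = _VERSION_RE.search(version_output)
    if not m:
        return "unknown"
    release = tuple(int(x) for x in m.group(1, 2, 3))
    letter, beta = m.group(4), m.group(5)
    if release == (1, 0, 1):
        return "vulnerable" if letter < "g" else "fixed"  # 1.0.1 (no letter) .. 1.0.1f
    if release == (1, 0, 2):
        return "vulnerable" if beta == "beta1" else "fixed"
    return "not_affected" if release < (1, 0, 1) else "fixed"


def processes_holding_old_libssl(lsof_output):
    """Return {(command, pid)} for processes still mapping a replaced copy of
    libssl or libcrypto. Upgrading the package swaps the files on disk, but a
    running daemon keeps the old, vulnerable pages mapped until restarted.
    `lsof -n` reports such mappings with FD 'DEL', or with a '(deleted)'
    suffix on the path, depending on the lsof version.
    """
    stale = set()
    for line in lsof_output.splitlines():
        if not re.search(r"lib(ssl|crypto)\.so", line):
            continue
        fields = line.split()
        if len(fields) < 4:
            continue
        if fields[3] == "DEL" or line.rstrip().endswith("(deleted)"):
            stale.add((fields[0], int(fields[1])))
    return stale


_X509_DATE_FMT = "%b %d %H:%M:%S %Y %Z"


def cert_predates_patch(x509_dates_output, patched_at):
    """Parse `openssl x509 -noout -dates` output; True if the certificate was
    issued before the host was patched. Its private key may have been read out
    of memory, so reissue with a NEW key and revoke the old certificate. A
    certificate issued after the patch is only safe if its key was generated
    after the patch as well.
    """
    for line in x509_dates_output.splitlines():
        if line.startswith("notBefore="):
            raw = " ".join(line[len("notBefore="):].split())  # collapse 'Apr  8'
            return datetime.strptime(raw, _X509_DATE_FMT) < patched_at
    raise ValueError("no notBefore= line in x509 output")


# Constructed sample outputs (not from a real host): nginx and postfix still
# hold the pre-update libraries; sshd has already been restarted.
SAMPLE_OPENSSL_VERSION = "OpenSSL 1.0.1e 11 Feb 2013"
SAMPLE_LSOF = """\
COMMAND   PID     USER  FD   TYPE DEVICE SIZE/OFF   NODE NAME
nginx    1234 www-data DEL   REG    8,1           131345 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
nginx    1234 www-data DEL   REG    8,1           131301 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
sshd     2345     root mem   REG    8,1  1930236 131401 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
postfix  3456  postfix mem   REG    8,1   389944 131345 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
"""
SAMPLE_X509_DATES = "notBefore=Jan 15 00:00:00 2014 GMT\nnotAfter=Jan 15 23:59:59 2015 GMT\n"
PATCHED_AT = datetime(2014, 4, 8, 13, 0, 0)  # assumed (UTC) time this host was updated


def run_checks(version_output, lsof_output, x509_dates_output, patched_at):
    """Combine the three checks into one report dict."""
    return {
        "openssl": openssl_version_status(version_output),
        "restart": sorted(processes_holding_old_libssl(lsof_output)),
        "reissue_cert": cert_predates_patch(x509_dates_output, patched_at),
    }


if __name__ == "__main__":
    report = run_checks(SAMPLE_OPENSSL_VERSION, SAMPLE_LSOF, SAMPLE_X509_DATES, PATCHED_AT)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed sample the report says the upstream version is in the affected range (so check the package changelog before trusting it either way), that nginx (PID 1234) and postfix (PID 3456) need a restart, and that the certificate must be reissued with a fresh key. The same structure applies to any TLS-terminating daemon, not only the web server that the online tester probes.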
Comments (10)
On the VMs, I assume that it is “impossible” for a vulnerable tenant to affect his/her neighbor who is patched.
The question is _WAS_ linode infra vulnerable? Is there the chance that passwords have been stolen?
If you were using an older version of openssl (CentOS 5 or even CentOS 6.4 or older) then you were never vulnerable.
What linode servers were vulnerable, and over what time period?
Seems that all of your packages have not been updated, just specific packages for specific releases. If you’re not running one of those specific releases, you either have to upgrade your entire distribution or keep running vulnerable software.
@camper67 That is correct. In fact, this vulnerability cannot even leak data from other processes on the same machine.
Stephen, of course it was. Most of the internet was/is. It was introduced about 2 years ago, so potentially for that duration of time.
Theoretically for most of the internet, including Linode, it is possible some sensitive information was leaked however since the exploit/PoC was only released yesterday (and immediately patched) I think the chance of that is very small.
Hey guys
Can I assume we’ll see an update when the new certificates are deployed and the audit is complete? There’s no point changing passwords until then.
cheers.
J Irving,
Everything is good. You can check the site referenced in the blog post against the Linode URLs and we pass:
http://filippo.io/Heartbleed/#manager.linode.com
http://filippo.io/Heartbleed/#blog.linode.com
http://filippo.io/Heartbleed/#www.linode.com
Ricardo,
I don’t think you’ve answered J Irving’s question. Tests like filippo.io/Heartbleed can tell us whether a vulnerable OpenSSL implementation is present at the time of the test.
However, according to my understanding, the test can’t tell us whether the private key and certificate being used were issued *after* all services were updated to a non-vulnerable version.
For that, we need an explicit statement from Linode.
Cheers,
Matthew
Anyone that continues to use the same passwords after this terrible event, which took years for the hosting community to find out about, is not thinking straight. If you have ever entered your credit card into an OpenSSL-encrypted gateway or typed in anything on what you felt was historically safe, you were wrong.
Change your passwords ASAP
Matthew: The private key and certificate being used were created after all services were updated to non-vulnerable versions, and the old certificates have been revoked.