Information about the OpenSSL Security Vulnerability CVE-2014-0160/Heartbleed

On April 7, 2014, the security flaw CVE-2014-0160 aka Heartbleed in the widespread OpenSSL library was disclosed. We would like to inform all users of KIT's IT infrastructure about possible consequences and courses of action.

Consequences

The vulnerability enables a remote attacker to read sensitive data from affected servers. In particular, this includes access data like passwords, but also the servers' secret keys. The servers' administrators have no way of detecting an attack. Any user of a vulnerable system must therefore consider her password to be compromised.

Thus, we recommend that all users who have accessed a vulnerable system change their passwords immediately. The details given below contain information on which KIT systems are affected. If in doubt, we recommend to err on the safe side and change the password. This can be done via the following URLs:

• employees, guests, and partners: https://intra.kit.edu/de/meine-daten/passwort/Seiten/default.aspx
• students: https://studium.kit.edu/meinebenutzerdaten/Seiten/passwort.aspx
• password resets by the ITB: http://www.scc.kit.edu/dienste/8677.php

[Updated 2014-04-14] Personal certificates from the KIT-CA are not affected when used to sign and encrypt/decrypt emails.

If you are running a service that is secure by OpenSSL, please continue reading and make sure that your service is not affected by this vulnerability.

Details on the State of KIT's IT Infrastructure

The SCC has started updating all affected systems to secure versions immediately after the disclosure of the vulnerability. The corresponding keys and certificates were replaced. At the same time, scanning of the KIT IT infrastructure for vulnerable systems has commenced. In order to produce a list of potentially vulnerable hosts to be scanned, a list of all server certificates issued by KIT's Certification Authority (KIT-CA) was compiled. If a vulnerability was detected, the certificate requestor was informed of this.

Regarding all SCC-operated services, at this time (April 11, 2014) the following statements can be issued:

• The vast majority of SCC-operated services have never been affected by this vulnerability. In particular, this is true for:
  • the web servers operated centrally by the SCC
  • the Exchange email infrastructure, including Outlook Web Access (OWA)
  • KIT's central inbound and outbound mail servers
  • generally speaking, most Windows-based services (for instance, Active Directory) as well as all Java-based services (for instance, the central Identity Management System)
• The following systems were temporarily vulnerable:
  • the Shibboleth Identity Provider (IdP), up to about noon of April 8
  • the RADIUS servers, up to the morning of April 9
  • the DNSVS web interface, up to the morning of April 9
  • the Juniper VPN system, up to the morning of April 10

The RADIUS servers are the core of the authentication of the WKIT, Eduroam, LTA, and some more network access services. At this time, it is unclear whether the vulnerability actually rendered the RADIUS servers exploitable.

For further technical details please refer to the following web sites:

• DFN-CERT Advisory
• EGI Advisory
• RUS-CERT Advisory
• http://heartbleed.com

Suggested Course of Action for System Administrators and ITBs

1. Check your systems for the vulnerability. KIT-CERT currently uses heartbleed-masstest.
2. Update all affected software, and restart all dependent services.
3. Generate new key pairs for all affected systems and request new certificates. Revoke the old certificates.
4. If the affected systems host local user accounts, have the users change their passwords.

If you have any further questions, do not hestitate to contact KIT-CERT.