As you may be aware, a 0-day vulnerability was recently disclosed in OpenSSL, a very widely used cryptographic software library. The exploit in question was nicknamed "Heartbleed" and allows an attacker to read data from a server's memory, a grave security risk for any site that uses OpenSSL to run its HTTPS website. You can read more about it here: http://heartbleed.com/

The good news is that we have reviewed all of our systems, and the only system that was vulnerable to this exploit was our cPanel01 server, which we patched and for which we re-issued new SSL certificates as soon as we received notice of this exploit via a software security newsletter. If you currently run a web server with HTTPS enabled or utilize OpenSSL in any manner, please take the appropriate steps to patch your OpenSSL installation and re-issue your SSL certificates to secure your systems.

The basic steps to patching your system are to update OpenSSL to the latest version (1.0.1 through 1.0.1f are vulnerable), restart the affected services (a reboot of the VPS is recommended), and re-issue your certificates:
  • For CentOS/RedHat based distros: yum update
  • For Debian/Ubuntu based distros: apt-get update && apt-get upgrade
  • Then reboot your VPS to ensure that all services are now using the new OpenSSL libraries.
  • Consult your SSL issuer for instructions on how to re-issue new SSL certificates and revoke your old ones.
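As an added example (not part of this announcement and not a Secure Dragon tool), the POSIX shell script below checks whether the version reported by `openssl version` falls in the affected range given above, 1.0.1 through 1.0.1f, and, where lsof is installed, lists processes that still have a replaced libssl mapped in memory, which is exactly why the reboot step matters. Distributions often backport the fix without changing the upstream version string, so treat the version check as a first pass and confirm against your distribution's advisory and the package changelog.

```shell
#!/bin/sh
# Added example, not part of the Secure Dragon announcement: a post-patch
# check for the Heartbleed version range the notice gives (1.0.1 - 1.0.1f).
# Caveat: distros backport fixes without bumping the upstream version, so an
# "affected" verdict here means "confirm against your distro's advisory".

# Reduce a version string to its upstream core: accepts "1.0.1e",
# "OpenSSL 1.0.1e 11 Feb 2013" or "OpenSSL 1.0.1e-fips 11 Feb 2013".
openssl_core_version() {
    v=${1#OpenSSL }      # drop the leading program name, if present
    v=${v%% *}           # drop the build date
    v=${v%%-*}           # drop distro/build suffixes such as -fips
    printf '%s\n' "$v"
}

# Returns 0 (true) when the version is in the affected range, 1 otherwise.
heartbleed_version_affected() {
    case "$(openssl_core_version "$1")" in
        1.0.1 | 1.0.1[a-f]) return 0 ;;  # 1.0.1 (unlettered) through 1.0.1f
        *)                  return 1 ;;  # 0.9.8, 1.0.0, 1.0.1g+, 1.0.2+
    esac
}

# Processes that still have a *deleted* libssl mapped: the package was
# updated but the service was never restarted, so it still runs the old code.
# lsof marks such mappings with "DEL" in the FD column (Linux only).
stale_libssl_processes() {
    command -v lsof >/dev/null 2>&1 || { echo "lsof not available" >&2; return 0; }
    lsof -n 2>/dev/null | awk '$4 == "DEL" && $0 ~ /libssl/ { print $1, $2 }' | sort -u
}

# Human-readable verdict for the locally installed openssl binary.
check_local_openssl() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl binary not found; check your package manager instead"
        return 0
    fi
    ver=$(openssl version)
    if heartbleed_version_affected "$ver"; then
        echo "AFFECTED RANGE: $ver (update, then reboot or restart services)"
    else
        echo "outside affected range: $ver"
    fi
    echo "processes still mapping a replaced libssl (should be empty after reboot):"
    stale_libssl_processes
}

check_local_openssl
```

Run it once before and once after the reboot: the second run should report a version outside the range and an empty list of processes mapping a deleted libssl.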

For clients who have services on our cPanel01 server, we have forced a password reset for all clients so the next time you log in to your cPanel account you will be prompted to change your password as a precaution.

Just to confirm, the following systems were not vulnerable to the Heartbleed bug:
  • Our main website (securedragon.net) - Running version 0.9.8
  • Our client area and Wyvern (my.securedragon.net) - Running version 0.9.8
  • Our SolusVM Master (master.securedragon.net) - Running version 0.9.8
This is yet another reminder of how important it is not to rely on passwords alone for security, and never to use the same password on multiple websites. Had our web servers been vulnerable to this attack, clients using Two-Factor Authentication would have been safe, since the exploit would not have granted attackers access to your second factor token (i.e. your phone). We highly recommend that users enable Two-Factor Authentication to increase security for the client area (and for those of you with an OpenVZ VPS with us, this also protects the Wyvern control panel so an attacker cannot manage your VPS): https://my.securedragon.net/knowledgebase.php?action=displayarticle&id=161

If you have any additional concerns regarding this exploit, there are many websites dedicated to explaining the bug in detail and answering general questions about the bug's usage and prevention. We can answer questions specific to our services, but our knowledge about the bug itself is limited to what we've found on the Heartbleed.com website mentioned above and the software security newsletter we received on April 8th.

Attempts were made to send this announcement to all active clients in our system, but a delivery problem meant that not all clients received this e-mail. We are sending out a separate e-mail to cPanel clients to ensure they are aware of the situation.

-The Secure Dragon Staff


Saturday, April 12, 2014