COMPUTING AND TECHNOLOGY SERVICES

ALERTS AND ANNOUNCEMENTS

Computing Alerts and Announcements

Update: Banner registration issue resolved (posted 04/15/14 8:53AM)

The Banner issue that prevented students from registering for classes early this morning has been resolved. If you experienced this problem, please log out of Banner, log back in and then try again. If you encounter any errors when attempting to register, please report them to the Help Desk at chd@buffalostate.edu.

Note regarding registration restrictions: If you're unable to get into a class due to a restriction of some sort (e.g. major, class, prerequisite), you'll receive an error message (and a copy of the error will be sent to your student email account). To address the restriction, you'll need to forward a copy of this email to your advisor for review, or contact the instructor directly. If the instructor decides to grant the override, you'll need to go back into Banner and add the course.

Information related to the Heartbleed Internet security vulnerability (posted 04/11/14 9:00PM)

ABOUT HEARTBLEED

Heartbleed (CVE-2014-0160) is a bug in OpenSSL's implementation of the TLS heartbeat extension (RFC 6520).  It shipped with OpenSSL 1.0.1 in March of 2012, but was revealed publicly only this week.  The flaw is a missing bounds check: a heartbeat request carries a payload_length field, and vulnerable versions copy that many bytes into the response without verifying that the request actually contained that much data, so an unauthenticated peer can read up to 64KB of the process's memory per request.  That memory can contain private keys, session cookies, passwords and any other data the process has handled.  This issue should be considered extremely critical due to its impact, long exposure, ease of exploitation, the absence of application logs indicating an exploit attempt, and the widespread availability of exploit code.  The attack works in both directions: a malicious client can read a vulnerable server's memory, and a malicious server can read a vulnerable client's memory.  An attacker can keep reconnecting, or can keep sending heartbeat requests during an active TLS (Transport Layer Security) connection, collecting an arbitrary number of 64KB chunks of memory content until they have achieved their objectives.

What is affected that Buffalo State hosts or manages?

The servers below were running a vulnerable version of OpenSSL, and have been patched, restarted and tested.  Note also that all Linux systems managed by Computing and Technology Services receive daily patches from the Oracle Unbreakable Linux Network.

Machine                      OpenSSL ver.   Patched and restarted   Tested @ http://filippo.io/Heartbleed
eprint01.buffalostate.edu    1.0.1e-16      patched / restarted     tested OK
bsclib02.buffalostate.edu    1.0.1e-16      patched / restarted     tested OK
libdev.buffalostate.edu      1.0.1e-16      patched / restarted     tested OK
webcts01.buffalostate.edu    1.0.1e-16      patched / restarted     tested OK
sareports.buffalostate.edu   1.0.1e-16      patched / restarted     tested OK


What is affected that SUNY ITEC hosts or manages?

All hosted systems at ITEC are protected by ITEC's Dell SecureWorks iSensor IDS/IPS.  The IDS/IPS contains a signature for Heartbleed attacks called 50174 VID59478 OpenSSL TLS/DTLS Large Heartbeat Response, which triggers on the oversized heartbeat response a vulnerable server sends back, i.e. on a leak in progress rather than on the probe alone.
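The two signs of Heartbleed on the wire, as described in the ABOUT HEARTBLEED section and in the "Large Heartbeat Response" signature above, can both be checked from the raw TLS record stream.  The following is an added example written for this page; it is not Buffalo State's, ITEC's or Dell SecureWorks' code, and it does not reproduce the vendor signature.  It parses TLS records, and for heartbeat records (content type 24) it applies the same bounds check that OpenSSL 1.0.1g added (type + length + payload + 16 bytes of padding must fit inside the record) to spot a probe, and flags any heartbeat response larger than a threshold.  The threshold value and the sample stream are assumptions constructed for the example, not captured traffic.

```python
import struct
from dataclasses import dataclass

# TLS record content type and heartbeat message types from RFC 6520.
TLS_HEARTBEAT = 24
HB_REQUEST, HB_RESPONSE = 1, 2
HB_MIN_PADDING = 16          # RFC 6520: at least 16 bytes of random padding follow the payload
LARGE_RESPONSE_BYTES = 128   # assumed threshold for the "large response" check; tune for your environment


@dataclass
class Finding:
    offset: int   # byte offset of the offending TLS record within the stream
    kind: str     # "probe", "large_response" or "malformed"
    detail: str


def parse_records(stream: bytes):
    """Yield (offset, content_type, body) for every complete TLS record in a byte stream.

    A truncated record at the end of a capture is skipped instead of raising."""
    pos = 0
    while pos + 5 <= len(stream):
        ctype, _version, length = struct.unpack("!BHH", stream[pos:pos + 5])
        body = stream[pos + 5:pos + 5 + length]
        if len(body) < length:
            break
        yield pos, ctype, body
        pos += 5 + length


def inspect_heartbeats(stream: bytes) -> list:
    """Flag heartbeat records that look like a Heartbleed probe or a leaking response."""
    findings = []
    for offset, ctype, body in parse_records(stream):
        if ctype != TLS_HEARTBEAT:
            continue
        if len(body) < 3:
            findings.append(Finding(offset, "malformed", f"{len(body)}-byte heartbeat record has no header"))
            continue
        hb_type = body[0]
        claimed = struct.unpack("!H", body[1:3])[0]
        # Same bounds check that OpenSSL 1.0.1g added: type + length + payload + padding must fit the record.
        if hb_type == HB_REQUEST and 1 + 2 + claimed + HB_MIN_PADDING > len(body):
            findings.append(Finding(offset, "probe",
                            f"request claims payload_length={claimed} but the record carries only {len(body)} bytes"))
        elif hb_type == HB_RESPONSE and len(body) > LARGE_RESPONSE_BYTES:
            findings.append(Finding(offset, "large_response", f"{len(body)}-byte heartbeat response"))
    return findings


# Helpers to build constructed sample traffic (not a real capture).
def tls_record(ctype: int, body: bytes, version: int = 0x0302) -> bytes:
    return struct.pack("!BHH", ctype, version, len(body)) + body


def heartbeat(hb_type: int, claimed_len: int, payload: bytes) -> bytes:
    return struct.pack("!BH", hb_type, claimed_len) + payload + b"\x00" * HB_MIN_PADDING


SAMPLE_STREAM = (
    tls_record(22, b"\x01\x00\x00\x04\x03\x02\x00\x00")                   # handshake record, not inspected
    + tls_record(TLS_HEARTBEAT, heartbeat(HB_REQUEST, 4, b"ping"))       # benign request (23-byte body)
    + tls_record(TLS_HEARTBEAT, heartbeat(HB_RESPONSE, 4, b"ping"))      # benign response
    + tls_record(TLS_HEARTBEAT, b"\x01\x40\x00")                          # probe: claims 16384 bytes, carries none
    + tls_record(TLS_HEARTBEAT, heartbeat(HB_RESPONSE, 0x1000, b"A" * 0x1000))  # leaking response (stand-in for memory)
    + b"\x18\x03\x02\x00\x40"                                             # truncated trailing record
)

if __name__ == "__main__":
    for f in inspect_heartbeats(SAMPLE_STREAM):
        print(f"offset {f.offset}: {f.kind} - {f.detail}")
```

On the constructed stream the benign request and response pass, the 3-byte request claiming 16384 bytes is reported as a probe, the 4115-byte response is reported as a large response, and the truncated trailing record is ignored.  Because the probe check mirrors the fixed library's own test, a request it flags is exactly one a patched OpenSSL would silently discard and a vulnerable one would answer.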

RECOMMENDED ACTIONS


For users:

It is good practice to change your Web account passwords periodically, and this vulnerability just serves to emphasize this.  Some media outlets have suggested waiting until a Web site has patched/upgraded its servers before changing your password there, and there is a reason for that: a password entered on a still-vulnerable server can be captured again.  The fix was made available on Monday (4/7), so most sites will have applied it by now, and you can check a specific site with the test link in the LINKS section.  Change your passwords now (including your Buffalo State network password) and make it a habit to change passwords often.

For server administrators (or anyone running a Linux Web server):

This vulnerability is resolved in OpenSSL version 1.0.1g, released 4/7.  According to the OpenSSL advisory, the 1.0.2 branch will be fixed in 1.0.2-beta2, and where an upgrade is not immediately possible the advisory's alternative is to recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.  An immediate upgrade is recommended.  Note that enterprise distributions backport the fix without changing the upstream version string: a system reporting 1.0.1e may already be patched (Red Hat's fix, for example, shipped as openssl-1.0.1e-16.el6_5.7), so check the package changelog for CVE-2014-0160, or test the service directly, rather than relying on the version number alone.  After upgrading, restart every process that has the old library loaded (web servers, mail servers, VPN daemons and so on); until it is restarted, a process keeps running the vulnerable code.

Products that use OpenSSL libraries, such as SSL termination devices, load balancers, secure web gateways, web application firewalls, and other embedded devices, may also be vulnerable.  Administrators should coordinate vulnerability status and mitigation steps with the appropriate vendors.

After patching the vulnerability, treat any private key used by a vulnerable TLS service as compromised: generate a new private key (do not simply reissue a certificate for the old key), obtain and install a new X.509 certificate, and revoke the old one.  In addition, consider potential compromise of secondary key material, such as usernames and passwords exchanged with a vulnerable TLS endpoint.  Reset secondary key material such as passwords and encryption keys, and invalidate and reset any exposed session keys and session cookies.

What versions of OpenSSL are affected?

  • OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
  • OpenSSL 1.0.1g is NOT vulnerable
  • OpenSSL 1.0.0 branch is NOT vulnerable
  • OpenSSL 0.9.8 branch is NOT vulnerable
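The version list above, together with the backport caveat in the server administrator section, is easy to get wrong by hand across many hosts.  The following is an added example for this page, not Buffalo State's tooling: it classifies an "openssl version" banner against the affected range (1.0.1 through 1.0.1f, plus 1.0.2-beta1), and, because vendors fix the bug without bumping the upstream version, it treats a changelog entry naming CVE-2014-0160 as evidence of a backported fix.  The sample changelog and its package release string are constructed for the example and are not from any real distribution.

```python
import re

FIXED_LETTER = "g"      # 1.0.1g is the first upstream 1.0.1 release without the bug
CVE = "CVE-2014-0160"


def heartbleed_status(version_line: str, changelog: str = "") -> str:
    """Classify an `openssl version` banner (optionally with the package changelog) against Heartbleed.

    Returns "vulnerable", "patched", "patched (vendor backport)", "not affected" or "unknown".
    The changelog check exists because enterprise distributions fix the bug without changing
    the upstream version string, so "1.0.1e" alone does not prove a host is vulnerable."""
    m = re.match(r"OpenSSL\s+(\d+\.\d+\.\d+)([a-z]*)(?:-beta(\d+))?", version_line)
    if not m:
        return "unknown"
    base, letter, beta = m.group(1), m.group(2), m.group(3)
    if base == "1.0.1":
        affected = letter < FIXED_LETTER     # "" (plain 1.0.1) through "f" are affected
    elif base == "1.0.2":
        affected = beta == "1"               # 1.0.2-beta1 is affected; beta2 onward is fixed
    else:
        affected = False                     # 1.0.0, 0.9.8 and older never had the heartbeat code
    if not affected:
        return "patched" if base in ("1.0.1", "1.0.2") else "not affected"
    if CVE in changelog:
        return "patched (vendor backport)"
    return "vulnerable"


# Constructed sample of the text a package manager reports (e.g. `rpm -q --changelog openssl`);
# the packager, address and release string are made up for this example.
SAMPLE_CHANGELOG_PATCHED = """\
* Mon Apr 07 2014 Example Packager <packager@example.invalid> 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
"""

if __name__ == "__main__":
    for banner, log in [
        ("OpenSSL 1.0.1e 11 Feb 2013", ""),
        ("OpenSSL 1.0.1e 11 Feb 2013", SAMPLE_CHANGELOG_PATCHED),
        ("OpenSSL 1.0.1g 7 Apr 2014", ""),
        ("OpenSSL 0.9.8y 5 Feb 2013", ""),
    ]:
        print(f"{banner:32} -> {heartbleed_status(banner, log)}")
```

A "vulnerable" or "patched (vendor backport)" result is a triage hint, not proof: the library on disk may be patched while a long-running daemon still has the old copy loaded, so confirm with a restart and a live test of the service such as the one linked below.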

LINKS

http://heartbleed.com/

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160

http://sseguranca.blogspot.com/2014/04/heartbleed-ssl-bug.html

http://filippo.io/Heartbleed <-- Test to see if a Web server is vulnerable to Heartbleed
