Moodle in English: [URGENT] Heartbleed OpenSSL Vulnerability

Security and privacy

[URGENT] Heartbleed OpenSSL Vulnerability

This discussion has been locked because a year has elapsed since the last post. Please start a new discussion topic.

Hi all,

As you may or may not be already aware, a significant security vulnerability in OpenSSL has recently been found.

This vulnerability was discovered within the OpenSSL cryptographic software library, a global standard used by most web servers, and is not related to Moodle software.

This vulnerability allows exploitation of the heartbeat mechanism within TLS in order to read 64k of addressable server memory at one time, potentially allowing the leakage of sensitive information, including SSL private keys, usernames, passwords, and other details not normally accessible over encrypted SSL communication channels.

The vulnerability, introduced in December 2011, affects OpenSSL versions 1.0.1 through 1.0.1f, covering a significant portion of SSL websites across the world.

I can confirm that like many other sites, Moodle.org was vulnerable to this issue.

On Tuesday (8/4/14) all Moodle servers were patched for the vulnerability, and as the vulnerability does not leave any signs as to whether a system has been exploited, I have re-keyed and re-signed our SSL certificates to ensure that in the event our private key was leaked, our communications will not be compromised.

There is, however, one major concern remaining. As there is the potential to read all data including usernames and passwords, your moodle.org accounts may or may not have been compromised.

As a precautionary measure, I am advising all moodle.org users to change their passwords here, and on any site *confirmed* to have fixed this vulnerability.

You can confirm a site has been patched for the Heartbleed vulnerability by using this tool: http://filippo.io/Heartbleed/

It is important to ensure that the site is not vulnerable BEFORE you change your credentials, to ensure that your new credentials are not inadvertently exposed, defeating the purpose of changing them to begin with.

IMPORTANT for Moodle Administrators

If you are running Moodle over HTTPS, or any other daemons using SSL, I strongly advise that you update OpenSSL to the latest version, re-key and re-sign your SSL certificates, and restart the daemons (Apache, NginX, etc) using OpenSSL.

Moodle's MNET functionality uses OpenSSL to generate certificates and keys for identity and communication security of the single sign-on functionality. You should also update OpenSSL and re-key/re-sign your MNET certificates to ensure these communication mechanisms remain secure.

For more information on this vulnerability, check out http://heartbleed.com/

Kind Regards,

Matt

Moodle Systems Administrator

Average of ratings: Useful (8)

Permalink | Reply

Thanks Matt. Greatly appreciated!

Average of ratings: -

Permalink | Show parent | Reply

May you live in peace Matt!

Thanks heaps for this valuable post. I am a bit unclear. I would appreciate if you may please answer following concerns:

1) I am running a couple of Moodle websites which do not use HTTPS or SSL. Are these also affected by Heartbleed?

2) I am administering a website where we have SSL installed. Although we have updated OpenSSL, re-keyed and re-signed SSL certificate but do we need to ask all our users to change their passwords?

Thanks for your time and effort.

Warm regards,

Mahtab Hussain

Average of ratings: -

Permalink | Show parent | Reply

Hi Mahtab,

1) No - these sites are not affected (but equally they are arguably less secure than a site which is affected by heartbleed as there is no attempt to encrypt information vs. something a site which is encrypted but an attacker could gain information from)

2) It is recommended that after re-keying, new certificates, and patching the system, you should encourage users to reset any passwords that they may have. Technically the same can be said for any shared tokens (e.g. RSS, Web Services, etc).

Best wishes,

Andrew Nicols

Average of ratings: Useful (2)

Permalink | Show parent | Reply

May you live in peace Andrew and all others!

Thanks a heap Andrew & others for sharing your expert opinion. We shall follow the guidelines to assure security.

Warm regards,

Mahtab Hussain

Average of ratings: -

Permalink | Show parent | Reply

You can trust XKCD (AKA Randall Munroe) to put it in a way everyone can understand:

How the Heartbleed bug works

and...

Heartbleed

So, yes... everyone should change all their passwords after they have verified that the sysadmins have updated their OpenSSL, keys, and certificates on each site that they have accounts on.

Average of ratings: -

Permalink | Show parent | Reply

For Moodle administrators running MNet hosts, some additional steps may be needed.

The Heartbleed bug is in the heartbeat command of the TLS wire protocol (it's a ping-like command). MNet uses the OpenSSL libraries for some crypto functionality, but it does not use the TLS wire protocol itself. So Heartbleed does not affect MNet per se. On the other hand, a host that was affected by Heartbleed through using HTTPS would have been leaking all sorts of secrets that Apache knew. And Apache knows the secret MNet keys.

So, if you are using HTTPS and MNet together at one host, you should:

Delete the current MNet key at your Site administration ► Networking ► Settings screen
And also remove all the previously used MNet keys that Moodle stores for some time yet. Unfortunately there is no UI for that (as it was never expected that private keys could have leaked). So you need to do this by removing the keys dorectly from the database by running something like

DELETE FROM mdl_config_plugins WHERE plugin='mnet' AND name='openssl_history';

Please note, once the current key for you host is regenerated and the openssl_history record is removed, other peers in your MNet environment can't establish a connection to you site. You will have to manually set the new public key at all your peers (in other words, the normal procedure of new key exchange will not work).

Average of ratings: Useful (2)

Permalink | Show parent | Reply

Thanks David for working through the implications for MNET.

Average of ratings: -

Permalink | Show parent | Reply

Nothing is ever simple. From our IT manager today, because he had to say something . . .

There is a large amount of Heartbleed related SPAM now appearing which is asking/advising recipients to change their passwords for various internet services. (eg. Facebook). Whilst this may be good advice please do not click on any links received in emails of this nature as these often lead to other exploits and/or theft of credentials.

If you are wanting to change your password then instead of using the provided links please browse to the sites you use in the normal manner and change your passwords using the tools provided by those sites.

-Derek

Average of ratings: Useful (1)

Permalink | Show parent | Reply

I think Heartbleed presents a constructive opportunity for people to revise their password usage habits. It's still shocking, the number of people using weak passwords, e.g. "123456", "password", "opensesame", and birthdays, and/or using the same password across multiple accounts.

Again, I think XKCD nails it:

Password strength

Average of ratings: -

Permalink | Show parent | Reply