wlanboy
Content Contributor
First off the final details:
Last updated: 3rd January 2014
On Sun 29th December 2013 at around 1am GMT the home page of
www.openssl.org was defaced. We restored the home page just after 3am
GMT and started forensics, investigation, and recovery.
The OpenSSL server is a virtual server which shares a hypervisor with
other customers of the same ISP. Our investigation found that the
attack was made through insecure passwords at the hosting provider,
leading to control of the hypervisor management console, which then
was used to manipulate our virtual server.
The source repositories were audited and they were not affected.
Other than the modification to the index.html page no changes to the
website were made. No vulnerability in the OS or OpenSSL applications
was used to perform this defacement.
Steps have been taken to protect against this means of attack in
future.
And of course the response of VMware:
VMware is aware of suggestions that the recent defacement of the
OpenSSL Foundation website may be as a result of a hypervisor compromise.
The VMware Security Response Center has actively investigated this incident
with both the OpenSSL Foundation and their Hosting Provider in order to
understand whether VMware products are implicated and whether VMware
needs to take any action to ensure customer safety.
We have no reason to believe that the OpenSSL website defacement is a result
of a security vulnerability in any VMware products and that the defacement
is a result of an operational security error.
VMware recommends the use of vCloud Director in deployment scenarios
that require secure Internet facing access to Virtual Center and ESXi.
In the event that Virtual Center is directly Internet facing VMware
recommends customers remain current with patches and updates and that
they follow the best practices in the vSphere Security Hardening guides
https://www.vmware.com/support/support-resources/hardening-guides.html.
So at least no access to the source files.
"Just" a defacement.
But a reminder to all OpenVZ customers.
You are only as safe as your hoster is.