Important: OpenSSL Vulnerability May Exploit Your Store's SSL

  • jjtrottier
  • Junior Member
  • Members
  • Join Date: 25-Jan 11
  • 128 posts

Posted 08 April 2014 - 06:31 AM #1

On Monday, April 7th, a major vulnerability in OpenSSL was discovered. The severity of this exploit could expose your customers' credit card information, as well as usernames and passwords.

For anyone hosting their own server with payment processing directly on their site, it is important that you update OpenSSL on your server. Furthermore, you should regenerate your SSL certificates ASAP.

For more information on this vulnerability:
http://heartbleed.com/

To find out if your server is vulnerable, visit:
http://filippo.io/Heartbleed

This exploit was only announced yesterday but has been present in the OpenSSL codebase for over 2 years. If you are found vulnerable, the only way to close this hole with absolute certainty is to patch and regenerate your SSL certificates.

 
  • tbirnseth
  • CS Cart Expert
  • Authorized Reseller
  • Join Date: 08-Nov 08
  • 11306 posts

Posted 08 April 2014 - 06:48 AM #2

Applies only to self-signed certificates, correct?

EZ Merchant Solutions: Custom (USA based) B2B Development, Consulting, Development and Special Projects (get a quote here).
Commercial addons, payment methods and modifications to meet your business and operations needs.


 
  • jjtrottier
  • Junior Member
  • Members
  • Join Date: 25-Jan 11
  • 128 posts

Posted 08 April 2014 - 07:03 AM #3

Applies only to self-signed certificates, correct?


I don't recall reading that anywhere. I've tested a few sites running CS-Cart from this forum and there are definitely some affected.

Taken from PC World:

The vulnerable versions of OpenSSL are 1.0.1 through 1.0.1f with two exceptions: OpenSSL 1.0.0 branch and 0.9.8, according to a special website set up by researchers who found the problem.

If exploited, the flaw could allow attackers to monitor all information passed between a user and a Web service or even decrypt past traffic they’ve collected.

“This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users,” the researchers wrote.

The bug was discovered by three researchers from Codenomicon, a computer security company, and Neel Mehta, who works on security for Google.

The scope of the problem is vast, as many modern operating systems are suspected as having an affected OpenSSL version.

Operating systems that may have a vulnerable version of OpenSSL include Debian Wheezy, Ubuntu 12.04.4 LTS, CentOS 6.5, Fedora 18, OpenBSD 5.3, FreeBSD 8.4, NetBSD 5.0.2 and OpenSUSE 12.2, they wrote.

 
  • hglu
  • Advanced Member
  • Members
  • Join Date: 31-Oct 13
  • 113 posts

Posted 10 April 2014 - 12:56 PM #4

You can check your site here.
https://lastpass.com/heartbleed/

 
  • clips
  • Aged Resident Loon
  • Members
  • Join Date: 14-Jan 07
  • 1650 posts

Posted 10 April 2014 - 02:38 PM #5

Went to the LastPass site and it says we need to respond.

According to Future Hosting (our host), here is what they posted:
"As this vulnerability has existed for a long time and it is not possible to know whether it has been exploited, you should use your control panel or OpenSSL tools to generate a new private key and certificate request for each certificate you have on your server. Then, use the "re-key" feature at your SSL certificate provider to generate a new certificate based on the new CSR file. If your SSL private key was able to be downloaded through the exploit, someone on the Internet might be able to view encrypted data when it is transmitted to or from your server or fool users into using a fake web site with your actual SSL certificate on it. You should not publish a new certificate until after you have applied the fix for your system."

I am waiting to hear back from them, but from what I can see it does look like it affects more than self-signed certs. Can anyone else confirm this?
Regards,
Jim

 
  • tbirnseth
  • CS Cart Expert
  • Authorized Reseller
  • Join Date: 08-Nov 08
  • 11306 posts

Posted 10 April 2014 - 07:06 PM #6

Run the test on your site and it should tell you whether your site is vulnerable or not.
That being said, you should re-generate any private/public keys you might have in use for SSH or other encryption since those will be outside the 'https' protocol.

  • Fleety
  • Member
  • Members
  • Join Date: 03-Mar 09
  • 46 posts

Posted 11 April 2014 - 08:16 AM #7

Since it is only the 1.0.1 through 1.0.1f implementations of OpenSSL that are affected, in addition to using the websites already listed, you can double check which version your server is using this way:

Your admin panel > Administration > Database > phpinfo > ctrl + f (cmd + f for OS X users) type: openssl > enter

Your server's installed OpenSSL version number should show in the second or third entry, depending on the setup.

It would be helpful if the CS-Cart team sent an email to their client database (as other software vendors have) to alert everyone to the issue and explain how to check, and if affected what to do. Many people in shared hosting environments need only contact their webhost and demand that they take immediate action.

CS-Cart isn't obligated to do this, but in the interest of reducing the obvious privacy/security risks to all netizens it's a quick, easy and responsible step to take.

It seems the media has jumped on Heartbleed, albeit in a sensational way. Hopefully all this focus on SSL will pave the way to better standards and help to educate average internet users on how important encryption is.

This forum isn't secured, that's why I've always worn my tin foil hat :)

Quick Edit: Here is a link to useful information: http://digital-foren...s-simulcast-etc

The second paragraph has a PDF (tested clean on VirusTotal) of a presentation by the security researcher "Malware Jack" that is clear, explicit and definitely worth reading by everyone here, especially people administering their own servers.

Edited by Fleety, 11 April 2014 - 08:57 AM.

Doing not dreaming
--------------------------

2.0.10
Genetically Altered Electro skin
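
Posts #3 and #7 above give the affected range (1.0.1 through 1.0.1f) and a way to read the installed version; the snippet below is an added example, not written by any poster in this thread, that classifies an `openssl version` string against that range and reports on the host's own binary if one is installed. It assumes a POSIX sh and that `openssl version` prints its usual "OpenSSL <version> <date>" line.

```shell
#!/bin/sh
# Added example (not from any poster in this thread): classify an OpenSSL
# version string against the Heartbleed-affected range quoted above,
# 1.0.1 through 1.0.1f (1.0.0.x and 0.9.8x are not affected; 1.0.1g is fixed).
# Exit status: 0 = in the affected range, 1 = outside it, 2 = unrecognised input.
heartbleed_version_affected() {
    ver=${1#OpenSSL }      # accept full "openssl version" output or a bare version
    ver=${ver%% *}         # keep the first word: the version token
    ver=${ver%%-*}         # drop build suffixes such as "-fips" (CentOS prints 1.0.1e-fips)
    case "$ver" in
        [0-9]*.[0-9]*.[0-9]*) ;;         # looks like a.b.c or a.b.c<letter>
        *) return 2 ;;
    esac
    case "$ver" in
        1.0.1 | 1.0.1[a-f]) return 0 ;;  # 1.0.1 and 1.0.1a .. 1.0.1f
        *) return 1 ;;                   # 1.0.1g and later, 1.0.0.x, 0.9.8x, ...
    esac
}

# One-line verdict for a version string; written to be safe under "set -e".
heartbleed_verdict() {
    rc=0
    heartbleed_version_affected "$1" || rc=$?
    case $rc in
        0) echo "affected range: $1" ;;
        1) echo "outside range: $1" ;;
        *) echo "unrecognised: $1" ;;
    esac
}

# Verdict for the OpenSSL binary on this host, if one is installed.
check_local_openssl() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl binary not found on this host"
        return 2
    fi
    heartbleed_verdict "$(openssl version)"
}

# Constructed sample strings in the shape "openssl version" prints them.
for sample in "OpenSSL 1.0.1e-fips 11 Feb 2013" "OpenSSL 1.0.1g 7 Apr 2014" \
              "OpenSSL 1.0.0k 5 Feb 2013" "OpenSSL 0.9.8y 5 Feb 2013" "garbage"; do
    heartbleed_verdict "$sample"
done
check_local_openssl || :   # a host without openssl is not an error for this demo
```

Distributions such as the CentOS 6.5 and Debian Wheezy builds named above shipped the fix as a package update without changing the version letter, so "affected range" for a packaged 1.0.1e means "check the package changelog or one of the test sites linked above", not "definitely vulnerable".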

 
  • NaMo
  • Senior Member
  • Members
  • Join Date: 26-Jan 14
  • 199 posts

Posted 12 April 2014 - 08:30 PM #8

Will it be affecting the current versions of cs-cart?

 
  • cscartrocks
  • Member
  • Members
  • Join Date: 24-Jan 11
  • 1716 posts

Posted 12 April 2014 - 08:40 PM #9

Will it be affecting the current versions of cs-cart?

It should be server-related, not the script. You can check with your hosting to see if they have taken care of this problem.

One Step Checkout Addon - The ultimate checkout experience
Best CS-Cart SEO addon - CS-Cart SEO Ultimate Addon
PM for quality custom work/project


 
  • forfun
  • Junior Member
  • Members
  • Join Date: 22-Feb 11
  • 109 posts

Posted 13 April 2014 - 08:38 AM #10

You need to update your openssl package, actually.

For CentOS:
yum clean all
yum update openssl
service httpd restart

For Debian:
apt-get update
apt-get install openssl
/etc/init.d/apache2 restart

Hosted at DigitalOcean | 2.2.4 Pro Version & 4.1.3 | Айхор Хостинг

 
  • tbirnseth
  • CS Cart Expert
  • Authorized Reseller
  • Join Date: 08-Nov 08
  • 11306 posts

Posted 14 April 2014 - 03:10 AM #11

The openssl package may or may not need to be updated. That's why the version should be checked.
If it is updated, then any email, ssh, or other passwords generated on the site should be recreated and changed.

Best thing is to contact your hosting provider and find out if your site was affected or vulnerable during any prior period.
If so, have them fix it (should already be done) and then change all your passwords for email, ssh, or anything else that uses a security certificate to gain access.
