User Tools

Site Tools


security:cve-announcements:heartbleed

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Next revision
Previous revision
security:cve-announcements:heartbleed [2014/05/05 13:02]
mikedep333 created
security:cve-announcements:heartbleed [2015/07/09 23:41] (current)
mikedep333 [Announcement]: Remove "will be posted to the x2go-announcements list"
Line 1: Line 1:
-====== X2Go Announcement on Heartbleed (CVE-2014-0160)====== +====== X2Go Announcement on Heartbleed (CVE-2014-0160) ====== 
-===== Announcement ​(will be posted to the x2go-announcement list) =====+===== Announcement =====
  
 The following is the X2Go project'​s announcement on heartbleed The following is the X2Go project'​s announcement on heartbleed
Line 6: Line 6:
 take. take.
  
-1. When X2Go (both X2Go Client and X2Go Server) ​are used without an+1. When X2Go (both X2Go Client and X2Go Server) ​is used without an
 X2Go Session Broker, X2Go is not vulnerable. X2Go Session Broker, X2Go is not vulnerable.
 +
 If you do use X2Go without a session broker, no action is required in If you do use X2Go without a session broker, no action is required in
 terms of X2Go. terms of X2Go.
 +
 We still strongly advise you to install your Linux distro'​s patch for OpenSSL. We still strongly advise you to install your Linux distro'​s patch for OpenSSL.
 +
 We also advise updating X2Go Client for Windows to 4.0.2.0, and X2Go We also advise updating X2Go Client for Windows to 4.0.2.0, and X2Go
 client for Mac OS X to 4.0.2.0, in order to avoid vulnerability client for Mac OS X to 4.0.2.0, in order to avoid vulnerability
Line 17: Line 20:
 2. When X2Go is used with an X2Go Session Broker, these X2Go 2. When X2Go is used with an X2Go Session Broker, these X2Go
 components are vulnerable if the following conditions are met: components are vulnerable if the following conditions are met:
 +
 a. X2Go Session Broker: If the Linux distro uses OpenSSL 1.0.1, the a. X2Go Session Broker: If the Linux distro uses OpenSSL 1.0.1, the
 Linux distro'​s CVE-2014-0160 patch is not installed, and HTTPS is Linux distro'​s CVE-2014-0160 patch is not installed, and HTTPS is
Line 23: Line 27:
 apache configuration. If you are using x2gobroker-daemon,​ it would be apache configuration. If you are using x2gobroker-daemon,​ it would be
 enabled in /​etc/​default/​x2gobroker-daemon .) enabled in /​etc/​default/​x2gobroker-daemon .)
 +
 b. X2Go Client for Linux: If the Linux distro uses OpenSSL 1.0.1, the b. X2Go Client for Linux: If the Linux distro uses OpenSSL 1.0.1, the
 Linux distro'​s CVE-2014-0160 patch is not installed, and HTTPS is used Linux distro'​s CVE-2014-0160 patch is not installed, and HTTPS is used
 to connect to an X2Go Session broker. to connect to an X2Go Session broker.
 +
 c. X2Go Client for Windows: If X2Go Client is at version c. X2Go Client for Windows: If X2Go Client is at version
 4.0.1.3+build2,​ and HTTPS is used to connect to the X2Go Session 4.0.1.3+build2,​ and HTTPS is used to connect to the X2Go Session
 Broker. Broker.
 +
 d. X2Go Client for Mac OS X: If X2Go Client is at version 4.0.1.3 or d. X2Go Client for Mac OS X: If X2Go Client is at version 4.0.1.3 or
 earlier, and HTTPS is used to connect to the X2Go Session Broker. earlier, and HTTPS is used to connect to the X2Go Session Broker.
 +
 e. PyHoca-GUI for Linux: If you are using a nightly build since e. PyHoca-GUI for Linux: If you are using a nightly build since
 2014-03-18 (when broker support was 1st added,), the Linux distro 2014-03-18 (when broker support was 1st added,), the Linux distro
 uses OpenSSL 1.0.1, the Linux distro'​s CVE-2014-0160 patch is not uses OpenSSL 1.0.1, the Linux distro'​s CVE-2014-0160 patch is not
 installed, HTTPS is used to connect to an X2Go Session broker. installed, HTTPS is used to connect to an X2Go Session broker.
 +
 f. PyHoca-CLI for Linux: If you are using a nightly build since f. PyHoca-CLI for Linux: If you are using a nightly build since
 2014-03-03 (when broker support was 1st added,) the Linux distro uses 2014-03-03 (when broker support was 1st added,) the Linux distro uses
Line 48: Line 57:
  
 X2Go Session Broker: X2Go Session Broker:
 +
 a. Install your Linux distro'​s patch for OpenSSL (CVE-2014-0160) if a. Install your Linux distro'​s patch for OpenSSL (CVE-2014-0160) if
 you haven'​t done so already. you haven'​t done so already.
 +
 b. Replace the SSL certificate used by X2Go Session Broker. Consult b. Replace the SSL certificate used by X2Go Session Broker. Consult
 your Linux distro'​s instructions on doing so. If you are using your Linux distro'​s instructions on doing so. If you are using
Line 57: Line 68:
 If you are using x2gobroker-daemon,​ the path to the SSL cert is If you are using x2gobroker-daemon,​ the path to the SSL cert is
 specified in /​etc/​default/​x2gobroker-daemon . specified in /​etc/​default/​x2gobroker-daemon .
 +
 c. Reset the passwords for any user accounts that have been used with c. Reset the passwords for any user accounts that have been used with
 an X2Go Session Broker before the patch was installed. an X2Go Session Broker before the patch was installed.
  
-X2Go Server (follow these instructions if X2Go session broker ​was vulnerable):​+d. Replace the SSH key used by X2Go Session Broker to communicate with X2Go Session Broker Agents: 
 +<code bash> 
 +sudo x2gobroker-keygen 
 +</​code>​ 
 +(To clarify, the SSH connection between an X2Go Session Broker and an X2Go Session Broker Agent (running on an X2Go Server) is not vulnerable. However the SSH private key used to communicate with agents is in the broker'​s memory. Therefore, the broker could leak the key to an X2Go Client that accesses the broker over HTTPS. In contrast, the SSH private key used to communicate with X2Go clients is not in the broker'​s memory, so it does not need to be replaced.)  
 + 
 +X2Go Server (follow these instructions if X2Go Session Broker ​was vulnerable):​ 
 a. Reset the passwords for any user accounts that have been used with a. Reset the passwords for any user accounts that have been used with
 an X2Go Session Broker before the patch was installed. an X2Go Session Broker before the patch was installed.
 +
 +b. If you have the X2Go Session Broker Agent installed, authorize the new X2Go Session Broker SSH key:
 +<code bash>
 +sudo x2gobroker-pubkeyauthorizer --broker-url http(s)://<​broker-server>:<​port>/<​basepatch>/​pubkeys/​
 +</​code>​
  
 X2Go Client: X2Go Client:
 +
 a. Patch X2Go Client, if you haven'​t already done so. a. Patch X2Go Client, if you haven'​t already done so.
 On Linux, install your Linux Distro'​s patch for OpenSSL (CVE-2014-0160). On Linux, install your Linux Distro'​s patch for OpenSSL (CVE-2014-0160).
Line 71: Line 96:
 http://​wiki.x2go.org/​doku.php/​doc:​release-notes-mswin:​x2goclient-4.0.2.0 http://​wiki.x2go.org/​doku.php/​doc:​release-notes-mswin:​x2goclient-4.0.2.0
 On Mac OS X: update X2Go Client to 4.0.2.0. On Mac OS X: update X2Go Client to 4.0.2.0.
 +
 b. Replace all SSH private key / public key pairs that are used by b. Replace all SSH private key / public key pairs that are used by
 X2Go Client to connect to an X2Go Session Broker, or to connect to an X2Go Client to connect to an X2Go Session Broker, or to connect to an
Line 81: Line 107:
  
 PyHoca-GUI & PyHoca-CLI PyHoca-GUI & PyHoca-CLI
 +
 a. Patch PyHoca-GUI/​PyHoca-CLI by installing your Linux Distro'​s patch a. Patch PyHoca-GUI/​PyHoca-CLI by installing your Linux Distro'​s patch
 for OpenSSL (CVE-2014-0160). for OpenSSL (CVE-2014-0160).
 +
 b. Replace all SSH private key / public key pairs that are used by b. Replace all SSH private key / public key pairs that are used by
 PyHoca-GUI/​PyHoca-CLI to connect to an X2Go Session Broker, or to PyHoca-GUI/​PyHoca-CLI to connect to an X2Go Session Broker, or to
Line 94: Line 122:
 Fore the full technical details on why the X2Go Project is making these Fore the full technical details on why the X2Go Project is making these
 recommendations,​ follow this link: recommendations,​ follow this link:
 +
 http://​wiki.x2go.org/​doku.php/​security:​cve-announcements:​heartbleed http://​wiki.x2go.org/​doku.php/​security:​cve-announcements:​heartbleed
  
Line 126: Line 155:
 5. The X2Go session broker and the X2Go Session Broker Agents (running 5. The X2Go session broker and the X2Go Session Broker Agents (running
 on the X2Go Servers) communicate with eachother via SSH connections on the X2Go Servers) communicate with eachother via SSH connections
-using the paramiko library for SSH. Therefore, the X2Go Session ​broker +using the paramiko library for SSH. Therefore, the X2Go Session ​Broker 
-agent is not affected, and X2Go Session broker is not affected in+Agent is not affected, and X2Go Session broker is not affected in
 terms of communicating with the X2Go Session Broker Agents (the X2Go terms of communicating with the X2Go Session Broker Agents (the X2Go
-Servers.)+Servers.) ​However, the SSH private key used by the X2Go Session Broker to communicate with with agents is in the X2Go Session Broker'​s memory. Therefore, based on the next piece of information,​ we are recommending that system administrators replace said key.
  
 6. The X2Go session broker can be accessed by an X2Go Client over 6. The X2Go session broker can be accessed by an X2Go Client over
security/cve-announcements/heartbleed.1399294957.txt.gz · Last modified: 2014/05/05 13:02 by mikedep333