OpenSSL Website Breached Via Hypervisor Management Interface Misconfiguration
The website of the OpenSSL project, which provides a widely-used SSL/TLS implementation, was breached on 29th December and defaced (OpenSSL.org announcement). This defacement only affected the website of the project, however. The OpenSSL project has since checked the cryptographic hashes of the OpenSSL source code and confirmed that the source code has not been modified or compromised in any way. A compromise of the source code could result in a backdoor or other vulnerability being introduced. This is an important point since the Debian release of OpenSSL in 2006 had a bug which weakened the random number generator (wikipedia). However, the most worrying development of this breach is the way that the website was compromised, which was through the virtualization infrastructure of their hosting provider IndIT Hosting.
Whilst there are many potential avenues of attack against a website, what makes this attack notable is that instead of attacking the website directly, they attacked the hosting infrastructure of the website itself. In this case, it was the Virtual Machine hosting infrastructure operated by the openssl.org hosting provider. VMWare, whose products were used to host the OpenSSL website issued the following statement:
“We have no reason to believe that the OpenSSL website defacement is a result of a security vulnerability in any VMware products and that the defacement is a result of an operational security error.”
Whilst it is reassuring that an explicit security vulnerability was not used in the breach, according to reports, the management interface of the hypervisor was exposed to the Internet and with a weak password (OpenSSL advisory). These kinds of security misconfigurations are old news. What is new, however, is that it is no longer sufficient for an Internet-facing service to concern itself solely with its own security configuration, it must also be aware of the security posture of all aspects of the hosting infrastructure. In the case of a cloud-based service, the attack surface increases to encompass the management systems used to deploy and administer the service. In many cases, this may be quite hard to do as a particular service may use multiple service providers. Organizations need to make themselves aware of the security posture of all third parties involved in the service delivery process to ensure that a weakness elsewhere does not result in a compromise of their own service.