Critical OpenSSL Heartbleed Bug In Vicibox 5 (04/08/2014)

Postby mcargile » Wed Apr 09, 2014 12:17 pm

A critical bug has been found in OpenSSL that allows an attacker to read just about anything out of RAM. Vicibox 5 is running an affected version of OpenSSL. A patch has already been released for it. It is highly recommended that all Vicibox 5 servers have the system updates installed. You can do so by doing the following on the Linux command line:

1) zypper refresh
2) zypper up
3) rcapache2 restart

Please note the rcapache2 restart can potentially knock your agents offline for a moment.


Here are links to more information about the hack:

http://cve.mitre.org/cgi-bin/cvename.cg ... -2014-0160
http://heartbleed.com/

Here is a website that allows you to test your servers for the bug:

http://filippo.io/Heartbleed/

Here is a link to the official OpenSuSE security announcement:

http://lists.opensuse.org/opensuse-secu ... 00005.html

Here is a link to the official OpenSuSE patch information:

http://lists.opensuse.org/opensuse-secu ... 00004.html



We also highly recommend that you check all of your non-Vicidial servers to see if they are affected as well. This is a major vulnerability affecting a large amount of equipment.

Michael Cargile | Director of Engineering | ViciDialGroup | http://www.vicidial.com

The official source for VICIDIAL services and support. 1-888-894-VICI (8424)
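
An added check for the update steps in the post above (example code, not from the original posts or the ViciBox project): a process started before "zypper up" keeps the old libssl mapped until it is restarted, so this scans a /proc tree for processes that still map a replaced libssl or libcrypto. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# stale_ssl_procs [PROC_ROOT]
# Prints "PID NAME LIBRARY" for each process that still maps a libssl or
# libcrypto file that was replaced on disk (shown as "(deleted)" in maps).
# Run as root on a live server, otherwise other users' maps are unreadable.
stale_ssl_procs() {
    proc_root="${1:-/proc}"
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid_dir="${maps%/maps}"
        pid="${pid_dir##*/}"
        # comm holds the short process name; use "?" if it cannot be read
        name="$(cat "$pid_dir/comm" 2>/dev/null || echo '?')"
        # maps fields: range perms offset dev inode path [(deleted)]
        awk -v pid="$pid" -v name="$name" '
            $NF == "(deleted)" && $6 ~ "/lib(ssl|crypto)[.-][^/]*$" {
                if (!seen[$6]++) print pid, name, $6
            }' "$maps" 2>/dev/null || true
    done
}

# Builds a small /proc-style tree in directory $1. Constructed sample data:
# PID 101 was not restarted after the update, PID 202 uses the current file.
make_sample_proc() {
    mkdir -p "$1/101" "$1/202"
    echo httpd > "$1/101/comm"
    echo sshd > "$1/202/comm"
    cat > "$1/101/maps" <<'EOF'
7f10a0000000-7f10a005e000 r-xp 00000000 08:02 1311 /lib64/libssl.so.1.0.0 (deleted)
7f10a0260000-7f10a0264000 rw-p 0005e000 08:02 1311 /lib64/libssl.so.1.0.0 (deleted)
7f10a0400000-7f10a05b0000 r-xp 00000000 08:02 1312 /lib64/libc-2.17.so
EOF
    cat > "$1/202/maps" <<'EOF'
7f20b0000000-7f20b01c0000 r-xp 00000000 08:02 2411 /lib64/libcrypto.so.1.0.0
EOF
}

# Demo on the constructed tree; on a real server call: stale_ssl_procs /proc
demo_root="$(mktemp -d)"
make_sample_proc "$demo_root"
stale_ssl_procs "$demo_root"
rm -rf "$demo_root"
```

Any process it lists is still running the pre-update library and needs a restart, not only Apache.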

Re: Critical OpenSSL Heartbleed Bug In Vicibox 5 (04/08/2014)

Postby williamconley » Wed Apr 09, 2014 10:55 pm

Also note that if you believe there is a chance that this bug may have been exploited, now is a great time to change ALL passwords (root, mysql root, vicidial users, phone registrations, everything) and issue the command to generate a new self-signed security certificate. Many of the experts have noted that harvesting the data on affected machines can be completed without log entries of the attack and then the attacker can come back later and use the harvested data to access the server in question.

Generating a new cert:
gensslcert -n sample.linuxsuperserver.com
service apache2 restart

Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # 888-883-8488 # +44(203) 769-2294