Last updated: 
1 month 3 days ago
Group Manager
Project Moonshot is a Janet-led initiative, in partnership with the GÉANT project and others, to develop a single unifying technology for extending the benefits of federated identity to a broad range of non-Web services, including Cloud infrastructures, High Performance Computing & Grid infrastructures and other commonly deployed services including mail, file store, remote access and instant messaging. The goal of the technology is to enable the management of access to a broad range of services and applications, using a single technology and infrastructure. This is expected to significantly improve the delivery of these services by providing users with a common single sign-on, for both internal and external services. Service providers will be able to more easily offer their services to users from other organisations using a single common authentication mechanism. This will enhance the user’s experience, and reduce costs for those organisations supporting users, and delivering services to them. This group is for community of Moonshot users, whether you're new to the technology, you're currently evaluating and getting to grips with it, or you've deployed it. For the list of guidance available about Moonshot within this group, see the Start Here wiki page. Jisc Assent, the production service underpinned by the Moonshot technology, went live on 25th March 2015. For information on, or to join the Jisc Assent service, please visit http://www.jisc.ac.uk/assent

Error message

  • Notice: Undefined index: ja.netprod-jisc-memcache_storage_bin_indexes in MemcacheStorageAPI::getMultiple() (line 236 of /var/www/html/sites/all/modules/contrib/memcache_storage/memcache_storage.api.inc).
  • Notice: Undefined index: ja.netprod-jisc-cache_bootstrap_1-variables in MemcacheStorageAPI::getMultiple() (line 236 of /var/www/html/sites/all/modules/contrib/memcache_storage/memcache_storage.api.inc).

OpenSSL/Heartbleed and Moonshot

11 April 2014 at 1:52pm

You will no doubt have already received advisories about vulnerabilities in the 1.0.1-series of OpenSSL[1] affecting TLS enabled services via the heartbeat extension.

The advice for Moonshot is very similar to an advisory you may have received from eduroam[2].

While there are no indications that CVE-2014-0160[3] is being actively exploited via TLS-based EAP-mechanisms or RADIUS/TLS (aka RadSec) at this time, the software used by Moonshot *is* vulnerable to a "heartbleed" attack.

The eduroam operational team and the Moonshot developers are advising that all sites should upgrade affected versions of OpenSSL to versions implementing a fix for CVE-2014-0160 immediately, and restart all services using OpenSSL. While RADIUS has several mitigating factors that make it more difficult to exploit than HTTPS, the severity of this issue should not be understated.

It is also advisable to regenerate certificates on affected hosts - if you are using JCS certificates, Janet is currently providing replacement certificates for no cost[4].

Within Moonshot we use OpenSSL in the following components:

 1) We use OpenSSL inside our EAP supplicant.  We do not typically have private keys there, but we do have user passwords.

 2) We use OpenSSL inside libradsec.  There we may have private keys for client certificates; we typically do if RadSec is enabled.

 3) The SSP uses OpenSSL for libradsec but *not* the EAP supplicant.

 4) FreeRADIUS uses OpenSSL and they have released an advisory[5] recommending that all administrators upgrade OpenSSL immediately.

For Debian and CentOS, upgrading OpenSSL and restarting all affected services is sufficient.  For the Windows SSP, you will need a new release from Janet (which will be made available shortly).

Upgraded versions of the Moonshot Live DVD and RPMs will also be provided as soon as possible.

Progress and updates on this note will be published on the Moonshot Community site[6]; we also advise that you also read the material published on the Janet CSIRT blog[7].

 [1] http://heartbleed.com/

 [2] https://www.jiscmail.ac.uk/cgi-bin/webadmin?A2=ind1404&L=JANET-ROAMING&F=&S=&P=56

 [3] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160

 [4] https://www.ja.net/about-janet/news/free-janet-certificates-those-affected-openssl-heartbleed-bug

 [5] http://freeradius.org/security.html

 [6] https://community.ja.net/groups/moonshot/article/opensslheartbleed-and-moonshot

 [7] https://community.ja.net/blogs/csirt/article/heartbleed-openssl-vulnerability-cve-2014-0160

If you have any questions regarding Moonshot and this issue, please post them to this list (moonshot-community@jiscmail.ac.uk). For enquiries regarding the Janet Certificate service, please contact the Janet Service Desk (service@ja.net). You can also Janet CSIRT (irt@csirt.ja.net) for any enquiries regarding the impact of this issue on other services.

Regards,

Adam Bishop

Systems Development Specialist

 gpg: 0x6609D460

   t: +44 (0)1235 822 245

xmpp: adamb@jabber.dev.ja.net

Janet, the UK's research and education network.