The OpenSSL Project blames a weak password used at its hosting provider for its recent site defacement.
The organization that hosts the ubiquitous open source encryption implementation updated a notice on its website yesterday informing users that attackers used the weak credential to gain control of a hypervisor management console. The update says the OpenSSL server is a virtual server sharing a hypervisor with other customers at its service provider.
The attackers were able to get in on Dec. 29 and manipulate the organization’s virtual server, the notice said.
“Other than the modification to the index.html page, no changes to the website were made. No vulnerability in the OS or OpenSSL applications was used to perform this defacement,” the notice said, adding that the source repositories had been audited and were not accessed.
VMware yesterday denied reports that its software had been compromised as part of the OpenSSL defacement.
“We have no reason to believe that the OpenSSL website defacement is a result of a security vulnerability in any VMware products and that the defacement is a result of an operational security error,” the company said in a statement.
Hypervisors are software programs used to create and manage virtual machines; hosting providers can use them to manage multiple machines on a single host.
OpenSSL is more than a TLS or SSL implementation; it’s also a full cryptographic library that is at the core of numerous commercial software products that make use of encryption.
An attack on OpenSSL, where hackers would be able to access source code and inject backdoors or other malware, could have devastating consequences. Speculation has been high too that the NSA would covet a backdoor in OpenSSL given its presence in any number of high profile products and web applications; the list of FIPS Cryptographic Module Validation Program-certified products, for example, is lengthy and target rich featuring hundreds of security and networking products.
A Turkish hacking group claimed responsibility for the defacement. TurkGuvenligi took down the webpage and left behind the message: “TurkGuvenligiTurkSec Was Here @turkguvenligi + we love openssl _.”