A week-plus of bleeds, but MPE's hearty
April 21, 2014
There are not many aspects of MPE that seem to best the offerings from open source environments. For anyone who's been tracking the OpenSSL memory-disclosure bug Heartbleed, though, the news on 3000 vulnerability is good. The 3000 is better off than more modern platforms, in part because its software is more mature. If you're moving away from mature and into migrating to open source computing, then listen up.
Open source savant Brian Edminster of Applied Technologies told us why MPE is in better shape.
I know that it's been covered in other places, but I don't know if it's been explicitly stated anywhere in MPE-Land: The Heartbleed issue is due to the 'heartbeat' feature, which was added to OpenSSL after any known builds for MPE/iX.
That's a short way of saying: So far, all the versions of OpenSSL for MPE/iX are too old to be affected by the Heartbleed vulnerability. Seems that sometimes, it can be good to not be on the bleeding edge.
However, the 3000 IT manager -- a person who usually has a couple of decades of computing experience -- may also be in charge of the more vulnerable web servers, which often run Linux. Jeff Kell, whose Web-facing servers deliver news of 3000s via the 3000-L mailing list, outlined the repairs needed, along with advice drawn from his 30-plus years of networking -- in MPE and all other environments.
Unless you've had your head in the sand, you've heard about Heartbleed. Every freaking security vendor is milking it for all it's worth. It is pretty nasty, but it's essentially "read-only" without some careful follow-up.
Most have focused on SSL/HTTPS over 443, but other services are exposed (SMTP services on 25, 465, 867; LDAP on 636; others). You can scan and it might show up the obvious ones, but local services may have been compiled against "static" SSL libraries, and be vulnerable as well.
We've cleaned up most of ours (we think, still scanning); but that just covers the server side.
There are also client-side compromises possible.
And this stuff isn't theoretical, it's been proven third-party...
Lots of folks say replace your certificates, change your passwords, etc. I'd wait until the services you're changing are verified secure.
Most of the IDS/IPS detections of the exploits are broken in various ways. STARTTLS works by negotiating a connection, establishing keys, and bouncing to an encrypted transport. IDS/IPS can't pick up Heartbleed encrypted. They're after the easy pre-authenticated handshake.
It's a mess for sure. But it's not safe to declare anything safe just yet.
Stay tuned, and avoid the advertising noise.
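Two points above are worth turning into a check you can actually run: Brian's observation that OpenSSL builds predating the heartbeat feature (added in 1.0.1) cannot bleed at all, and Jeff's warning that a service statically linked against its own copy of OpenSSL won't show up in a package-manager audit. The script below is an added example, not code from this post or from either contributor. It classifies an OpenSSL version string against the known affected range (1.0.1 through 1.0.1f, plus 1.0.2-beta1) and scans raw binary contents for embedded "OpenSSL x.y.z" version strings, the same strings `strings` would turn up in a statically linked daemon. The sample byte blobs are constructed for the example; the function and constant names are the example's own.

```python
import re
import sys

# Version as it appears after "OpenSSL " in `openssl version` output or in a
# binary's string table: "1.0.1e", "0.9.8y", "1.0.2-beta1", "1.1.0".
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")

# Same thing with the "OpenSSL " prefix, for locating strings inside a blob.
EMBEDDED_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*(?:-beta\d+)?)")

# The TLS heartbeat extension (RFC 6520) first shipped in OpenSSL 1.0.1.
# Upstream fixed the read-overrun in 1.0.1g and in 1.0.2-beta2.
HEARTBEAT_INTRODUCED = (1, 0, 1)


def classify(version):
    """Classify an OpenSSL version string.

    Returns one of:
      "no-heartbeat" - release predates the heartbeat extension; cannot bleed
      "heartbleed"   - upstream release range known to carry the bug
      "fixed"        - upstream release carrying the fix

    Caveat: a "heartbleed" verdict from the version string alone is a lead,
    not proof. Distributions back-ported the fix without bumping the version
    (a patched "1.0.1e" is common), and a build compiled with
    -DOPENSSL_NO_HEARTBEATS is also safe. Verify those on the host.
    """
    m = VERSION_RE.match(version)
    if not m:
        raise ValueError("not an OpenSSL version string: %r" % version)
    base = tuple(int(m.group(i)) for i in (1, 2, 3))
    letter = m.group(4)
    beta = int(m.group(5)) if m.group(5) else None

    if base < HEARTBEAT_INTRODUCED:
        return "no-heartbeat"
    if base == (1, 0, 1):
        # 1.0.1 (no letter) .. 1.0.1f are affected; "g" and later are fixed.
        return "heartbleed" if letter < "g" else "fixed"
    if base == (1, 0, 2) and beta == 1:
        return "heartbleed"
    return "fixed"


def scan_binary(data):
    """Find every OpenSSL version string embedded in a byte blob (for example
    the contents of a binary that statically linked libssl/libcrypto) and
    return a sorted list of (version, verdict) tuples, de-duplicated."""
    found = set()
    for m in EMBEDDED_RE.finditer(data):
        ver = m.group(1).decode("ascii")
        found.add((ver, classify(ver)))
    return sorted(found)


def scan_file(path):
    """Read a file from disk and scan it with scan_binary()."""
    with open(path, "rb") as fh:
        return scan_binary(fh.read())


# Constructed sample inputs standing in for three binaries' string tables.
# The ELF header bytes and filler are made up; only the version strings matter.
SAMPLE_MPE_BINARY = b"\x7fELF\x00filler\x00OpenSSL 0.9.7d 17 Mar 2004\x00more\x00"
SAMPLE_LINUX_BINARY = b"\x7fELF\x00filler\x00OpenSSL 1.0.1e 11 Feb 2013\x00more\x00"
SAMPLE_PATCHED_BINARY = b"\x7fELF\x00filler\x00OpenSSL 1.0.1g 7 Apr 2014\x00more\x00"


if __name__ == "__main__":
    # Usage: python heartbleed_strings.py /usr/sbin/httpd /usr/sbin/sendmail ...
    targets = sys.argv[1:]
    if not targets:
        print("no files given; scanning built-in samples")
        for name, blob in (("mpe-sample", SAMPLE_MPE_BINARY),
                           ("linux-sample", SAMPLE_LINUX_BINARY),
                           ("patched-sample", SAMPLE_PATCHED_BINARY)):
            print(name, scan_binary(blob))
    for path in targets:
        print(path, scan_file(path))
```

Run it over the daemons Jeff lists (the SMTP, LDAP and web binaries, not just the shared libssl) to catch copies of OpenSSL that a `yum` or `apt` audit never sees. A binary with no embedded version string may still link libssl dynamically, so pair this with `ldd` on the same files; and treat a "heartbleed" verdict on a distribution build as a prompt to check the package changelog, since vendors patched 1.0.1e in place without changing the version string.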