How SSL's bug is causing security to bleed
Again, the 3000's owners own a longer view

Heartbleed reminds us all of MPE/iX's age

The most wide-open hole in website security, Heartbleed, might have bypassed the web security tools of the HP 3000. Hewlett-Packard released WebWise/iX in the early 2000's. The software included SSL security that was up to date, back in that year. But Gavin Scott of the MPE and Linux K-12 app vendor QSS reminds us that the "security through antiquity" protection of MPE/iX is a blessing that's not in a disguise.

WebWise was just too late to the web game already being dominated by Windows at the time -- and even more so, by Linux. However, the software that's in near total obscurity doesn't use the breached OpenSSL 1.0.1 or 1.0.2 beta versions. Nevertheless, older software running a 3000 -- or even an emulated 3000 using CHARON -- presents its own challenges, once you start following the emergency repairs of Heartbleed, Scott says.

It does point out the risks of using a system like MPE/iX, whose software is mostly frozen in time and not receiving security fixes, as a front-line Internet (or even internal) server. Much better to front-end your 3000 information with a more current tier of web servers and the like. And that's actually what most people do anyway, I think.

Indeed, hardly any 3000s are used for external web services. And with the ready availability of low-cost Linux hosts, any intranets at 3000 sites are likely to be handled by that open-sourced OS. The list of compromised Linux distros is long, according to James Byrne of Harte & Lyne, who announced the news of Heartbleed first to the 3000 newsgroup.

The versions of Linux now in use which are at risk, until each web administrator can supply the security patch, include

Debian Wheezy
Ubuntu 12.04.4 LTS1
CentOS 6.5
Fedora 18
OpenBSD 5.3
FreeBSD 10.0
NetBSD 5.0.2
OpenSUSE 12.2
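A first-pass triage for the hosts on that list, as an added example that is not part of the article: it parses the banner printed by `openssl version` and flags the upstream range the story refers to. The affected range (1.0.1 through 1.0.1f, plus the 1.0.2-beta1 preview) and the sample banners are assumptions constructed for the example, and the verdict wording reflects the caveat that distributions backport fixes without changing the banner.

```python
import re

# Upstream releases that shipped the vulnerable heartbeat code (assumption
# stated in the lead-in): 1.0.1 with no letter through 1.0.1f, and 1.0.2-beta1.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def parse_version(banner):
    """Turn an `openssl version` banner into (major, minor, fix, letter, beta)."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    major, minor, fix, letter, beta = m.groups()
    return (int(major), int(minor), int(fix), letter, int(beta) if beta else None)


def version_is_affected(banner):
    """True when the upstream version string falls inside the Heartbleed range."""
    major, minor, fix, letter, beta = parse_version(banner)
    if (major, minor, fix) == (1, 0, 1):
        # "" (plain 1.0.1) sorts before "a"; 1.0.1g is the first fixed letter.
        return letter <= "f"
    if (major, minor, fix) == (1, 0, 2):
        return beta == 1          # beta1 affected; beta2 carried the fix
    return False                  # 0.9.8 and 1.0.0 never had the heartbeat code


def triage(banners):
    """Map host -> verdict. A banner inside the range does not prove a hole:
    Debian, Ubuntu, CentOS and others ship the fix under the same banner, so
    the package changelog or vendor advisory must decide. A banner outside
    the range is safe on version grounds alone."""
    verdicts = {}
    for host, banner in banners.items():
        if version_is_affected(banner):
            verdicts[host] = "in affected range: confirm vendor patch level"
        else:
            verdicts[host] = "not affected by version"
    return verdicts


# Constructed sample banners for a handful of hypothetical intranet hosts.
SAMPLE_BANNERS = {
    "wheezy-web": "OpenSSL 1.0.1e 11 Feb 2013",
    "fedora-app": "OpenSSL 1.0.1g 7 Apr 2014",
    "test-box": "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "old-gateway": "OpenSSL 0.9.8y 5 Feb 2013",
}

if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_BANNERS).items()):
        print("%-12s %s" % (host, verdict))
```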

The PA-RISC architecture of the HP 3000, emulated on CHARON HPA/3000, could also provide a 3000 manager with protection even if somehow an MPE/iX web server had been customized to use OpenSSL 1.0.1, Scott says.

I'm pretty certain that the vulnerable versions of OpenSSL have never been available on MPE/iX. However, it is possible that the much older OpenSSL versions which were ported for MPE/iX may have other SSL vulnerabilities. I haven't looked into it. Secure Apache or another web server dependent on OpenSSL would be the only likely place such a vulnerability could be exposed.

There's also a chance that MPE/iX, even with a vulnerable web server, might have different behavior -- as its PA-RISC architecture has the stack growing in the opposite direction from x86. As such, PA-RISC may do more effective hardware bounds checking in some cases. This checking could mitigate the issues or require MPE/iX-specific knowledge and effort on the part of an attacker in order to exploit vulnerabilities. All the out-of-the-box exploit tools may actually be very dependent on the architecture of the underlying target system.

Security through such obscurity has been a classic defense for the 3000 against the outside world of the web. But as Scott notes, it's a reminder of how old the 3000's web and network tools are -- simply because there's been little to nothing in the way of an update for things like WebWise Apache Server.

But there's still plenty to worry about, even if a migrated site has moved all of its operations away from the 3000. At the website The Register, a report from a white-hat hacker throws the scope of Heartbleed much wider than just web servers. It's hair-raising, because just about any client-side software -- yeah, that browser on any phone, or on any PC or Mac -- can have sensitive data swiped, too.

In a presentation given yesterday, Jake Williams – aka MalwareJake – noted that vulnerable OpenSSL implementations on the client side can be attacked using malicious servers to extract passwords and cryptographic keys.

Williams said the data-leaking bug “is much scarier” than the gotofail in Apple's crypto software, and his opinion is that it will have been known to black hats before its public discovery and disclosure.