Friday, April 11, 2014

How Heartbleed is Breaking Your Moodle Security and How to Fix It!

What is Heartbleed?

Discussion of the Heartbleed vulnerability has been burning up the Internet this past week, so I won’t go into great detail about it here. Good articles here and here.

The High Points of Heartbleed

  • A vulnerability in OpenSSL
  • Impacts Apache and Nginx web servers
  • Present for over 2 years
  • Exploitation leaves no trace in server logs
  • Allows theft of security certificates, user credentials, and other site data
  • Thought to impact between 15% and 33% of web servers worldwide

How to Know if You Are Impacted

Chromebleed Plugin for Chrome

Written by security researcher Jamie Hoyle, this extension not only provides an easy way to check a site for Heartbleed, it also protects you against unknowingly logging into sites that have the vulnerability.

Heartbleed Checking Website

If you are not a Chrome user, Filippo Valsorda has posted a Heartbleed checking website. Just visit it and enter the URL of your Moodle site to check whether you have the vulnerability.


What It Means for Moodle Admins

If your server has the Heartbleed vulnerability, what you can’t know is whether it has already been exploited by an outside party. Here are the overall steps you need to take to deal with the situation:

  1. Patch your web server to use the new OpenSSL 1.0.1g release or later
  2. Generate a new SSL key, install it, and revoke the old key via your Certificate Authority
  3. Confirm you are no longer vulnerable
  4. Reset your users’ passwords (only after steps 1-3)

Steps one through three are absolutely required to prevent future leakage of data from your site. This is especially important now that the vulnerability is widely known.

Step four is the subject of a lot of discussion because of the challenge of resetting so many user accounts without knowing whether user data has actually been compromised. The longer you wait to patch your site, the more likely it is that bad actors are harvesting your site’s data. Ask yourself: why did I install SSL in the first place? The answer will tell you how important it is to force a password reset. Most major cloud providers are recommending that their users reset their passwords.

Here are some reasons to consider in favor of resetting:
  • You have proprietary or sensitive business information stored in your Moodle
  • Your courses involve discussions of private or controversial topics that users wouldn’t want known outside of their classmates
  • Your user profiles contain private information
  • Your Moodle site is tied to your enterprise authentication system (LDAP, Microsoft Active Directory, etc.)
  • You’re concerned about government(s) spying on your site, or the users of your site might be in danger if the local government becomes aware of their participation in your site
  • You want to help protect your users, who are probably reusing the same passwords across multiple services

How To Force Your Moodle Users to Reset Passwords

Luckily Moodle provides a built-in function which will allow you to force all your users to reset their passwords. It’s called Bulk user actions, and it allows an administrator to select a group of users and apply a change across all of them. Remember that you need to complete steps 1-3 first; resetting passwords on a still-vulnerable server only hands the attacker the new ones!

  1. Log in to your Moodle site as an administrator.
  2. Expand the Site Administration menu and select Users. Under Users you will find the Bulk user actions option (Users -> Bulk user actions).
  3. Click the “Select all users” button.
  4. From the pull-down labelled “With selected users…” select the “Force password change” option, and you’re done!

Users will be asked to reset their passwords on their next login.

[Screenshot: bulk password reset]