Saturday, April 19, 2014

Security alert: Dmedia vulnerable to Heartbleed

Dmedia (and therefore Novacut) is affected by the Heartbleed bug in the OpenSSL library. This bug is very serious: it allows an attacker to capture the private keys Dmedia uses, which in turn lets the attacker steal both your Dmedia library metadata and the files it contains.

Please see USN-2165-1 for details about the OpenSSL fix in Ubuntu.

What you need to do

To correct this problem, first make sure your packages are up-to-date:

sudo apt-get update
sudo apt-get dist-upgrade

Then you'll need to force Dmedia to generate new user and machine certificates:

rm ~/.local/share/dmedia/user-1.json
rm ~/.local/share/dmedia/machine-1.json
restart dmedia

You should do this on all your computers running Dmedia before peering them again.

The next time you open Dmedia or Novacut, you'll see this screen:

On your first computer, click New Account. On any additional computers, click Connect to Devices and then accept the peering offer on the first computer.
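The command-line part of the procedure above, as one script with the checks a practitioner would want around it. This is an added example, not part of the original post or of Dmedia itself. The directory, the two file names and the "restart dmedia" command are the ones the post gives; the function names, the DMEDIA_DIR override and the --run flag are my own, and rather than hard-coding a version number the script only reports the installed libssl1.0.0 package version for you to compare against the fixed version listed in USN-2165-1.

```shell
#!/bin/sh
# Added example (not from the original post or from Dmedia): rotate Dmedia's
# user and machine certificates after the OpenSSL fix has been installed.
# Assumptions: Ubuntu's OpenSSL package is libssl1.0.0, Dmedia keeps its
# identity files under ~/.local/share/dmedia, and "restart dmedia" is the
# Upstart command from the post. DMEDIA_DIR and the function names are mine.

DMEDIA_DIR="${DMEDIA_DIR:-$HOME/.local/share/dmedia}"

# Print the installed libssl1.0.0 version so it can be compared by hand with
# the fixed version in USN-2165-1. Returns 1 when dpkg-query is unavailable
# (not a Debian/Ubuntu system) or the package is not installed.
installed_libssl_version() {
    command -v dpkg-query >/dev/null 2>&1 || return 1
    dpkg-query -W -f='${Version}' libssl1.0.0 2>/dev/null
}

# Delete the user and machine identity files so Dmedia generates fresh
# certificates (and therefore fresh private keys) on its next start.
# The old keys must be treated as compromised, so no backup is kept.
# Succeeds only if the directory exists and neither file remains afterwards.
rotate_dmedia_certs() {
    dir="$1"
    [ -d "$dir" ] || { echo "no Dmedia directory at $dir" >&2; return 1; }
    for f in user-1.json machine-1.json; do
        rm -f "$dir/$f"   # rm -f is a no-op when the file is already gone
    done
    [ ! -e "$dir/user-1.json" ] && [ ! -e "$dir/machine-1.json" ]
}

# Only act when explicitly asked, so sourcing the file for the functions
# has no side effects. Run this on every computer before peering again.
if [ "${1:-}" = "--run" ]; then
    if ver=$(installed_libssl_version); then
        echo "installed libssl1.0.0: $ver (compare with the fixed version in USN-2165-1)"
    else
        echo "could not query libssl1.0.0; confirm the USN-2165-1 update manually" >&2
        exit 1
    fi
    rotate_dmedia_certs "$DMEDIA_DIR" || exit 1
    restart dmedia
fi
```

Run it as "sh rotate-dmedia-certs.sh --run" on each machine after apt-get dist-upgrade; if the printed package version is older than the one USN-2165-1 names for your release, the certificates you generate next are still exposed, so update first and run it again.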

More details

It's easy for an attacker on the local network to use the Heartbleed bug to attack Dmedia on systems running a vulnerable version of OpenSSL. This includes, for example, when you're using a public WiFi network at a coffee shop. This is true even when you only have a single Dmedia device on a given network.

In practice it's probably very difficult for a remote attacker to exploit Heartbleed in Dmedia from across the Internet. Most home routers use NAT to prevent direct access to your computers from across the Internet. Also, each time Dmedia starts, it runs on a different, random port. Dmedia uses Avahi to advertise this random port to other Dmedia devices on the local network; it does not advertise this port to any outside servers. That said, remote attacks could still be possible if, for example, your router was compromised.

As Dmedia is not yet widely used, it's probably not yet a common attack target. However, to play it safe, please follow the above procedure to generate new Dmedia SSL certificates.