Heartbleed vulnerability and wireless/dorm network downtime
Published: 4-12-2014 11:05 am
As I'm sure all of you have noticed, a major security vulnerability
nicknamed "Heartbleed" was announced this week which impacted many secure
services on the web. We've spent most of our week in NATS identifying and
assessing potentially vulnerable systems, as well as communicating with
off-campus service providers regarding their vulnerabilities.
The good news is that we had very few vulnerable systems, so our exposure
has been relatively minimal. One system which was vulnerable, however, is the
login system for the Aruba wireless network which serves the dormitories and a
few other buildings on campus (alumni house, Benthack, Rice, Studio Arts, and
Carhart Science). We have found no evidence that the vulnerability was
exploited, but nonetheless we are taking precautions to ensure the security of
This will be a multi-stage process, the first stage of which will be to
upgrade the software. This will take between 3 and 5 hours, during which time
users will not be able to log in to the wireless network in affected buildings.
While we normally try to have much more notice for outages, this is a
time-sensitive security measure and needs to be done as soon as possible. We
plan to start the upgrade process at 4AM tomorrow (Sunday) and hope to be done
by 9AM at the latest.
Stage two of the process will be to replace the server security certificate
with a new one. This will cause many wireless devices to prompt you to
accept a new certificate (something you also had to do when you first configured
your device for the campus wireless network). Over the next few days we will be
preparing for this stage, readying the help desk for any calls and ensuring that
Sunday's upgrade is running properly. We will announce the time for stage two
early this coming week in another e-mail once we have those preparations
We will continue to monitor the situation, but let me stress once
again that we've seen no evidence at this point that security has actually been
compromised, just that we were vulnerable.
Thank you for your patience as we navigate through the situation.