Roughly 5 hours ago Mark Cox, Senior Director, Product Security at Red Hat and Founder/Core Team Member at The OpenSSL Group, commented on one of my earlier blog posts. In his comment, Mark pointed me to the updated version of the Openssl.org breach disclosure which now reads:
Website defacement: final details.
Last updated: 3rd January 2014
On Sun 29th December 2013 at around 1am GMT the home page of www.openssl.org was defaced. We restored the home page just after 3am GMT and started forensics, investigation, and recovery.
The OpenSSL server is a virtual server which shares a hypervisor with other customers of the same ISP. Our investigation found that the attack was made through insecure passwords at the hosting provider, leading to control of the hypervisor management console, which then was used to manipulate our virtual server.
The source repositories were audited and they were not affected.
Other than the modification to the index.html page no changes to the website were made. No vulnerability in the OS or OpenSSL applications was used to perform this defacement.
Steps have been taken to protect against this means of attack in future.
As I suspected, insecure passwords at the hosting provider were to blame and not some crazy 0day.
Summary: Better access control and clear breach details required.