OpenSSL vulnerability - The Heartbleed Bug

Please refer to the official Heartbleed information website: http://heartbleed.com/


The Heartbleed Bug is a very serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users. Source (1)

What versions of OpenSSL are affected?

Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including 1.0.1f and 1.0.2-beta1.
Note: the patched Red Hat/CentOS package still reports its version as "openssl-1.0.1e-16.el6_5.7" (the fix is backported, so the version string does not change to 1.0.1g).

  • OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
  • OpenSSL 1.0.1g is NOT vulnerable
  • OpenSSL 1.0.0 branch is NOT vulnerable
  • OpenSSL 0.9.8 branch is NOT vulnerable

Checking if you are vulnerable

Check the version of OpenSSL on the server:

1) Connect to the server via command line:

*) On CentOS/Redhat:

rpm -qa openssl*

**) On Ubuntu/Debian:

dpkg -l | grep openssl
(Make sure the installed version matches the fixed versions listed at http://www.ubuntu.com/usn/usn-2165-1/ )

2) Using online tools:

http://filippo.io/Heartbleed/

Resolution:

1- Upgrade OpenSSL on the server to the latest version (1.0.1g or later, or your distribution's patched package):

  • CentOS:
    • yum -y update openssl
  • Ubuntu:
    • sudo apt-get update; sudo apt-get install openssl

2- Identify the services that use openssl (HTTP, SMTP, etc.):

  • CentOS:
    • lsof -n | grep ssl | awk '{print $1}' | sort | uniq
  • Ubuntu:
    • lsof -n | grep ssl | awk '{print $1}' | sort | uniq

3- Restart those services. This step is extremely important: upgrading the library on disk does not affect services that are already running, which keep the old vulnerable library loaded until they are restarted.

4- Recheck to see that no services are vulnerable:

  • CentOS:
    • rpm -qa openssl*
  • Ubuntu:
    • dpkg -l | grep openssl

5- As a precaution, we also advise the following:

  • Regenerate your SSL private key
  • Request and replace the SSL certificate
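
The following script is an added example for steps 2 to 4 above (it is not part of the original article). It assumes a Linux system with /proc mounted and lists the processes that still have the pre-upgrade libssl/libcrypto mapped, i.e. the services that must be restarted; the optional PROC_ROOT parameter is an assumption of this example, present only so the function can be exercised offline.

```shell
#!/bin/sh
# Added example for steps 2-4 above; not part of the original article.
# After "yum update openssl" / "apt-get install openssl" the OLD library file is
# replaced on disk, but every service that was already running keeps the old
# code mapped; the kernel shows such mappings as "(deleted)" in /proc/PID/maps.
# The package version checks in step 4 cannot reveal this, so list those
# processes explicitly: they are the services step 3 says must be restarted.
#
# stale_ssl_processes [PROC_ROOT]   prints one "PID name" line per process.
# PROC_ROOT defaults to /proc (assumed Linux); the parameter exists only so the
# function can be exercised offline against a constructed /proc-like tree.
stale_ssl_processes() {
    proc_root="${1:-/proc}"
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue            # glob matched nothing, or not ours
        pid_dir="${maps%/maps}"
        pid="${pid_dir##*/}"
        # A maps line such as
        #   7f..-7f.. r-xp ... /usr/lib64/libssl.so.1.0.1e (deleted)
        # means this process still executes the pre-upgrade libssl/libcrypto.
        if grep -Eq 'lib(ssl|crypto)[^ ]* \(deleted\)' "$maps" 2>/dev/null; then
            # "Name:" in /proc/PID/status also works on older kernels (CentOS 6)
            # that have no /proc/PID/comm.
            name="$(sed -n 's/^Name:[[:space:]]*//p' "$pid_dir/status" 2>/dev/null || true)"
            printf '%s %s\n' "$pid" "${name:-unknown}"
        fi
    done
}

# Standalone use: run after the upgrade; an empty result means every
# SSL-using service has been restarted. Stale ones still show e.g. "1234 httpd".
stale_ssl_processes "$@"
```

Run it once before restarting services and once after; only the second run should come back empty.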

CentOS/Redhat Packages:

CentOS 6 64bit:
http://centos.mirror.iweb.ca/6/updates/x86_64/Packages/openssl-1.0.1e-16.el6_5.7.x86_64.rpm

CentOS 6 32bit:
http://centos.mirror.iweb.ca/6/updates/i386/Packages/openssl-1.0.1e-16.el6_5.7.i686.rpm

Ubuntu Packages:

Ubuntu 13.10

64 bit:
http://ubuntu.mirror.iweb.ca/ubuntu/pool/main/o/openssl/openssl_1.0.1e-3ubuntu1.2_amd64.deb

32 bit:
http://ubuntu.mirror.iweb.ca/ubuntu/pool/main/o/openssl/openssl_1.0.1e-3ubuntu1.2_i386.deb

Ubuntu 12.10

64 bit:
http://ubuntu.mirror.iweb.ca/ubuntu/pool/main/o/openssl/openssl_1.0.1c-3ubuntu2.7_amd64.deb

32 bit:
http://ubuntu.mirror.iweb.ca/ubuntu/pool/main/o/openssl/openssl_1.0.1c-3ubuntu2.7_i386.deb

Ubuntu 12.04 LTS

64 bit:
http://ubuntu.mirror.iweb.ca/ubuntu/pool/main/o/openssl/openssl_1.0.1-4ubuntu5.12_amd64.deb

32 bit:
http://ubuntu.mirror.iweb.ca/ubuntu/pool/main/o/openssl/openssl_1.0.1-4ubuntu5.12_i386.deb

External references:

  1. http://heartbleed.com/
  2. https://www.openssl.org/source/
  3. https://www.openssl.org/news/secadv_20140407.txt
  4. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
  5. http://www.madboa.com/geek/openssl/
  6. http://bestinlinux.com/upgrade-openssl-latest-version-cpanel/
  7. https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160
  8. http://ipsec.pl/ssl-tls/2014/why-heartbleed-dangerous-exploiting-cve-2014-0160.html
  9. Red Hat: https://rhn.redhat.com/errata/RHSA-2014-0376.html
  10. Ubuntu: http://www.ubuntu.com/usn/usn-2165-1/
  11. Parallels Plesk: http://kb.parallels.com/en/120990/?show_at=en
  12. Parallels Virtuozzo: http://kb.parallels.com/en/120989/?show_at=en
  13. cPanel/WHM: https://cpanel.net/heartbleed-vulnerability-information/
  14. VMware: http://www.vmware.com/security/advisories/VMSA-2014-0004.html
  15. https://ssl-tools.net/mailservers

**Be sure to change users' passwords. 
