Tags: openssl-vulnerability

On Monday, April 7th, 2014, a serious bug in OpenSSL was discovered that lets attackers read memory from servers running OpenSSL. Because almost 80% of servers (including the Google, Yahoo and Facebook datacenter servers) run OpenSSL, the vulnerability became a headache for server administrators, who had to apply the security patches and diligently update every affected system.

What is the Heartbleed bug?

The Heartbleed bug is a serious vulnerability in the popular OpenSSL library. It allows attackers to steal information that, under normal conditions, is protected by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as the web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet (in practice, mostly attackers) to read the memory of systems protected by vulnerable versions of the OpenSSL library. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of users, and the actual content. Attackers can therefore steal data directly from services and users and impersonate services and users.

How do I know if I am vulnerable?

OpenSSL versions 1.0.1 through 1.0.1f are vulnerable. If you are currently running one of these versions of OpenSSL, you are vulnerable. We have, however, already patched our servers to ensure your security.

The easiest way to check whether your server is vulnerable is the online test here: http://filippo.io/Heartbleed

How to stop the leak?

Follow the steps below to fix and update OpenSSL on CentOS:

Step 1: Check which OpenSSL version you currently have:

openssl version -a

Result
OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Wed Jan 8 18:40:59 UTC 2014
platform: linux-x86_64
options: bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/etc/pki/tls"
engines: dynamic

Pay attention to the "built on:" line. Versions built before April 7th 2014 are vulnerable. The version number alone does not tell you whether the build is patched, because CentOS keeps the 1.0.1e version string and backports the fix into a newer build of the same package, so the build date is what matters.

Step 2: To update OpenSSL from the repositories, run:

yum -y install openssl

Step 3: After updating, run openssl version -a again to confirm the newer build date:

openssl version -a

Result
OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Tue Apr 8 02:39:29 UTC 201

Step 4: Be sure to manually restart any services that use OpenSSL; a running process keeps the old, vulnerable library loaded until it is restarted.

Step 5: If your website uses a commercially issued SSL certificate (GeoTrust, RapidSSL, Comodo etc.), ask your certificate provider to generate a new key for you and install the new key on your server. This will protect your server from future vulnerabilities.
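As an added example (not code from the original post), the following POSIX shell function applies the same check that Steps 1 and 3 describe by hand to a captured "openssl version -a" report: the affected version range and the April 7th 2014 build-date cutoff are the ones given above, and the sample reports are constructed from the output shown in this article.

```shell
#!/bin/sh
# Added example (not code from the original post): classify the output of
# "openssl version -a" the way the article's Step 1 and Step 3 do by hand.
# Rule taken from the article: OpenSSL 1.0.1 through 1.0.1f carry the bug,
# but CentOS keeps the "1.0.1e-fips" version string and backports the fix,
# so the "built on:" date decides: builds before 7 Apr 2014 are unpatched.
# Anything outside 1.0.1..1.0.1f is reported as not affected.

# heartbleed_status REPORT -> prints vulnerable | patched | not_affected | unknown
heartbleed_status() {
    version=$(printf '%s\n' "$1" | awk '/^OpenSSL /{print $2; exit}')
    built=$(printf '%s\n' "$1" | sed -n 's/^built on: *//p')

    case "$version" in
        1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*) ;;   # affected series
        '') echo unknown; return 0 ;;
        *)  echo not_affected; return 0 ;;
    esac

    # Turn "Wed Jan 8 18:40:59 UTC 2014" into 20140108. The year is taken
    # from whichever field is four digits, so newer layouts parse as well.
    key=$(printf '%s\n' "$built" | awk '
        NF >= 3 {
            m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", $2) + 2) / 3
            for (i = 1; i <= NF; i++) if ($i ~ /^[0-9][0-9][0-9][0-9]$/) y = $i
            if (m >= 1 && y != "") printf "%04d%02d%02d", y, m, $3
        }')
    if [ -z "$key" ]; then echo unknown; return 0; fi

    if [ "$key" -lt 20140407 ]; then echo vulnerable; else echo patched; fi
}

# Constructed sample reports, trimmed to the lines the check reads.
REPORT_BEFORE_PATCH='OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Wed Jan 8 18:40:59 UTC 2014
platform: linux-x86_64'
REPORT_AFTER_PATCH='OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Tue Apr 8 02:39:29 UTC 2014
platform: linux-x86_64'
REPORT_OTHER_BRANCH='OpenSSL 1.0.0-fips 29 Mar 2010
built on: Mon Mar 10 10:00:00 UTC 2014'

# Check the local installation when openssl is available.
if command -v openssl >/dev/null 2>&1; then
    echo "local openssl: $(heartbleed_status "$(openssl version -a 2>/dev/null)")"
fi
```

Run it on a CentOS host to see the local verdict, or feed it a saved report from another machine via heartbleed_status "$(cat report.txt)".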

Have a Secured Server 🙂
