Patch against the heartbleed OpenSSL bug (CVE-2014-0160)

Mattias Geniar, Tuesday, April 8, 2014

A very unfortunate and dangerous bug has been discovered in OpenSSL that allows an attacker to read otherwise sensitive information hidden by the encryption of OpenSSL. In some cases, it allows an attacker to retrieve the private key of certificates. The vulnerability is known as CVE-2014-0160.

The bug has been fully disclosed on the site heartbleed.com. Unfortunately, someone went through a lot of trouble getting massive publicity for this bug/vulnerability but did not notify the OpenSSL project first. So the vulnerability is now public, but the software may not yet be patched.

How do you protect yourself? Update OpenSSL!

Most distros already have a patched version of OpenSSL included. In the case of CentOS, a workaround has been created by removing the vulnerable pieces of code from OpenSSL. A full patch is expected in the next few days.

Red Hat / CentOS / Fedora

$ yum update openssl

Debian / Ubuntu

$ apt-get update
$ apt-get install openssl

Restart services that rely on OpenSSL

You can find all the services on your system by running the following command as root. It lists all services that rely on libssl.

$ lsof | grep libssl | awk '{print $1}' | sort | uniq

After the update of OpenSSL, every one of those services needs to be restarted.
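As an added example (not part of the original post), the following shell script extends the lsof check above: it lists every process with libssl mapped and flags those whose mapping lsof marks "(deleted)", which means the library file was replaced on disk by the package update while the process still runs the old copy and has not been restarted. The SAMPLE lsof output is constructed for an offline run; check_system performs the live check and, like the original command, needs root to see every process.

```shell
#!/bin/sh
# Added example, not from the original post.
# Parse lsof-style output on stdin and print "COMMAND PID STATUS" per process
# that has libssl mapped. STATUS is "stale" when lsof marks the mapping
# "(deleted)" (old library still in memory after the update), else "ok".
libssl_users() {
    awk '/libssl/ {
        status = ($0 ~ /\(deleted\)/) ? "stale" : "ok"
        key = $1 " " $2
        # a process with any deleted libssl mapping counts as stale
        if (!(key in seen) || status == "stale") seen[key] = status
    }
    END { for (k in seen) print k, seen[k] }' | sort
}

# Names of services that still run the old libssl and must be restarted.
needs_restart() {
    libssl_users | awk '$3 == "stale" { print $1 }' | sort -u
}

# Live check against the running system (run as root).
check_system() {
    lsof -n 2>/dev/null | libssl_users
}

# Constructed sample of lsof output: sshd still maps the replaced library.
SAMPLE='COMMAND   PID   USER  FD   TYPE DEVICE SIZE/OFF  NODE NAME
nginx     1001  root  mem  REG  253,0   431456 1234 /usr/lib64/libssl.so.1.0.1e
nginx     1002  www   mem  REG  253,0   431456 1234 /usr/lib64/libssl.so.1.0.1e
sshd      1200  root  mem  REG  253,0   431456 9876 /usr/lib64/libssl.so.1.0.1e (deleted)
postfix   1300  root  mem  REG  253,0   431456 1234 /usr/lib64/libssl.so.1.0.1e
bash      1400  root  mem  REG  253,0   150000 5555 /usr/lib64/libc.so.6'

# Offline demonstration on the constructed sample.
demo() {
    printf '%s\n' "$SAMPLE" | libssl_users
}

demo_needs_restart() {
    printf '%s\n' "$SAMPLE" | needs_restart
}

demo
demo_needs_restart
```

Replace `demo` with `check_system` on a real host; any service printed as "stale" after `yum update openssl` or `apt-get install openssl` is still running the vulnerable code.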

Consider re-issuing your certificates

Since this vulnerability allowed an attacker to possibly get your private keys (without leaving a trace in your logs), you should consider replacing all your certificates. This of course comes down to money; a re-issue will cost you some $$.

If you're not running a high-profile website over SSL, I would assume you're probably safe. If you're dealing with millions of dollars in transactions every day and SSL is one of the ways to protect your clients, then yes -- consider issuing all new certificates and consider the current private keys as compromised.

How do you know if you're vulnerable?

There are a few tools to help you test if you're vulnerable. For now (April 8th, 2014), it's safe to assume that if you're running SSH, SSL certificates, or anything else involved with encryption, you're vulnerable until you update your OpenSSL version.

You can use the tools below to test if you are actually vulnerable.

  1. Heartbleed Test: a website that allows you to enter any (publicly available) URL and test for the exploit (an alternative site is possible.lv/tools/hb).
  2. Heartbleeder: a script written in Go to test the vulnerability.
  3. ssltest.py: a python script to test this vulnerability. (github mirror here)

I'd be happy to hear of other alternatives to protect yourself.



Hi! My name is Mattias Geniar. I'm a Support Manager at Nucleus Hosting in Belgium, a general web geek & public speaker. Currently working on DNS Spy & Oh Dear!. Follow me on Twitter as @mattiasgeniar.


Comments

Mr.X, Tuesday, April 8, 2014 at 21:45

Ran the commands above on a fresh Xubuntu image;
however, the version is still OpenSSL 1.0.1 14 Mar 2012.

