OpenSSL vulnerability – The Heartbleed Bug

Description:

The Heartbleed Bug is a very serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users. Source (1)

What versions of OpenSSL are affected?

Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including 1.0.1f and 1.0.2-beta1.
Note: Red Hat/CentOS shipped the fix as a backport, so the patched package still reports the old upstream version string, “openssl-1.0.1e-16.el6_5.7”; the release number, not the 1.0.1e, is what shows it is patched.

OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
OpenSSL 1.0.1g is NOT vulnerable
OpenSSL 1.0.0 branch is NOT vulnerable
OpenSSL 0.9.8 branch is NOT vulnerable

Checking if you are vulnerable:
Check the version of OpenSSL on the server:

Connect to the server via command line:

– On CentOS/Redhat:

rpm -qa openssl*

– On Ubuntu/Debian:

dpkg -l | grep -E 'openssl|libssl'

(Make sure the version installed matches the ones that are reported here: http://www.ubuntu.com/usn/usn-2165-1/ )

– Using online tools:
http://filippo.io/Heartbleed/

Please refer to the official Heartbleed information website: http://heartbleed.com/
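The version checks above have a catch that the Red Hat note makes visible: a distribution that backports the fix keeps the upstream version string, so `openssl version` on a patched CentOS host still prints 1.0.1e. The following POSIX shell helper is added here as an example and is not part of the original advisory. It classifies either an `openssl version` line or an `rpm -qa openssl*` package name using only the ranges stated on this page; the 16.el6_5.7 release comparison for the el6_5 stream is the one concrete vendor fact the page gives, and any other vendor-tagged 1.0.1 package is reported as check-vendor rather than guessed. The sample strings in the comments and usage lines are constructed inputs.

```shell
#!/bin/sh
# heartbleed_status STRING
#   STRING is either a line printed by `openssl version`
#   (e.g. "OpenSSL 1.0.1f 6 Jan 2014") or a package name printed by
#   `rpm -qa openssl*` (e.g. "openssl-1.0.1e-16.el6_5.7.x86_64").
#   Prints exactly one of: vulnerable | not-vulnerable | check-vendor
heartbleed_status() {
    s=$1
    ver=""
    rel=""
    case "$s" in
        openssl-*)
            # rpm package name: openssl[-subpkg]-<version>-<release>.<arch>[.rpm]
            s=${s#openssl-}
            s=${s%.rpm}
            # drop a sub-package name such as "devel-" or "libs-"
            while case "$s" in [a-z]*) true ;; *) false ;; esac; do s=${s#*-}; done
            # drop the architecture suffix
            case "$s" in *.x86_64|*.i686|*.i386|*.noarch) s=${s%.*} ;; esac
            ver=${s%%-*}     # upstream version, e.g. 1.0.1e
            rel=${s#*-}      # vendor release,  e.g. 16.el6_5.7
            if [ "$rel" = "$s" ]; then rel=""; fi   # no release field present
            ;;
        *)
            # `openssl version` line: drop the "OpenSSL " prefix, the build
            # date and the -fips marker, leaving only the version itself
            ver=${s#"OpenSSL "}
            ver=${ver%% *}
            ver=${ver%-fips}
            ;;
    esac

    case "$ver" in
        1.0.1|1.0.1[a-f])
            if [ -z "$rel" ]; then
                echo vulnerable            # upstream build of an affected release
            else
                # Vendor build: the fix is backported without changing the
                # upstream string, so only the release field can decide.
                # openssl-1.0.1e-16.el6_5.7 is the patched RHEL/CentOS package
                # named on this page; lower 16.el6_5.x releases predate it.
                case "$rel" in
                    16.el6_5.*)
                        n=${rel#16.el6_5.}
                        if [ "$n" -ge 7 ]; then echo not-vulnerable; else echo vulnerable; fi ;;
                    *) echo check-vendor ;;   # other vendor stream: read the vendor advisory
                esac
            fi ;;
        1.0.1[g-z]*)   echo not-vulnerable ;;   # 1.0.1g and later
        1.0.2-beta1)   echo vulnerable ;;
        1.0.0*|0.9.8*) echo not-vulnerable ;;   # unaffected branches
        *)             echo check-vendor ;;     # unknown or unparsable string
    esac
}

# Stand-alone usage on the local host (constructed invocations):
#   heartbleed_status "$(openssl version)"
#   rpm -qa 'openssl*' | while read -r pkg; do echo "$pkg: $(heartbleed_status "$pkg")"; done
```

On a Red Hat family host, feed it the rpm name rather than the `openssl version` line: the second form cannot distinguish a patched 1.0.1e from an unpatched one and will always answer "vulnerable".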

Resolution:

1- Upgrade OpenSSL on the server to the latest version (1.0.1g or later):
CentOS:

yum -y update openssl

Ubuntu:

sudo apt-get update && sudo apt-get install openssl libssl1.0.0

2- Identify the services that use openssl (HTTP, SMTP, etc.):
CentOS:

lsof -n | grep ssl | awk '{print $1}' | sort | uniq

Ubuntu:

lsof -n | grep ssl | awk '{print $1}' | sort | uniq

3- Restart those services. This step is extremely important: simply upgrading the library does not affect services that are already running, since they keep the old copy mapped in memory until they are restarted.

4- Recheck to see that no services are vulnerable:
CentOS:

rpm -qa openssl*

Ubuntu:

dpkg -l | grep -E 'openssl|libssl'

5- As a precaution, we also advise doing the following:

Regenerate your SSL private key
Request and replace the SSL certificate
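Steps 2 to 4 hinge on one fact: a process keeps the copy of libssl it mapped at start-up, so after the package upgrade the old, deleted library is still in memory until the process restarts, and `rpm -qa` or `dpkg -l` cannot see that. The helper below is added here as an example and is not taken from the original advisory. It reads `lsof -n` output and prints the names of processes still mapping a libssl or libcrypto file that has been deleted on disk, which is both the restart list for step 3 and the real recheck for step 4 (an empty result). The sample `lsof` lines are constructed, not captured from a host.

```shell
#!/bin/sh
# stale_ssl_processes
#   Reads `lsof -n` output on stdin and prints, one per line and without
#   duplicates, the COMMAND names of processes that still map a libssl or
#   libcrypto file which has since been deleted (i.e. replaced by the package
#   upgrade). lsof marks such mappings with "DEL" in the FD column; some
#   versions instead append "(deleted)" to the NAME column, so both are checked.
stale_ssl_processes() {
    awk '/lib(ssl|crypto)/ && ($4 == "DEL" || /\(deleted\)/) { print $1 }' | sort -u
}

# services_to_restart
#   Runs lsof on this host and feeds it to the parser above. Run as root so
#   every process is visible; an empty result means no running service still
#   uses the old library.
services_to_restart() {
    lsof -n 2>/dev/null | stale_ssl_processes
}

# Constructed sample of `lsof -n` output (not captured from a real host):
# httpd and master (postfix) still map the old libssl/libcrypto, smtpd's
# mapping is reported in the "(deleted)" style, sshd was already restarted
# and maps the new file (same name, different inode, as with a backported
# package), and nginx only holds an unrelated deleted log file.
SAMPLE_LSOF='COMMAND  PID USER    FD  TYPE DEVICE SIZE/OFF   NODE NAME
httpd   1234 apache  DEL  REG    8,1            393233 /usr/lib64/libssl.so.1.0.1e
httpd   1235 apache  DEL  REG    8,1            393233 /usr/lib64/libssl.so.1.0.1e
master   987 root    DEL  REG    8,1            393231 /usr/lib64/libcrypto.so.1.0.1e
smtpd    990 postfix mem  REG    8,1     415424 393233 /usr/lib64/libssl.so.1.0.1e (deleted)
sshd     455 root    mem  REG    8,1     415424 393240 /usr/lib64/libssl.so.1.0.1e
nginx    777 nginx   DEL  REG    8,1              5012 /var/log/nginx/access.log'

# Stand-alone usage: parse the sample, then (commented out) the live host.
printf '%s\n' "$SAMPLE_LSOF" | stale_ssl_processes
# services_to_restart
```

Each name printed is a service to restart; once the list is empty the host has no process left running the old code, which is the check the package-version commands in step 4 cannot make on their own.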

Note: be sure to change users’ passwords.

External references: