Critical OpenSSL bug 'Heartbleed'
Posted by Michael Upton on 08 April 2014 03:58 PM
A serious vulnerability in the popular OpenSSL cryptographic software library has been disclosed which could allow an attacker to read information passed between a user and a web service, including the secret keys used for X.509 certificates, user names and passwords, emails, and business-critical documents and communications. An attacker can steal this information without leaving a trace.
It is strongly recommended that you check whether you are running a vulnerable version of OpenSSL and follow your operating system vendor's instructions for updating / patching to fix this bug as soon as possible. Below are the affected and non-affected versions of OpenSSL.
To check which version you're running, use the following commands via an SSH session. On a Red Hat Linux system such as CentOS or Fedora, run the following command:
rpm -q openssl
On an Ubuntu Linux server run the following:
dpkg --list | grep openssl
Windows installs running the IIS web server are unaffected by this bug.
You can test your sites using the following tester page. If the tester reports a "broken pipe" error message, this is typically because the site runs on the unaffected IIS web server.
How to update OpenSSL to patch the bug
If the version you have installed is vulnerable, use the following commands to see if your Linux vendor's repository has a fix available:
Red Hat / Fedora / CentOS systems - "yum update openssl"
Ubuntu - "apt-get update" followed by "apt-get upgrade"
CentOS 6 repositories already carry the update, which has the assigned version number 1.0.1e-16.el6_5.7. Ubuntu repositories for releases still covered under Long Term Support (LTS) also carry the update that fixes this vulnerability.
After the update has completed it is recommended that you carry out the following steps. The first step generates new SSH keys for your server. In theory, an attacker could have obtained private SSH key pair data via this vulnerability, allowing unauthorised access to your server. Once the OpenSSL update has completed, stopping further information from being obtained via the Heartbleed bug, run the following commands to generate new SSH keys.
Red Hat / Fedora / CentOS systems - "rm -rf /etc/ssh/ssh_host_*" followed by "service sshd restart" (without quotation marks).
Ubuntu - "rm -rf /etc/ssh/ssh_host_*" followed by "dpkg-reconfigure openssh-server" (without quotation marks).
Afterwards restart the web server service on your server. On Red Hat / Fedora / CentOS systems run "service httpd restart". On Ubuntu run "/etc/init.d/apache2 restart".
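Restarting the web server is necessary because a process started before the update keeps the old library mapped in memory until it is restarted; the kernel marks such mappings "(deleted)" in /proc/<pid>/maps once the file on disk has been replaced. The following script is an added example written for this article, not the article's own procedure. It scans those maps for libssl or libcrypto mappings carrying that suffix, so you can confirm that httpd / apache2 picked up the new library and find any other daemon that still needs a restart. The maps excerpt it demonstrates on is a constructed sample; the "--scan" mode reads the real /proc and should be run as root to see every process.

```shell
#!/bin/sh
# Added example, not part of the original article: after the package update,
# any process started before it keeps the old libssl/libcrypto mapped until
# it is restarted, and the kernel marks such mappings "(deleted)" in
# /proc/<pid>/maps. Scanning for that suffix lists the services that still
# need a restart, beyond the web server the article names.

# Read /proc/<pid>/maps text on stdin and print each distinct path of an
# OpenSSL library mapping whose file has been replaced. Returns 1 if none.
stale_openssl_maps() {
    awk '$NF == "(deleted)" && $(NF-1) ~ /lib(ssl|crypto)\.so/ { print $(NF-1) }' \
        | sort -u | grep .
}

# Walk every readable /proc/<pid>/maps (run as root to see all processes) and
# print "pid command library" for each stale OpenSSL mapping found.
find_stale_openssl_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid="${maps#/proc/}"; pid="${pid%/maps}"
        libs=$(stale_openssl_maps < "$maps" 2>/dev/null) || continue
        comm=$(cat "/proc/$pid/comm" 2>/dev/null || echo '?')
        for lib in $libs; do
            printf '%s %s %s\n' "$pid" "$comm" "$lib"
        done
    done
}

# Constructed maps excerpt of a daemon that kept running across the update:
# the old 1.0.1e library files were replaced on disk but remain mapped.
SAMPLE_MAPS='7f2a4c000000-7f2a4c1fb000 r-xp 00000000 fd:01 1310 /lib64/libc-2.12.so
7f2a4c400000-7f2a4c45f000 r-xp 00000000 fd:01 2201 /usr/lib64/libssl.so.1.0.1e (deleted)
7f2a4c45f000-7f2a4c65e000 ---p 0005f000 fd:01 2201 /usr/lib64/libssl.so.1.0.1e (deleted)
7f2a4c800000-7f2a4c9c0000 r-xp 00000000 fd:01 2200 /usr/lib64/libcrypto.so.1.0.1e (deleted)
7f2a4cc00000-7f2a4cc20000 r-xp 00000000 fd:01 1400 /lib64/ld-2.12.so'

# Run the constructed sample through the detector (used by the demo below).
sample_stale_libs() {
    printf '%s\n' "$SAMPLE_MAPS" | stale_openssl_maps
}

if [ "${1:-}" = "--scan" ]; then
    find_stale_openssl_processes
else
    echo "Stale OpenSSL libraries in the sample maps (this process needs a restart):"
    sample_stale_libs
fi
```

An empty result from "--scan" after the service restarts is the confirmation you want; any line it prints names a process that is still running the pre-update library and must be restarted as well.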
If you're unsure whether your server is vulnerable, or your Linux vendor's repository isn't carrying an update for OpenSSL, please open a support ticket at https://support.idaq.com/ or send an email to firstname.lastname@example.org.