A new vulnerability (CVE-2014-0160) has been discovered in OpenSSL, named ‘Heartbleed’ (a flaw in the TLS heartbeat extension). OpenSSL is the core cryptographic library used to establish SSL/TLS connections; it allows arbitrary protocols to be communicated securely.
It enables clients to (a) verify that they are indeed communicating with the server they expect and not a man-in-the-middle and (b) encrypt the network traffic so that parties other than the client and server cannot see the communication.
#HEARTBLEED: The BAD & the UGLY
The latest vulnerability compromises the security features described above and allows a malicious client or server to read up to 64KB of memory from the remote machine, potentially exposing any secrets held there, including the private keys of TLS certificates. With those keys, previously transmitted traffic (if a packet dump of it is available) as well as future traffic can be decrypted.
How to safeguard against #HEARTBLEED?
Fortunately, not all versions of OpenSSL suffer from this vulnerability. If you are running an SSL-enabled website, you need to check your OpenSSL version, which can be done by running:
$ openssl version -a
The first line of the output will tell you the version of the OpenSSL that you are running.
The versions affected by the Heartbleed vulnerability are 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1.
For Red Hat based distributions like CentOS 6 the above version list does not apply, because the fix is backported without changing the version number; please refer to this announcement: http://lists.centos.org/pipermail/centos-announce/2014-April/020249.html
If you are running a vulnerable version along with the heartbeat extension, then you should upgrade to the fixed version released by your Linux distribution. On the remote chance that your OpenSSL installation was built without the heartbeat extension, you are most likely not vulnerable currently, but it is good practice to update to the latest version available on your Linux distribution anyway.
To check whether heartbeat is enabled, run the following command in your terminal:
$ openssl s_client -connect example.com:443 -tlsextdebug </dev/null 2>&1 | grep 'server extension "heartbeat" (id=15)' || echo safe
In the above command replace ‘example.com’ with your own website. If the output of the command is ‘safe’ then you have nothing to worry about; otherwise you need to upgrade as soon as possible. Note that the command also prints ‘safe’ when the connection itself fails (grep then finds nothing), so make sure the host is actually reachable on port 443 before trusting the result.
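The version check and the heartbeat check above, plus the changelog check needed on Red Hat based systems, as an added example that is not from the original post: shell functions that apply them to captured tool output so they can be run and tested offline. Function names and all sample strings are constructed for this example.

```shell
# Added example, not part of the original post. The affected-version list and
# the grep pattern are those given above; the sample strings are constructed.

# Return 0 (true) if an `openssl version` banner names an affected build.
heartbleed_version_affected() {
    ver=$(printf '%s\n' "$1" | awk '{print $2}')
    case "$ver" in
        1.0.1|1.0.1a|1.0.1b|1.0.1c|1.0.1d|1.0.1e|1.0.1f) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if saved `openssl s_client ... -tlsextdebug` output shows the
# server advertising the heartbeat extension (id=15).
heartbeat_advertised() {
    printf '%s\n' "$1" | grep -q 'server extension "heartbeat" (id=15)'
}

# Red Hat based builds keep the 1.0.1e banner after the backported fix, so
# there the package changelog (rpm -q --changelog openssl) is the authority.
changelog_has_fix() {
    printf '%s\n' "$1" | grep -q 'CVE-2014-0160'
}

# Combine the checks: prints "vulnerable", "patched" or "safe".
# $1 version banner, $2 s_client output, $3 rpm changelog text (may be empty).
heartbleed_status() {
    if ! heartbleed_version_affected "$1"; then
        echo safe
    elif changelog_has_fix "$3"; then
        echo patched
    elif heartbeat_advertised "$2"; then
        echo vulnerable
    else
        echo safe          # affected library, but heartbeat not offered
    fi
}

# Constructed samples in the shape the real tools print.
SAMPLE_BANNER_OLD='OpenSSL 1.0.1e 11 Feb 2013'
SAMPLE_TLSEXT='CONNECTED(00000003)
TLS server extension "renegotiation info" (id=65281), len=1
TLS server extension "heartbeat" (id=15), len=1'
SAMPLE_TLSEXT_NOHB='CONNECTED(00000003)
TLS server extension "renegotiation info" (id=65281), len=1'
SAMPLE_CHANGELOG='* Mon Apr 07 2014 - fix CVE-2014-0160 - information disclosure in TLS heartbeat extension'
```

On a live host, feed the functions the real output of `openssl version`, the `s_client` command above and `rpm -q --changelog openssl` instead of the samples.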
To upgrade, follow this procedure:
1. For CentOS 6.x systems (CentOS 5.x ships an older OpenSSL branch that is not affected by this vulnerability), a simple upgrade can be done with yum by running:
$ yum --disablerepo="*" --enablerepo="updates" update openssl
2. For Ubuntu and Debian systems, run:
$ sudo apt-get update
$ sudo apt-get upgrade openssl
If you are running Debian/Ubuntu and still see issues after upgrading openssl, don’t forget to upgrade libssl-dev as well.
If your repository configuration is correct, the above commands should patch this vulnerability on your systems. Remember that services already running (web servers, mail servers and so on) keep the old library loaded until they are restarted, so restart them, or reboot, after the upgrade.