How to find out if your server is affected by the OpenSSL Heartbleed vulnerability (CVE-2014-0160) and how to fix it

 
Submitted by till (Contact Author) (Forums) on Tue, 2014-04-08 13:15. :: CentOS | Debian | Fedora | SuSE | Ubuntu


 

Version 1.2
Author: Till Brehm <t [dot] brehm [at] howtoforge [dot] com>
Last edited 04/11/2014

 

A severe vulnerability in OpenSSL has been found. It is named Heartbleed and affects the implementation of the TLS heartbeat extension in OpenSSL versions 1.0.1 up to and including 1.0.1f. An attacker can use it to read chunks of the memory of the server process, which can contain the private key of the SSL certificate, session data and passwords, so it is important to update the server immediately. The bug is fixed in OpenSSL 1.0.1g. All major Linux distributions have released updates for this vulnerability.

 

Find out if your server is affected

Run the command:

openssl version

to get the version number of openssl. If the command shows e.g.:

openssl version
OpenSSL 1.0.1e 11 Feb 2013

then your server may be vulnerable, as the version is below 1.0.1g. But most Linux distributions backport security fixes into the existing package without changing the upstream version number, so the output of "openssl version" alone is not conclusive; see below for instructions to find out if the package on your server has been patched.

If your server uses a 0.9.8 or 1.0.0 release, like the 0.9.8 that is used on Debian squeeze, then the server is not vulnerable, as the heartbeat extension was only implemented in OpenSSL 1.0.1 and later versions.

openssl version
OpenSSL 0.9.8o 01 Jun 2010

 

Fix the vulnerability

To fix the vulnerability, install the latest updates for your server. Keep in mind that the update only stops further leaks: anything that was in the memory of a vulnerable service (the SSL private key, session cookies, passwords) may already have been read, so after patching you should also replace the affected certificates and keys.

Debian

apt-get update
apt-get upgrade

Ubuntu

apt-get update
apt-get upgrade

Fedora and CentOS

yum update

OpenSuSE

zypper update

Then restart all services that use OpenSSL. This step is essential: a process that was started before the update keeps the old, vulnerable library mapped in memory until it is restarted, so the server stays exploitable after the package upgrade. On an ISPConfig 3 server, restart e.g. these services (when they are installed): sshd, apache, nginx, postfix, dovecot, courier, pure-ftpd, bind and mysql. If you want to be absolutely sure that you did not miss a service, reboot the whole server by running "reboot" on the shell.
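To see which services still have to be restarted, you can look for processes that still map the old library. This is an added example and not part of the original tutorial: after the package upgrade the old libssl/libcrypto file is unlinked from disk but stays mapped in every process that was started before the upgrade, and the kernel marks such mappings with "(deleted)" in /proc/PID/maps. The script scans those files; the sample maps lines used to exercise the filter are constructed, not taken from a real host.

```shell
#!/bin/sh
# Added example (not from the original tutorial): list processes that still
# have the OLD, replaced libssl/libcrypto mapped after the package upgrade.
#
# Field layout of a /proc/PID/maps line:
#   address perms offset dev inode [path] [(deleted)]
# "(deleted)" means the file backing the mapping was removed or replaced on
# disk, i.e. the process is still running the pre-upgrade code.

# stale_ssl_mappings: read maps-style lines on stdin and print the unique
# paths of libssl/libcrypto objects that are mapped but already deleted.
stale_ssl_mappings() {
    awk '$6 ~ /\/lib(ssl|crypto)\.so/ && $NF == "(deleted)" { print $6 }' | sort -u
}

# list_stale_processes: walk /proc and print "PID<TAB>command<TAB>library"
# for every process that still maps a deleted OpenSSL library. Run it as
# root, otherwise the maps of other users' processes cannot be read and those
# processes are silently skipped.
list_stale_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        libs=$(stale_ssl_mappings 2>/dev/null < "$maps") || continue
        [ -n "$libs" ] || continue
        cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null | cut -c1-60)
        for lib in $libs; do
            printf '%s\t%s\t%s\n' "$pid" "$cmd" "$lib"
        done
    done
}

list_stale_processes
```

Run it as root right after the upgrade; every line it prints is a service you still have to restart. An empty result after restarting the listed services (or after a reboot) means no process on the machine is running the old library any more.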

 

Check if the Linux update installed the correct package

After you have installed the Linux updates, check that the openssl package has been upgraded correctly. Some Linux distributions backport the fix into the existing package version, so "openssl version" does not always show whether the patch that fixes the vulnerability has been installed.

Check the package on Debian and Ubuntu (run the same command for 'libssl1.0.0' as well, since that package holds the library the services actually load; the openssl package contains only the command line tool):

dpkg-query -l 'openssl'

Here the output for a correctly patched Debian 7 (Wheezy) server:

dpkg-query -l 'openssl'
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                Version         Architecture   Description
+++-===================-===============-==============-============================================
ii  openssl             1.0.1e-2+deb7u5 amd64          Secure Socket Layer (SSL) binary and related

For Fedora and CentOS, use this command to find the installed package name and version:

rpm -qa | grep openssl

Here are the links with the release notes that contain the package names of the fixed versions:

Debian: http://www.debian.org/security/2014/dsa-2896
Ubuntu: http://www.ubuntu.com/usn/usn-2165-1/
Fedora: https://lists.fedoraproject.org/pipermail/announce/2014-April/003206.html
CentOS: http://lists.centos.org/pipermail/centos-announce/2014-April/020249.html
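The two checks above, the version string from "openssl version" and the installed package, can be combined into one script. This is an added example and not part of the original tutorial: it first classifies the upstream version string (the ranges are the ones stated above, plus 1.0.2-beta1, which the upstream advisory lists as affected as well) and then reads the package changelog, which is where Debian, Ubuntu, Fedora and CentOS record the CVE id when they backport a fix, and prints the version of the changelog entry that contains the fix. The paths and package names for Debian/Ubuntu (libssl1.0.0, openssl, /usr/share/doc/<pkg>/changelog.Debian.gz) and for RPM systems (openssl) are what those distributions use; the sample changelogs in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the original tutorial): is the installed OpenSSL
# fixed against CVE-2014-0160? Do not trust "openssl version" alone; look at
# what the package changelog says.

CVE=CVE-2014-0160

# version_status: takes the output line of `openssl version` and prints
#   not-affected   branch without the heartbeat extension (0.9.8, 1.0.0)
#   check-package  upstream 1.0.1 .. 1.0.1f or 1.0.2-beta1: vulnerable unless
#                  the distribution backported the fix, so check the package
#   fixed          1.0.1g or later
version_status() {
    set -- $1                      # split "OpenSSL 1.0.1e 11 Feb 2013" into words
    case $2 in
        0.9.*|1.0.0*)                 echo not-affected ;;
        1.0.1|1.0.1[a-f]|1.0.2-beta1) echo check-package ;;
        1.0.1[g-z]*|1.0.2*|1.1*)      echo fixed ;;
        *)                            echo unknown ;;
    esac
}

# fix_version: read a package changelog on stdin (Debian changelog format or
# `rpm -q --changelog` format, newest entry first) and print the version of
# the first entry that mentions $1 (the CVE id). Prints nothing if none does.
fix_version() {
    awk -v cve="$1" '
        /^\* /                    { ver = $NF }                       # rpm header: "* date author version"
        /^[a-z0-9.+-]+ \([^)]*\)/ { ver = $2; gsub(/[()]/, "", ver) } # deb header: "pkg (version) dist; urgency=..."
        index($0, cve) && ver != "" { print ver; exit }
    '
}

# check_host: run both checks against the local system. The changelog that
# ships with the installed package describes exactly that package, so a CVE
# entry in it means the fix is installed (services still need a restart).
check_host() {
    if command -v openssl >/dev/null 2>&1; then
        v=$(openssl version)
        echo "$v -> $(version_status "$v")"
    fi
    if command -v dpkg-query >/dev/null 2>&1; then
        # Debian/Ubuntu: services load libssl1.0.0; "openssl" is only the CLI tool
        for pkg in libssl1.0.0 openssl; do
            inst=$(dpkg-query -W -f '${Version}' "$pkg" 2>/dev/null) || continue
            fixed=$(zcat "/usr/share/doc/$pkg/changelog.Debian.gz" 2>/dev/null | fix_version "$CVE")
            echo "$pkg installed $inst, $CVE fixed in: ${fixed:-NOT FOUND in changelog}"
        done
    elif command -v rpm >/dev/null 2>&1; then
        inst=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' openssl 2>/dev/null) || inst=none
        fixed=$(rpm -q --changelog openssl 2>/dev/null | fix_version "$CVE")
        echo "openssl installed $inst, $CVE fixed in: ${fixed:-NOT FOUND in changelog}"
    fi
}

check_host
```

On a patched Debian 7 server the second line reads "libssl1.0.0 installed 1.0.1e-2+deb7u5, CVE-2014-0160 fixed in: 1.0.1e-2+deb7u5"; "NOT FOUND in changelog" means the fixed package is not installed yet (or the changelog was stripped from the package), and you should compare the installed version with the fixed versions from the release notes linked above.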

 

Test

There is now a test available to verify that you successfully closed the security hole in your server. It checks the host and port you enter from the outside, so test every TLS-enabled service (HTTPS, SMTP, IMAP, POP3, ...) separately. The test can be found here:

http://filippo.io/Heartbleed/

 

Q&A on this Topic in the howtoforge forum

Questions and answers on this topic in the howtoforge forum:

http://www.howtoforge.com/forums/showthread.php?t=65498

 

 


Submitted by diml (registered user) on Thu, 2014-04-10 11:29.

Hello,

I think that if you have a server up and running (in my case Ubuntu 12.04) apt-get update && apt-get upgrade is not the best way since you have other services that are a little dangerous to update.

You can just run apt-get update && apt-get install openssl libssl1.0.0

Don't forget to restart server. This worked fine for me!

Submitted by till (registered user) on Thu, 2014-04-10 13:14.
Please be aware that this fixes the openssl issue but leaves other issues open. So better check if you cannot install all pending security updates. If your server is set up correctly, then Ubuntu maintenance and security updates should not cause any problems.
Submitted by Anonymous (not registered) on Thu, 2014-04-10 10:08.
>>> Run the command: openssl version to get the version number of openssh. <<< No, this will get you the version of openssl. Don't drag OpenSSH into this, OpenSSH is not affected.
Submitted by till (registered user) on Thu, 2014-04-10 13:11.
Thanks for pointing out this typo. I corrected it in the tutorial.
Submitted by PermaNoob (registered user) on Thu, 2014-04-10 00:05.
openssl 1.0.1e in centos has been fixed.

The only thing you have to do is: yum update

It will automatically download and update a backported version of openssl-1.0.1e-16.el6_5.7 which has been patched by RedHat with heartbeat disabled.

To verify the update, check the changelog:

# rpm -q --changelog openssl-1.0.1e | grep -B 1 CVE-2014-0160

you should see the following:

* Mon Apr 07 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
Submitted by Nico (not registered) on Wed, 2014-04-23 01:02.
Can you help me with this? I'm on CentOS as well; I did yum update and restarted the server, yet the latest update is:

 * Tue Jan 07 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-16.4
- fix CVE-2013-4353 - Invalid TLS handshake crash


 

Submitted by Anonymous-kjakich (not registered) on Thu, 2014-04-10 19:41.
Hey, Thanks for that. It worked! 
Submitted by SamTzu (registered user) on Wed, 2014-04-09 08:42.

You don't always get the real version with "openssl version".

Try "apt-cache policy openssl".