How to secure your servers against OpenSSL / Heartbleed vulnerability

As reported by the OpenSSL team on April 7, 2014, a serious flaw named the “Heartbleed bug” has been discovered in OpenSSL's implementation of the TLS heartbeat extension. It lets a remote attacker read up to 64 KB of a vulnerable server's process memory per request, repeatedly and without leaving a trace in the logs. That memory can contain private keys, session cookies and user passwords, which is why it poses a very large security threat to servers which are vulnerable.

If you have a VPS, Cloud or Dedicated server from Signetique running software versions that may be vulnerable, please note the following information. If you have Managed System Administration services with us, we have already scheduled an upgrade for you and you do not have to do anything.

You can find more information about the vulnerability (CVE-2014-0160) on the OpenSSL website and at http://heartbleed.com/.

This affects every service on a system that links against a vulnerable OpenSSL, that is OpenSSL 1.0.1 through 1.0.1f. Apache and other HTTPS servers are the obvious case, but mail servers (SMTP, IMAP and POP3 over SSL or STARTTLS), OpenVPN and any other TLS-enabled daemon are equally exposed. The following distributions ship affected packages:

  • Debian Wheezy (stable) (vulnerable OpenSSL 1.0.1e-2+deb7u4, fixed in OpenSSL 1.0.1e-2+deb7u5)
  • Ubuntu 13.10 (vulnerable OpenSSL 1.0.1e-3ubuntu1.1, fixed in OpenSSL 1.0.1e-3ubuntu1.2)
  • Ubuntu 12.10 (vulnerable OpenSSL 1.0.1c-3ubuntu2.6, fixed in OpenSSL 1.0.1c-3ubuntu2.7)
  • Ubuntu 12.04.4 LTS (vulnerable OpenSSL 1.0.1-4ubuntu5.11, fixed in OpenSSL 1.0.1-4ubuntu5.12)
  • RedHat, CentOS, CloudLinux 6.5 (vulnerable OpenSSL 1.0.1e-15 and the 1.0.1e-16 builds before el6_5.7, fixed in OpenSSL 1.0.1e-16.el6_5.7, RHSA-2014:0376)
  • Fedora 18 (OpenSSL 1.0.1e-4 without update: Fedora 18 is no longer supported)
  • Fedora 19 (fixed in OpenSSL 1.0.1e-37.fc19.1)
  • Fedora 20 (fixed in OpenSSL 1.0.1e-37.fc20.1)
  • OpenSUSE 12.2 (vulnerable OpenSSL 1.0.1c, fixed in OpenSSL 1.0.1e-1.44.1)
  • OpenSUSE 13.1 (fixed in OpenSSL 1.0.1e-11.32.1)

Please refer to this URL for the OpenSUSE patches: http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00004.html

The installed OpenSSL package version on Debian/Ubuntu can be checked using the command below. Check the libssl1.0.0 package as well, since that is the library your services actually load, not the openssl command-line tool:

# dpkg -l openssl libssl1.0.0

The OpenSSL package version on RedHat/CentOS/CloudLinux and OpenSUSE can be checked using the command below:

# rpm -q openssl

Compare the package release with the fixed versions listed above. Do not rely on the output of "openssl version": the distributions backport the fix into their existing 1.0.1e (or 1.0.1c) packages, so the version string stays the same after the update. If you use "openssl version -a", a "built on" date of 7 Apr 2014 or later indicates a build that includes the fix.

The following are NOT affected: servers whose OpenSSL is from the 0.9.8 or 1.0.0 branch, for example the packages shipped with RedHat/CentOS 5, Debian 6 (Squeeze) and Ubuntu 10.04 LTS, because those versions do not contain the heartbeat code at all. OpenSSL 1.0.1g and later already contain the fix.

What should I do if my server is vulnerable?
————————————————–

Upgrade your OpenSSL package

On CentOS, RHEL and CloudLinux systems this can be done using the commands below (on these releases the library ships inside the openssl package itself):

# yum clean all
# yum update openssl

On Debian/Ubuntu systems use the commands below. Installing "openssl" alone upgrades only the command-line tool; the library that Apache, Postfix, Dovecot and the other daemons load is the libssl1.0.0 package, so it must be upgraded as well:

# apt-get update
# apt-get install openssl libssl1.0.0

Afterwards restart every service that uses the library (Apache, nginx, mail services, VPN daemons and so on), or simply reboot the server. A process that was already running keeps the old, vulnerable copy of libssl mapped in memory until it is restarted, so upgrading the package alone does not close the hole.
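As an added example (not part of Signetique's advisory), the following POSIX shell script automates the two checks a practitioner wants after the upgrade step above: whether the installed OpenSSL build contains the fix, and which running processes still have the pre-upgrade library mapped and therefore need a restart. It assumes a Linux host with /proc and the openssl binary; the function names heartbleed_status and stale_ssl_processes and the sample version strings are mine.

```shell
#!/bin/sh
# heartbleed_local_check.sh -- added example, not from the original advisory.
#   1. heartbleed_status: decides from `openssl version -a` whether the
#      installed build is vulnerable. Distributions backport the fix and keep
#      the 1.0.1e version string, so for 1.0.1..1.0.1f the "built on" date is
#      used (heuristic from heartbleed.com: a build dated 7 Apr 2014 or later
#      contains the fix). The dpkg/rpm package version remains authoritative.
#   2. stale_ssl_processes: lists processes that still map a deleted
#      (pre-upgrade) libssl/libcrypto, i.e. services that must be restarted.
#      Reads /proc/*/maps, so run it as root to see every process.

# $1: first line of `openssl version -a`, e.g. "OpenSSL 1.0.1e 11 Feb 2013"
# $2: the "built on: ..." line
# Prints: not-affected | fixed | fixed-backport | vulnerable | unknown
heartbleed_status() {
    ver=$(printf '%s\n' "$1" | awk '{print $2}')
    built=$2
    case "$ver" in
        0.9.8*|1.0.0*)             echo not-affected; return 0 ;;  # no heartbeat code
        1.0.1[g-z]*)               echo fixed;        return 0 ;;  # 1.0.1g and later
        1.0.1|1.0.1-*|1.0.1[a-f]*) ;;                              # needs date check
        *)                         echo unknown;      return 0 ;;
    esac
    # "built on: Mon Apr  7 20:33:29 UTC 2014" -> month, day, year
    set -- $(printf '%s\n' "$built" | awk '{print $4, $5, $NF}')
    mon=${1:-}; day=${2:-}; year=${3:-}
    case "$mon" in
        Jan) m=1;;  Feb) m=2;;  Mar) m=3;;  Apr) m=4;;  May) m=5;;  Jun) m=6;;
        Jul) m=7;;  Aug) m=8;;  Sep) m=9;;  Oct) m=10;; Nov) m=11;; Dec) m=12;;
        *) echo unknown; return 0 ;;   # e.g. "reproducible build, date unspecified"
    esac
    case "$day$year" in *[!0-9]*|'') echo unknown; return 0 ;; esac
    if [ "$year" -gt 2014 ] \
       || { [ "$year" -eq 2014 ] && [ "$m" -gt 4 ]; } \
       || { [ "$year" -eq 2014 ] && [ "$m" -eq 4 ] && [ "$day" -ge 7 ]; }; then
        echo fixed-backport
    else
        echo vulnerable
    fi
}

# Prints "PID COMMAND" for each process whose /proc/PID/maps still references
# a libssl/libcrypto file marked "(deleted)", i.e. replaced by the upgrade.
stale_ssl_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        if grep -qE 'lib(ssl|crypto)[^ ]* \(deleted\)' "$maps" 2>/dev/null; then
            cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)
            printf '%s %s\n' "$pid" "${cmd% }"
        fi
    done
    return 0
}

# Run against the live system:  sh heartbleed_local_check.sh --live
if [ "${1:-}" = "--live" ]; then
    out=$(openssl version -a)
    echo "openssl build: $(heartbleed_status "$(printf '%s\n' "$out" | sed -n 1p)" \
                                           "$(printf '%s\n' "$out" | grep '^built on:')")"
    echo "processes still using a pre-upgrade libssl/libcrypto (restart these):"
    stale_ssl_processes
fi
```

The build-date rule is deliberately conservative: anything it cannot parse is reported as "unknown" rather than "fixed", and a "vulnerable" or "unknown" result should send you back to the dpkg/rpm package version and the fixed releases listed earlier on this page.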

Reset all your passwords

It is highly recommended to change all passwords, but only after the OpenSSL package has been updated, the affected services have been restarted and your certificates have been reissued; passwords changed on a still-vulnerable server can simply be leaked again. This applies especially to web applications and control panels that are accessible via your https URL, and to mail accounts that log in over SSL/TLS. Session cookies and API tokens issued before the upgrade should be invalidated as well.

SSL Certificate Revocations

According to the currently available information, the private keys of certificates served by a vulnerable server should be considered compromised. Generate a new private key and CSR (do not reissue from the old key, which would leave the leaked key in use), then contact your SSL provider to have the old certificate revoked and a new one issued. Install the new certificate only after the OpenSSL upgrade and service restart, otherwise the new key is exposed in the same way.

Check if your system is still vulnerable after OpenSSL has been upgraded

Please go to https://www.ssllabs.com/ssltest/ and test the domain that your SSL certificate is assigned to. If the problem is fixed, the output of the test should include a row similar to this: “This server is not vulnerable to the Heartbleed attack. (Experimental)”. Note that the SSL Labs test only covers HTTPS on port 443; mail, FTP-over-TLS and other TLS services on the same server must be verified separately.
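For services that the SSL Labs test does not reach (IMAPS on 993, POP3S on 995, SMTPS on 465, a control panel on a non-standard port), the following added example, not from the original advisory, uses only the openssl command-line tool to see whether a TLS endpoint advertises the heartbeat extension. The interpretation matters: an absent extension means the service cannot be hit by Heartbleed, while a present extension is inconclusive, because fixed OpenSSL 1.0.1g and the patched distribution packages still advertise heartbeat. The function names and the sample output lines are mine; the live probe needs network access.

```shell
#!/bin/sh
# heartbeat_ext_check.sh -- added example, not part of the original advisory.
# Verdicts: not-advertised -> safe from Heartbleed; advertised -> inconclusive,
# decide by package version (dpkg/rpm) or the SSL Labs test instead.

# Parse saved `openssl s_client -tlsextdebug` output ($1).
heartbeat_from_tlsextdebug() {
    if printf '%s\n' "$1" | grep -q 'TLS server extension "heartbeat"'; then
        echo advertised
    else
        echo not-advertised
    fi
}

# Live probe: probe_heartbeat HOST PORT. -servername sends SNI so a
# name-based virtual host answers with its own certificate and extensions.
probe_heartbeat() {
    host=$1; port=$2
    out=$(openssl s_client -connect "$host:$port" -servername "$host" \
              -tlsextdebug </dev/null 2>/dev/null)
    heartbeat_from_tlsextdebug "$out"
}

# Constructed samples of the relevant -tlsextdebug lines (not real captures).
SAMPLE_WITH_HEARTBEAT='TLS server extension "renegotiation info" (id=65281), len=1
TLS server extension "heartbeat" (id=15), len=1
0000 - 01                                                .'

SAMPLE_NO_HEARTBEAT='TLS server extension "renegotiation info" (id=65281), len=1
TLS server extension "session ticket" (id=35), len=0'

# Usage: sh heartbeat_ext_check.sh --live mail.example.com 993
if [ "${1:-}" = "--live" ] && [ -n "${2:-}" ]; then
    printf '%s:%s heartbeat %s\n' "$2" "${3:-443}" "$(probe_heartbeat "$2" "${3:-443}")"
fi
```

Because the fixed builds keep the extension enabled, treat "advertised" as "check the package version", not as proof that the host is still vulnerable.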

If you have Managed System Administration services with Signetique, we have already scheduled an upgrade for you. If you do not have this service and would like us to assist you, please email sales@exabytes.sg and we will be happy to discuss this further with you.

 

Kenneth Tan
