Don’t Let Your Heart Bleed – Update OpenSSL Immediately

April 9, 2014
Recently, a vulnerability in OpenSSL, nicknamed “Heartbleed”, has been discovered. HostVirtual suggests all clients immediately update their OpenSSL installations. Besides having been exposed “in the wild” for over a year before discovery, this vulnerability can in some cases cause private key leakage.

NOTE: If you’ve compiled OpenSSL from source, you will want to re-compile and fully reinstall OpenSSL with version 1.0.1g. Previous versions of OpenSSL can also be patched without an update by recompiling with the OPENSSL_NO_HEARTBEATS flag defined, which disables the heartbeat extension. This will close the current vulnerability (CVE-2014-0160).

You can also test your website’s version if it uses SSL, using a Heartbleed vulnerability test: simply enter your website’s URL and run the vulnerability test. Keep in mind that a passing result doesn’t necessarily mean your system isn’t vulnerable. Software compiled against older OpenSSL libraries may still be vulnerable to this exploit.

First, let’s cover updating OpenSSL on your respective operating system:

On Ubuntu and Debian systems, run the following to update and upgrade your system packages:

sudo apt-get update

sudo apt-get upgrade

During the upgrade you may be shown a warning together with a list of system services that use the older OpenSSL library and will be restarted. You can add further services by adding their init.d script names here, such as httpd or apache2.

CentOS & Fedora – Run the following command to update OpenSSL:

yum -y update openssl

After patching, you should restart any binaries that are using OpenSSL, such as your web servers and email servers, for example:

/etc/init.d/apache2 restart
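The two checks that the procedure above leaves to the reader are whether the installed OpenSSL is actually in the affected range and which long-running processes still hold the old library in memory after the package upgrade. The script below is an added example, not part of the HostVirtual post: it classifies an `openssl version` string against the affected releases (1.0.1 through 1.0.1f and 1.0.2-beta1 are affected, 1.0.1g is fixed, 0.9.8 and 1.0.0 never contained the heartbeat code) and scans /proc for processes mapping a deleted libssl/libcrypto, which is exactly the set of services that must be restarted. It assumes a Linux host with /proc mounted; the version strings in the comments are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the HostVirtual post: classify the installed
# OpenSSL against the Heartbleed-affected releases and list processes that
# still map a replaced libssl/libcrypto and therefore need a restart.
# Assumes Linux with /proc mounted; sample version strings are constructed.

# Map an `openssl version` string to: vulnerable | fixed | not-affected | unknown
# Affected: 1.0.1 through 1.0.1f and 1.0.2-beta1.  Fixed: 1.0.1g.
# 0.9.8 and 1.0.0 never had the heartbeat code.
heartbleed_version_status() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[-a-z0-9]*\).*/\1/p')
    [ -n "$ver" ] || { echo unknown; return 0; }
    case "$ver" in
        1.0.1[g-z]*)        echo fixed ;;         # e.g. "OpenSSL 1.0.1g 7 Apr 2014"
        1.0.1|1.0.1[a-f]*)  echo vulnerable ;;    # e.g. "OpenSSL 1.0.1e 11 Feb 2013"
        1.0.2-beta1*)       echo vulnerable ;;
        0.9.8*|1.0.0*)      echo not-affected ;;  # e.g. "OpenSSL 0.9.8y 5 Feb 2013"
        *)                  echo unknown ;;
    esac
}

# Print "PID command" for every process whose memory still maps a deleted
# copy of libssl or libcrypto, i.e. a binary started before the upgrade that
# keeps using the vulnerable code until it is restarted.
stale_openssl_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        if grep -qE 'lib(ssl|crypto)\.so.*\(deleted\)' "$maps" 2>/dev/null; then
            printf '%s %s\n' "$pid" "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null | cut -c1-60)"
        fi
    done
}

report() {
    if command -v openssl >/dev/null 2>&1; then
        v=$(openssl version)
        printf 'installed: %s -> %s\n' "$v" "$(heartbleed_version_status "$v")"
        # Debian and Ubuntu backport the fix without bumping the version string,
        # so a package that still reports 1.0.1e (or plain 1.0.1 on Ubuntu 12.04)
        # is patched if it was rebuilt on or after 2014-04-07; the build date
        # settles what the version string alone cannot.
        printf 'build date: %s\n' "$(openssl version -b)"
    else
        echo 'openssl binary not found'
    fi
    echo 'processes still mapping a replaced libssl/libcrypto (restart these):'
    stale_openssl_processes
}

report
```

Run it as root once after `apt-get upgrade` or `yum update openssl`; an empty process list means every service has picked up the new library. A status of `vulnerable` on a Debian or Ubuntu host is only a prompt to look at the build date, since the distribution keeps the 1.0.1e version string after patching.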

Why is this so important?

Not only has this bug been in the open for over a year, it allows the leakage of private SSL key credentials, which may therefore no longer provide any security. In addition to updating OpenSSL and any binaries that use it, you should not only re-issue your SSL keys but also revoke any previous keys to avoid malicious use, as private keys may already have been fully leaked from the server.

  • Further, it’s also suggested you re-issue key-pairs and revoke previous certificates, as they could have been read from portions of memory on an unprotected system. This includes private keys. Since these can include keys used to create SSL certificates, new SSL certificates should be generated and/or purchased. While this vulnerability was only discovered recently, it has been out in the wild for over a year. For this reason we suggest that, in addition to re-issuing SSL certificates, you change your passwords after patching and upgrading OpenSSL.
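Re-issuing means a fresh private key, not just a fresh certificate: a certificate re-signed over the old key is still covered by whatever was read out of memory. The script below is an added example, not part of the HostVirtual post, of doing that step with the openssl CLI: it generates a new 2048-bit RSA key and a CSR to send to the CA, then compares the modulus fingerprints of the old and new keys so that an accidental reuse of the old key is caught before anything is installed. The directory, file names and CN are assumptions for this example.

```shell
#!/bin/sh
# Added example, not part of the HostVirtual post: generate a replacement
# private key and CSR after patching, and confirm the new key really differs
# from the one that may have leaked. Requires the openssl CLI; the directory,
# file names and CN are assumptions for this example.

# SHA-256 of the RSA modulus: a stable fingerprint for a key that also lets you
# match a key to its certificate (openssl x509 -noout -modulus gives the same value).
key_fingerprint() {
    openssl rsa -noout -modulus -in "$1" 2>/dev/null | openssl sha256 | awk '{print $NF}'
}

# replace_keypair DIR OLD_KEY CN
# Writes DIR/new.key (mode 0600, freshly generated, never derived from OLD_KEY)
# and DIR/new.csr for the CA; prints both fingerprints and fails if they match.
replace_keypair() {
    dir=$1; old=$2; cn=$3
    umask 077
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$cn" -keyout "$dir/new.key" -out "$dir/new.csr" >/dev/null 2>&1 || return 1
    oldfp=$(key_fingerprint "$old"); newfp=$(key_fingerprint "$dir/new.key")
    printf 'old key modulus sha256: %s\nnew key modulus sha256: %s\n' "$oldfp" "$newfp"
    if [ -z "$newfp" ] || [ "$oldfp" = "$newfp" ]; then
        echo 'new key is missing or identical to the old key; do not install it' >&2
        return 1
    fi
    echo "CSR written to $dir/new.csr; once the CA issues the new certificate, install it and revoke the old one"
}

# Usage: sh replace_keypair.sh /etc/ssl/private /etc/ssl/private/server.key www.example.com
if [ $# -eq 3 ]; then
    replace_keypair "$1" "$2" "$3"
fi
```

Keep the old certificate's serial number handy for the revocation request, and only restart the services onto new.key after the CA has returned the matching certificate; until then the patched server keeps serving the old certificate, which is why the revocation step in the text matters as much as the re-issue.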

NOTE: All HostVirtual customers may file a support ticket to have their OpenSSL distributions patched for free by a support technician.

Thanks to Heartbleed.com for the resources and additional information on this quite serious vulnerability.
