Thursday, 17 April 2014

How to Protect your Server Against the Heartbleed OpenSSL Vulnerability

Important SSL Security Vulnerability
On Monday, April 7th 2014, an OpenSSL vulnerability was disclosed which has been called one of the worst security holes in recent internet history. The bug, called the Heartbleed bug, was introduced in OpenSSL version 1.0.1. It has been in the wild since March of 2012 and is patched with OpenSSL version 1.0.1g released on April 7th 2014. The problem, tagged CVE-2014-0160, is described in detail here.

The bug allows any attacker to read the memory of a vulnerable host, which means that any keys that have been used on a host with a vulnerable version of OpenSSL should be considered compromised. Distributions have been updating their packages and pushing out updates, but users need to pull down the most recent packages and revoke any previous keys based on insecure versions.

I'll show you how to update your systems with a secure version of OpenSSL, revoke any insecure SSL certificates, and test whether you are vulnerable or not.

Update your System
The easiest way to update your packages is to update your entire system.

On Ubuntu and Debian, you can update by typing:
sudo apt-get update
sudo apt-get dist-upgrade
If you only want to upgrade the affected packages, and not update the entire system (only recommended if you have reason to believe that upgrades to other components will break your system), you can selectively upgrade the OpenSSL packages by typing:
sudo apt-get install --only-upgrade openssl
sudo apt-get install --only-upgrade libssl1.0.0
This will upgrade the vulnerable packages while leaving the rest of your system in an un-upgraded state.

Checking your Version Numbers
You should check your version of OpenSSL after you have updated your system.

While OpenSSL version 1.0.1g is the official fix of this problem, the version that fixes this for different distributions and releases may vary. Some releases and distributions patched their older versions to fix the problem, rather than releasing an entirely new version into an older, stable ecosystem.

For this reason, it is best to check through your distribution's packaging system, since the output of the openssl version command might not reflect the patch level of the installed package.

Debian and Ubuntu Releases and Fix Versions
For Debian and Ubuntu systems, you get the current version of your OpenSSL package by typing:
dpkg -l | grep "openssl"
For Debian users, the release of Debian that you are running will determine the correct version for the fix. If your version of OpenSSL is at least as recent as the version listed here for your distribution, you should be protected:
  • Debian 6 (Squeeze): Unaffected (Shipped with older version prior to vulnerability)
  • Debian 7 (Wheezy): 1.0.1e-2+deb7u6
  • Debian testing (Jessie): 1.0.1g-1
  • Debian unstable (Sid): 1.0.1g-1
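The comparison above is easy to get wrong by eye: Debian package versions such as 1.0.1e-2+deb7u6 are not plain decimal numbers, and a string compare would rank deb7u10 below deb7u6. The following script is an added example, not part of the original post: it parses lines in the shape of the "dpkg -l" output shown above, implements dpkg's version ordering (epoch, then upstream version, then Debian revision, with digit runs compared numerically and "~" sorting lowest), and checks each SSL package against the fix versions listed for the Debian releases. The FIX_VERSIONS table carries only the values the post gives; the package names and the sample dpkg output are constructed for the example.

```python
import re

# First fixed package version per Debian release, as listed in the post.
FIX_VERSIONS = {
    "squeeze": None,              # Debian 6: shipped an OpenSSL older than the bug
    "wheezy": "1.0.1e-2+deb7u6",  # Debian 7
    "jessie": "1.0.1g-1",         # Debian testing
    "sid": "1.0.1g-1",            # Debian unstable
}

# Package names that "dpkg -l | grep openssl" surfaces on Wheezy (assumption).
SSL_PACKAGES = ("openssl", "libssl1.0.0")


def _char_order(c):
    """dpkg ordering of one non-digit character ('' means end of string)."""
    if c == "~":
        return -1           # '~' sorts before everything, even the empty string
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)       # letters sort before non-letters
    return ord(c) + 256     # '+', '.', etc. sort after letters


def _cmp_part(a, b):
    """Compare two version fragments the way dpkg does; returns -1, 0 or 1."""
    while a or b:
        # Non-digit prefixes are compared character by character.
        sa, sb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(sa):], b[len(sb):]
        for i in range(max(len(sa), len(sb))):
            ca = sa[i] if i < len(sa) else ""
            cb = sb[i] if i < len(sb) else ""
            if _char_order(ca) != _char_order(cb):
                return -1 if _char_order(ca) < _char_order(cb) else 1
        # Digit runs are compared numerically, so deb7u10 > deb7u6.
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        na, nb = int(da or "0"), int(db or "0")
        if na != nb:
            return -1 if na < nb else 1
    return 0


def _split_version(v):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(v1, v2):
    """Return -1, 0 or 1 as v1 is older than, equal to or newer than v2."""
    e1, u1, r1 = _split_version(v1)
    e2, u2, r2 = _split_version(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_part(u1, u2) or _cmp_part(r1, r2)


def is_fixed(release, installed_version):
    """True if the installed version is at or above the release's fix version."""
    fix = FIX_VERSIONS[release]
    if fix is None:         # release never shipped a vulnerable OpenSSL
        return True
    return compare_versions(installed_version, fix) >= 0


def installed_ssl_versions(dpkg_output):
    """Map package name -> version for the SSL packages in 'dpkg -l' output."""
    found = {}
    for line in dpkg_output.splitlines():
        fields = line.split()
        # Installed packages have status 'ii'; the name may carry an ':amd64' suffix.
        if len(fields) >= 3 and fields[0] == "ii":
            name = fields[1].split(":")[0]
            if name in SSL_PACKAGES:
                found[name] = fields[2]
    return found


def check_host(release, dpkg_output):
    """Return {package: fixed?} for every SSL package found in the dpkg output."""
    return {name: is_fixed(release, ver)
            for name, ver in installed_ssl_versions(dpkg_output).items()}


# Constructed sample "dpkg -l" output for a Wheezy host where openssl was
# upgraded but libssl1.0.0 (the library the services actually load) was not.
SAMPLE_DPKG_OUTPUT = """\
ii  libssl1.0.0:amd64  1.0.1e-2+deb7u4  amd64  SSL shared libraries
ii  openssl            1.0.1e-2+deb7u6  amd64  Secure Sockets Layer toolkit
ii  libgnutls26:amd64  2.12.20-8+deb7u2 amd64  GNU TLS library - runtime
"""

if __name__ == "__main__":
    for pkg, ok in check_host("wheezy", SAMPLE_DPKG_OUTPUT).items():
        print(f"{pkg}: {'fixed' if ok else 'VULNERABLE - upgrade needed'}")
```

On a real host, feed the script the output of dpkg -l for your release; the sample above deliberately shows the case where only one of the two packages was upgraded, which is why the post tells you to upgrade both openssl and libssl1.0.0 and then restart the services that link against the library.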
