Heart bleed bug

A friend just pointed me to this: http://www.theepochtimes.com/n3/609175-heart-bleed-bug-imperils-web-encryption-putting-passwords-credit-cards-at-risk/ which in turn turned me to this: http://heartbleed.com/

Basically OpenSSL for 2 years had a major flaw in it which allows hackers to obtain 64 kilobytes of data from the server where OpenSSL was installed and being used. I rushed onto the server and checked OpenSSL for its version number. While I will not specifically state what version the servers are running, for security measures, I will say that the service is NOT running OpenSSL versions which were vulnerable.

However, after using a test site (http://filippo.io/Heartbleed/) on a client’s server I found that even though 1.0.0 was not supposed to be affected (their version was 1.0.0c) they were vulnerable. I would strongly urge ANYONE to either run their update program (centos/rhel: “yum -y update openssl”) or manually install 1.0.1g as soon as possible. Then broadcast to your account holders to change their passwords.

Keep in mind OpenSSL 1.0.0c was released in December of 2010, which means if 1.0.0c was vulnerable this bug has been around for 3 1/2 years.


 

Excerpt from http://heartbleed.com/

What versions of the OpenSSL are affected?

Status of different versions:

  • OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
  • OpenSSL 1.0.1g is NOT vulnerable
  • OpenSSL 1.0.0 branch is NOT vulnerable
  • OpenSSL 0.9.8 branch is NOT vulnerable

Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.
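
For a first-pass triage against the list quoted above, this added example (not from the original post or from heartbleed.com) classifies the output of `openssl version`; the function names and sample strings are constructed for illustration. It reads only the version string, so anything outside the quoted list comes back as `unknown`.

```sh
#!/bin/sh
# Added example: classify an `openssl version` line using the version list
# quoted from heartbleed.com. Function names are hypothetical.

# Prints one of: vulnerable | not-vulnerable | unknown
# The body runs in a subshell so LC_ALL and ver do not leak into the caller.
classify_openssl() (
    LC_ALL=C
    # Extract "1.0.1e" from a line such as "OpenSSL 1.0.1e-fips 11 Feb 2013"
    ver=$(printf '%s\n' "$1" | sed -n \
        's/^OpenSSL[[:space:]]\{1,\}\([0-9]\{1,\}\.[0-9]\{1,\}\.[0-9]\{1,\}[a-z]*\).*/\1/p')
    case "$ver" in
        '')                                     echo unknown ;;        # not an OpenSSL version line
        0.9.8|0.9.8[a-z]*|1.0.0|1.0.0[a-z]*)    echo not-vulnerable ;; # 0.9.8 and 1.0.0 branches
        1.0.1|1.0.1[a-f])                       echo vulnerable ;;     # 1.0.1 through 1.0.1f
        1.0.1[g-z]*)                            echo not-vulnerable ;; # 1.0.1g and later letters
        *)                                      echo unknown ;;        # not covered by the quoted list
    esac
)

# Classify the OpenSSL binary on this machine.
check_local_openssl() {
    classify_openssl "$(openssl version 2>/dev/null)"
}

# Read "host<TAB>openssl version output" lines on stdin and print only the
# hosts that are not confirmed safe by the list (vulnerable or unknown).
triage_inventory() {
    while IFS="$(printf '\t')" read -r host line; do
        verdict=$(classify_openssl "$line")
        [ "$verdict" = not-vulnerable ] || printf '%s\t%s\n' "$host" "$verdict"
    done
}
```

Distribution packages can carry a backported fix without changing the version string, so a `vulnerable` result is a prompt to check the package changelog or build date, not a final verdict.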


Commands to update your own dedicated server:

Just in case the above command doesn’t clean up here is the clean up command:

In case you’re having issues with “openssl version” still showing you your old version and are using StorMan use the following commands:

If not using StorMan and still having issues of the old version being reported try:

To test your openssl version use the below command:

Also keep in mind you will want to re-key your SSL certificates if your server had a known issue, as someone could be sitting on your private key just waiting to use it.