Don’t Panic, HeartBleed OpenSSL Bug Isn’t A Threat For All Systems

April 10, 2014 / Network and Security

‘Heartbleed’, one of the most critical vulnerabilities detected in OpenSSL, is a much-discussed term that has left many people on the web feeling insecure when they don’t have to.

Before we go any further, let’s first understand CVE-2014-0160, popularly known as Heartbleed. [Ref.: CVE – Common Vulnerabilities and Exposures]

Well, as per the definition by Neel Mehta of Google Security and security engineers at Codenomicon who jointly discovered the bug, “It is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet.

SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).”

The vulnerability was discovered in OpenSSL’s implementation of the TLS/DTLS (transport layer security protocols) heartbeat extension (RFC 6520). The flaw was found to leak memory contents from the server to the client and from the client to the server without leaving any trace in the activity logs. The bug is assumed to be a programming error in the OpenSSL library, which provides cryptographic services such as SSL/TLS to applications and services.

Here’s a list of OpenSSL versions that are found to be affected by this vulnerability:

  • OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
  • OpenSSL 1.0.1g is NOT vulnerable
  • OpenSSL 1.0.0 branch is NOT vulnerable
  • OpenSSL 0.9.8 branch is NOT vulnerable

The bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.

In general, users carrying out online transactions would check for a padlock icon or a green bar before the URL to see whether a website was secure. With this vulnerability, even if you find one of the two, you cannot be sure that the SSL communication channel is actually secure.

So, what is the solution? How to get rid of this security vulnerability?

After the news first broke, we started investigating our servers and services for this vulnerability, and we are pleased to assure you that our servers aren’t affected by the vulnerability because we use an Enterprise Linux 5 based system (unless some of our customers have installed a different version of an OS from online repositories). Hence we appeal to our customers to patch their systems with the OpenSSL 1.0.1 RPM as published for the RHEL 6, CentOS 6 and CloudLinux 6 repositories.

The only step necessary to update these servers is to run “yum update” to install the updated version of OpenSSL and then either fully restart all SSL-enabled services (e.g. sshd) or reboot the server. We recommend rebooting the server so that no services are missed; it also gives you the opportunity to install an updated kernel if one is available.

The patched OpenSSL 1.0.1e RPM will have a change-log that indicates the CVE-2014-0160 vulnerability has been fixed, such as this example:

# rpm -q --changelog openssl-1.0.1e | grep -B 1 CVE-2014-0160

* Mon Apr 07 2014 Tomáš Mráz <[email protected]> 1.0.1e-16.7

- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension

RHEL/CentOS/CloudLinux 5 servers that use the OpenSSL 0.9.8 RPM included in the official OS repositories are not vulnerable, because they run an older but secure version of OpenSSL that is free from the Heartbleed bug.
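The version list and the changelog check above can be combined, because a vendor RPM such as 1.0.1e-16.7 keeps an upstream version that falls inside the vulnerable range. The shell functions below are an added example, not code from the original post or from any vendor; the function names and the sample strings are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify an OpenSSL build against the ranges listed above.

# Extract the upstream version from a line of `openssl version` output,
# e.g. "OpenSSL 1.0.1e-fips 11 Feb 2013" -> "1.0.1e".
upstream_version() {
    printf '%s\n' "$1" | awk '{ sub(/-.*/, "", $2); print $2 }'
}

# classify_openssl VERSION [CHANGELOG]
# CHANGELOG is the text of `rpm -q --changelog openssl` (may be empty).
classify_openssl() {
    case $1 in
        1.0.1|1.0.1[a-f])
            # Upstream-vulnerable range. Vendors backport the fix without
            # changing the upstream version, so consult the changelog.
            if printf '%s\n' "${2-}" | grep -q 'fix CVE-2014-0160'; then
                echo patched-backport
            else
                echo vulnerable
            fi ;;
        1.0.1[g-z]|1.0.0*|0.9.8*) echo not-vulnerable ;;
        *) echo unknown ;;   # not covered by the list on this page
    esac
}

# Check the local RPM-based system; defined but not called automatically.
check_local() {
    v=$(upstream_version "$(openssl version)")
    log=$(rpm -q --changelog openssl 2>/dev/null || true)
    classify_openssl "$v" "$log"
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_CHANGELOG='* Mon Apr 07 2014 Packager <packager@example.invalid> 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension'

classify_openssl "$(upstream_version 'OpenSSL 1.0.1e-fips 11 Feb 2013')" ""
classify_openssl "$(upstream_version 'OpenSSL 1.0.1e-fips 11 Feb 2013')" "$SAMPLE_CHANGELOG"
classify_openssl "$(upstream_version 'OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008')" ""
```

A result of patched-backport describes the installed package only; services started before the update keep the old library loaded until they are restarted or the server is rebooted.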

On cPanel servers with cPanel version 11.42 and above, users are advised to run /scripts/upcp --force and then restart the httpd service, which would fix this issue.

Our Plesk users can follow the references listed at the end of this write-up.

NOTE: Custom installations of OpenSSL that are not provided by the OS vendor may be vulnerable, since they may need to be updated manually. We cannot assist with updating custom installations of OpenSSL.

We too are in the process of scanning our Linux systems, but users may want to scan their servers using this free tool to check for the Heartbleed vulnerability.

If you find your server to be compromised, kindly report it to us by raising a ticket so we can investigate and take the necessary action for your server on priority.

Readers who aren’t our customers can upgrade to OpenSSL 1.0.1g or a newer version.

Once the system is patched with the bug-free version of OpenSSL, it is advised to change your password and, if possible, use two-step verification.

If you are looking to secure your website with SSL, take a look at our SSL Certificate page.
