A new vulnerability (CVE-2014-0160) has been discovered in OpenSSL named ‘Heartbleed’ (vulnerabilities in TLS heartbeat extension ). OpenSSL is the core cryptographic library used to establish SSL/TLS connections. It enables clients to (a) verify that they are indeed communicating with the server they expect and not a man-in-the-middle and (b) encrypt the network traffic so that parties other than the client and server cannot eavesdrop on the messages
The BAD & the UGLY
The latest vulnerability compromises the aforementioned security features provided by OpenSSL and allows a malicious client or server to read up to 64KB of memory from the remote machine, potentially compromising any secrets including the private keys of TLS certificates and previously transmitted or information transmitted in future if a captured packet dump is available for the same.
How to safeguard against it ?
Not all versions of OpenSSL suffer from this vulnerability. If you are running an SSL enabled website, please check your OpenSSL version by running the following command
$ OpenSSL version -a
The first line of the output will tell you the version of the OpenSSL that you are running.
The versions affected by the Heartbleed vulnerability are 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1.
For RH based distributions like CentOS 6 the above doesn’t apply please refer to this announcement :- http://lists.centos.org/pipermail/centos-announce/2014-April/020249.html
If you are running a vulnerable version along with the heatbeat extension then you should to upgrade to the fixed version released by your GNU/Linux distribution. There is a possibility that heartbeat extension might not be enabled on your server but it is a good practice to update to latest version available on your GNU/Linux distribution anyway.
To check if you have heartbeat installed, you can run the following command in your terminal (on a GNU/Linux machine)
$ openssl s_client -connect example.com:443 -tlsextdebug 2&>1| grep ‘server extension “heartbeat” (id=15)’ || echo safe
In the above command replace ‘example.com’ with your own website. If the output of the command is
‘safe’ then you have nothing to worry about, if otherwise then you need to upgrade as soon as possible.
To upgrade, follow the following procedure :
1. For Centos 6.x Systems (Centos 5.x uses previous versions of OpenSSL which haven’t been affected by this vulnerability) users can do a simple upgrade using yum by simply running :
$ yum –disablerepo=”*” –enablerepo=”updates” update openssl
2. For Ubuntu and Debian Systems it can be done by running :
$ sudo apt-get update
$ sudo apt-get upgrade openssl
If you are running debian/ubuntu and still seeing issues after upgrading openssl, don’t forget to upgrade libssl-dev.. If your repository configurations are correct the above commands should patch this vulnerability on your systems.
Update: E2E has fixed the vulnerability by upgrading openssl to a recommended version on all managed boxes and un-managed boxes (where our keys are available). Please mail us on firstname.lastname@example.org (For Managed customers) and email@example.com (for un-managed customers) for all details on the issue