Dealing with the “OpenSSL” Heartbleed Problem

First of all, were you aware that Yum does not properly update your OpenSSL software? I know, it is shocking, right?!? Why doesn’t “yum update” or “yum update openssl” take care of it?

In this day of expectations, you would think that the number one vulnerability of hackers’ choice would be closed off and eliminated for a more secure Internet on every Linux, Windows, and Apple OS. You would, however, be wrong in that assumption.

Below I list the steps for updating OpenSSL from source on Linux or UNIX, for those who wish to change their fate in this respect.

The following should work on any Linux system, but I used it on a CentOS 7 system running on an Intel i3-based 64-bit workstation/server.

wget https://www.openssl.org/source/openssl-1.0.2a.tar.gz
wget http://www.linuxfromscratch.org/patches/blfs/svn/openssl-1.0.2a-fix_parallel_build-1.patch
tar xzf openssl-1.0.2a.tar.gz
cd openssl-1.0.2a
patch -Np1 -i ../openssl-1.0.2a-fix_parallel_build-1.patch
./config --prefix=/usr --openssldir=/etc/ssl --libdir=lib shared zlib-dynamic
make
make install

Check the result:

openssl version
OpenSSL 1.0.2a 19 Mar 2015
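One caveat on the "openssl version" check: CentOS and RHEL backport security fixes into their package without changing the upstream version string, so a banner reading 1.0.1e can be either vulnerable or already fixed, and the only way to tell from the package itself is whether its changelog ("rpm -q --changelog openssl") names CVE-2014-0160. The script below is an added example of mine, not part of this procedure or of any OpenSSL tooling: it classifies a version banner against the affected release range (1.0.1 through 1.0.1f and the 1.0.2 betas) and then consults changelog lines for the backport case. All sample banners and changelog lines in it are constructed for illustration.

```python
import re

# Heartbleed (CVE-2014-0160) affects upstream OpenSSL 1.0.1 through 1.0.1f and
# the 1.0.2 beta releases; 1.0.1g, 1.0.2 final and anything later are fixed.
_VERSION_RE = re.compile(r"^OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def parse_openssl_version(banner):
    """Parse the first line of `openssl version` into (major, minor, fix, letter, beta)."""
    m = _VERSION_RE.match(banner.strip())
    if not m:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    major, minor, fix, letter, beta = m.groups()
    return int(major), int(minor), int(fix), letter, (int(beta) if beta else None)


def upstream_version_vulnerable(banner):
    """True if the upstream release named in the banner shipped with the Heartbleed bug."""
    major, minor, fix, letter, beta = parse_openssl_version(banner)
    if (major, minor, fix) == (1, 0, 1):
        return letter <= "f"        # "" (plain 1.0.1) and "a".."f" vulnerable; "g" onward fixed
    if (major, minor, fix) == (1, 0, 2):
        return beta is not None     # 1.0.2-beta1/beta2 vulnerable; 1.0.2 final and 1.0.2a fixed
    return False                    # 0.9.8 and 1.0.0 never had the heartbeat extension bug


def changelog_mentions_fix(changelog_lines):
    """True if the distro package changelog (rpm -q --changelog openssl) records the CVE."""
    return any("CVE-2014-0160" in line for line in changelog_lines)


def assess_host(banner, changelog_lines=()):
    """Combine both checks: a backported distro build keeps the old banner but lists the CVE."""
    if not upstream_version_vulnerable(banner):
        return "fixed"
    if changelog_mentions_fix(changelog_lines):
        return "fixed-by-distro-backport"
    return "vulnerable"


if __name__ == "__main__":
    # Constructed sample inputs for this example, not captured from a real system.
    samples = [
        ("OpenSSL 1.0.2a 19 Mar 2015", []),
        ("OpenSSL 1.0.1e-fips 11 Feb 2013", []),
        ("OpenSSL 1.0.1e-fips 11 Feb 2013",
         ["- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension"]),
        ("OpenSSL 1.0.2-beta1 24 Feb 2014", []),
        ("OpenSSL 1.0.0k 5 Feb 2013", []),
    ]
    for banner, log in samples:
        print("%-35s -> %s" % (banner, assess_host(banner, log)))
```

Feed it the real banner from "openssl version" and the real changelog output on a host you manage; "vulnerable" means the binary either needs the distro's patched package or a source build like the one above, while "fixed-by-distro-backport" means the banner alone was misleading.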

I also looked up Microsoft and third-party hotfixes and found the following that deal with OpenSSL:

KB2962140, KB2964757:
http://kb.juniper.net/InfoCenter/index?page=content&id=KB29020

Download of Microsoft hotfix:
http://www.microsoft.com/en-us/download/details.aspx?id=42632

(There may be others, but this is the only one I have been able to find.)

The following exploit is good for testing a deployed OpenSSL-based service and should also help to confirm the fix:

http://www.exploit-db.com/exploits/32745/

In order to use this exploit you must have an SSL-based service (smtp, pop3, httpd, etc.) running on the port you pass to the exploit, for example port 443. To test:

python myHeartBleedExploit.py localhost -p443

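If you would rather see what the fix actually checks than fire an exploit at the box, the following is an added example of mine (not the exploit-db script and not OpenSSL's own code). It validates a TLS record carrying a heartbeat message the way the 1.0.1g fix does: per RFC 6520 the message is a 1-byte type, a 2-byte payload_length, the payload, and at least 16 bytes of padding, so a record is only sane when 1 + 2 + payload_length + 16 fits inside the record length; a fixed implementation silently discards anything else. The sample records at the bottom are hand-built for this example, not captured traffic, and the same length comparison is what IDS signatures for CVE-2014-0160 key on.

```python
import struct

HEARTBEAT_CONTENT_TYPE = 0x18          # TLS ContentType for the heartbeat extension
APPLICATION_DATA_CONTENT_TYPE = 0x17
HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE = 1, 2
MIN_PADDING = 16                       # RFC 6520 section 4: padding_length MUST be at least 16


def check_heartbeat_record(record):
    """Validate one TLS record that should carry a heartbeat message.

    Returns (verdict, detail). 'ok' means the claimed payload length fits in the
    record together with the mandatory padding. 'malformed' is the case that
    unpatched OpenSSL 1.0.1 through 1.0.1f copied out of memory anyway
    (CVE-2014-0160) and that a fixed implementation must silently discard.
    """
    if len(record) < 5:
        return "not-tls", "shorter than a 5-byte TLS record header"
    content_type, ver_major, ver_minor, record_len = struct.unpack("!BBBH", record[:5])
    if content_type != HEARTBEAT_CONTENT_TYPE:
        return "not-heartbeat", "content type 0x%02x" % content_type
    body = record[5:5 + record_len]
    if len(body) != record_len:
        return "truncated", "header claims %d body bytes, %d present" % (record_len, len(body))
    if len(body) < 3:
        return "malformed", "heartbeat message shorter than type + payload_length"
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    if hb_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        return "malformed", "unknown heartbeat type %d" % hb_type
    # The bounds check that OpenSSL 1.0.1g added before building the response:
    # type (1) + payload_length field (2) + payload + minimum padding must fit.
    if 1 + 2 + payload_len + MIN_PADDING > record_len:
        return "malformed", "claims %d payload bytes but record holds only %d" % (
            payload_len, record_len - 3)
    return "ok", "payload %d bytes, padding %d bytes" % (
        payload_len, record_len - 3 - payload_len)


# Constructed sample records (hand-built for this example, not captured traffic).
# Well-formed request: TLS 1.1 header, 22-byte body = type 1, length 3, "abc", 16 bytes padding.
GOOD_RECORD = bytes.fromhex("18 0302 0016" "01 0003") + b"abc" + b"\x00" * 16
# Inconsistent request: identical 22-byte body, but payload_length now claims 256 bytes.
BAD_RECORD = bytes.fromhex("18 0302 0016" "01 0100") + b"abc" + b"\x00" * 16
# An ordinary application-data record, for contrast.
APP_DATA_RECORD = bytes.fromhex("17 0302 0005") + b"hello"


def scan_records(records):
    """Classify a batch of records, e.g. the heartbeat records pulled from a capture."""
    return [check_heartbeat_record(r)[0] for r in records]


if __name__ == "__main__":
    for name, rec in (("good", GOOD_RECORD), ("bad", BAD_RECORD), ("appdata", APP_DATA_RECORD)):
        verdict, detail = check_heartbeat_record(rec)
        print("%-8s %-14s %s" % (name, verdict, detail))
```

Pointing this at heartbeat records extracted from a packet capture of the test above shows what a patched server is rejecting; a "malformed" verdict on a request that nonetheless got a response is the signature of an unpatched service.
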
You may also find the stunnel utility helpful in testing, since it lets non-SSL services be reached through SSL-protected ports.

Perhaps my next blog entry will cover the stunnel utility in more depth.

I hope you found this blog helpful!

If you’ve come across other issues, please let me know in the comment section below. Perhaps you know of device drivers in Windows or Linux that use OpenSSL as part of their functionality, or of third-party programs that embed the OpenSSL libraries.

I would love to hear about them.

Additional references:

http://heartbleed.com/
https://nvd.nist.gov/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160

Robert Silver is the Founder of Distinctly Digital Services. He worked as a Database Administrator (DBA) and Software Engineer for over 10 years, with expertise in both workstation client software and real-time, database-driven, website-based transactional application development on highly secured servers and workstations. He designed, implemented, and configured many databases within Linux/Unix, Microsoft Windows, and VMware server and workstation environments, and backed up, restored, tuned and maintained Oracle SQL Servers and MySQL Servers, allowing for around-the-clock database access by users, as well as providing user support for all database applications.