4th Floor, 4 Tabernacle Street London EC2A 4LU

Ubuntu – Update OpenSSL – Fix HeartBleed Vulnerability

In case you haven’t heard, a critical bug in the widely used OpenSSL library has been disclosed this week.

http://www.bbc.co.uk/news/technology-26971363

Despite the cool name and vector logo, Heartbleed is one of the scariest security bugs to hit the Internet in a long time.

 

I was able to query my own server to reveal memory dumps containing database table

names and a few other interesting bits!

Once you have fixed your servers – update your passwords!Now if I was constantly doing that, I could grab and amass a great deal of useful info.

 

For updating Ubuntu..

 

Step 1 – Check your current OpenSSL version

Run openssl version -a

root@sin1:~# openssl version -a
OpenSSL 1.0.1e 11 Feb 2013
built on: Mon Jul 15 12:44:45 UTC 2013
platform: debian-amd64
options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx) 
compiler: cc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DOPENSSL_NO_TLS1_2_CLIENT -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/usr/lib/ssl"
root@sin1:~#

Note: OpenSSL 0.9.8 branch is not vulnerable

Versions earlier than 1.0.1 are not vulnerable (although you should upgrade now that a fix is live for the latest version).

 

If you are running Ubuntu 13.01 you Raring updates, so you may need to do it manually: 

Step 2 – Install the latest security updates

Run apt-get update followed by apt-get dist-upgrade

root@www:~# apt-get dist-upgrade
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Calculating upgrade... Done
The following packages will be upgraded:
  file libmagic1 libssl-dev libssl-doc libssl1.0.0 openssh-client openssh-server openssl
8 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 5,697 kB of archives.
After this operation, 2,048 B of additional disk space will be used.
Do you want to continue [Y/n]? y

You might need to restart your server if prompted.

Step 3 – Check to make sure the patched version of OpenSSL successfully installed

Run openssl version -a

root@discuss:~# openssl version -a
OpenSSL 1.0.1 14 Mar 2012
built on: Mon Apr  7 20:33:29 UTC 2014
platform: debian-amd64
options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx) 
compiler: cc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DOPENSSL_NO_TLS1_2_CLIENT -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/usr/lib/ssl"
root@discuss:~#