How To Mitigate & Fix OpenSSL Heartbeat on CentOS or Ubuntu

1
(No Transcript)
2
How To Mitigate Fix OpenSSL Heartbeat on CentOS
or Ubuntu

• An extremely critical security issue was recently
  discovered in OpenSSL.
• It has been found affecting versions 1.0.1
  through 1.0.1f.
• All CentOS 6.5 versions are packaged with OpenSSL
  1.0.1e-15 are all vulnerable to this bug.
• Note that older stable CentOS versions are not
  vulnerable to this bug.
• All Ubuntu versions since Ubuntu 12.04. This bug
  even got its own name, heartbleed.

3
How To Mitigate Fix OpenSSL Heartbeat on CentOS
or Ubuntu

• The Heartbleed Bug is a serious vulnerability in
  the popular OpenSSL cryptographic software
  library.
• This weakness allows stealing the information
  protected, under normal conditions, by the
  SSL/TLS encryption used to secure the Internet.
• SSL/TLS provides communication security and
  privacy over the Internet for applications such
  as web, email, instant messaging (IM) and some
  virtual private networks (VPNs).
• The Heartbleed bug allows anyone on the Internet
  to read and steal 64k of memory of the systems
  protected by the vulnerable versions of the
  OpenSSL software.
• This compromises the secret keys used to identify
  the service providers and to encrypt the traffic,
  the names and passwords of the users and the
  actual content.
• This allows attackers to eavesdrop on
  communications, steal data directly from the
  services and users and to impersonate services
  and users.

4
How To Mitigate Fix OpenSSL Heartbeat on CentOS
or Ubuntu

• Fixing it is relatively simple now that most
  Linux distributions have pushed out changes to
  their repositories containing a fixed version of
  OpenSSL.
• In order to patch this vulnerability, affected
  users should update to the latest OpenSSL
  version. So, the update should be as easy as
• Fedora/CentOS yum clean all yum
  check-update yum update Ubuntu/Debian
  sudo apt-get update sudo apt-get upgrade
  openssl

5
How To Mitigate Fix OpenSSL Heartbeat on CentOS
or Ubuntu

• If all went without errors, thats it. Now, lets
  make sure that we are running the version without
  security issues.
• Fedora/CentOS rpm -qa grep
  openssl openssl-1.0.1e-16.el6_5.7.x86_64 openssl
  -devel-1.0.1e-16.el6_5.7.x86_64
  Ubuntu/Debian openssl version OpenSSL
  1.0.1 14 Mar 2012
• Now, after we made sure we are using the latest
  version, we need to regenerate your certificate
  using a new private key.
• This process is standard, first, we should create
  a certificate signing request, create a new key
  and then create the certificate itself (if we are
  using our own certificates, or send CSR to
  certificate authority issuer to create the new
  certificate).
• Then, replace the old certificate and start using
  the new ones.

6
How To Mitigate Fix OpenSSL Heartbeat on CentOS
or Ubuntu

• The next step is to make sure that we restart all
  the services that are using SSL certificates. For
  example, if we have apache webserver we should
  execute
• Fedora/CentOS /etc/init.d/httpd
  restart Ubuntu/Debian sudo service
  apache2 restart
• We should do that same for any other webserver or
  any other service that we use (Nginx, vsftpd,
  MySQL etc). Now we can sit back and relax. We are
  protected from the Heartbleed bug.