You may have read about the Heartbleed bug this morning (8th April). Not only is this the day Microsoft ends support for the operating system Windows XP, but we now also have a very critical OpenSSL bug to mitigate, and it’s quite a big one. Anyone running a Linux server is most likely affected in some way, and action is required immediately. I’ve personally just had to update OpenSSL on four VPS servers and revoke and re-issue about 6 SSL certificates, serious stuff. Find out more after the break.
What is the Heartbleed bug?
There is an official site that explains everything in great detail. The summary is that a programming error in OpenSSL makes it possible to read the secret keys used to encrypt traffic with SSL/TLS. Thinking MITM (Man in the Middle) attack? This is worse, much worse. The secret keys can be exposed directly thanks to a programming oversight that gives read access to up to 64k of memory on the affected server per heartbeat, and from there it’s potentially game over. This means personal data like passwords, and any other sensitive data you can think of, is wide open to be revealed. You’ll definitely want to read the official website to get all the information.
Wondering how you fix this? Read on.
First, identify whether you are running servers with a vulnerable OpenSSL version; chances are you will be (see the official site for the version list). If you are, you must first patch OpenSSL to fix the main vulnerability (Heartbleed). Many Linux distributions such as Debian, Red Hat and CentOS have already released updated and patched OpenSSL packages, which can be installed with their respective package manager, e.g. apt or yum. If you can’t update OpenSSL via your distro’s package manager, you’ll need to compile OpenSSL from source with specific flags (again covered on the official site).
Restart processes relying on OpenSSL Libraries
Now that you’ve patched or updated OpenSSL, services that were started before the update will still be running with the old OpenSSL libraries loaded in memory. You will need to restart or kill them to clear this. A neat command posted on webhostingtalk.com shows which processes are still using the old libraries, so you can decide whether to restart or kill each service or process.
lsof -n | grep ssl | grep DEL
Common services that could still be using old OpenSSL libraries may include:
There are many more, however… Observe the output of the above command and restart or kill processes to clear the old libraries. Once the command returns nothing, you can be sure no service is still using the old OpenSSL libraries. Alternatively you could simply reboot the server, but that’s overkill; you’ll want to fix all of this with minimal interruption.
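The two checks above (is the installed version an affected release, and which processes still hold the replaced libraries) as an added example that is not part of the original post or the webhostingtalk.com command. The version list is the upstream one (1.0.1 through 1.0.1f and 1.0.2-beta1); the lsof sample is constructed, and the function names are my own:

```shell
#!/bin/sh
# Added example, not from the original post: helpers for the two checks above.
# 1) flag an `openssl version` string that names a Heartbleed-affected release
# 2) parse `lsof -n` output for processes still mapping a DELETED libssl/libcrypto

# Affected upstream releases: 1.0.1 through 1.0.1f and 1.0.2-beta1 (fixed in 1.0.1g).
# Caveat: Debian/Red Hat/CentOS backport the fix without bumping this string
# (e.g. a patched 1.0.1e still reports 1.0.1e), so for distro packages trust
# the package changelog or vendor advisory, not this test alone.
heartbleed_version_vulnerable() {
    ver=$(printf '%s\n' "$1" | awk '{print $2}')   # "OpenSSL 1.0.1e 11 Feb 2013" -> "1.0.1e"
    ver=${ver%-fips}                                # RHEL builds print "1.0.1e-fips"
    case "$ver" in
        1.0.1|1.0.1[a-f]|1.0.2-beta1) return 0 ;;
        *) return 1 ;;
    esac
}

# Reads `lsof -n` output on stdin and prints "PID COMMAND" once per process for
# every entry whose FD column is DEL and whose path is libssl or libcrypto, i.e.
# the process still runs code from a library file the upgrade replaced on disk.
# libcrypto is included alongside libssl: both ship in the OpenSSL package.
stale_ssl_procs() {
    awk '$4 == "DEL" && $NF ~ /lib(ssl|crypto)\.so/ { print $2, $1 }' | sort -u
}

# Constructed sample of `lsof -n` output (not captured from a real host).
SAMPLE_LSOF='COMMAND   PID     USER   FD   TYPE DEVICE SIZE/OFF   NODE NAME
nginx    1234     root  DEL    REG  252,1         131094 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
nginx    1234     root  DEL    REG  252,1         131095 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
nginx    1235 www-data  DEL    REG  252,1         131094 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
sshd      900     root  DEL    REG  252,1         131095 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
cron      700     root  DEL    REG  252,1          12345 /usr/lib/x86_64-linux-gnu/libpcre.so.3
bash     2000     root  mem    REG  252,1         131200 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0'

# Runs the parser over the constructed sample; the bash line is a live (mem)
# mapping of the NEW library and the cron line is unrelated, so neither shows up.
sample_stale_procs() { printf '%s\n' "$SAMPLE_LSOF" | stale_ssl_procs; }

if [ "${1:-}" = "--live" ]; then
    # Real run on this host: check the version string, then list stale processes.
    heartbleed_version_vulnerable "$(openssl version)" && echo "openssl version string is an affected release"
    lsof -n | stale_ssl_procs
else
    sample_stale_procs
fi
```

Run it with `--live` on the server itself; without arguments it only demonstrates the parsing on the sample. Each "PID COMMAND" line is a candidate for a restart, and once `lsof -n | stale_ssl_procs` prints nothing the old libraries are gone from memory.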
Revoke old SSL certificates and re-issue them with new keys
Next you need to revoke the SSL certificates that are compromised thanks to this bug. While you’ve fixed OpenSSL and its libraries, certificates generated with vulnerable OpenSSL versions are still themselves vulnerable to the attack. Whether an SSL certificate is vulnerable depends on when it was generated and which version of OpenSSL generated it at the time. I found that a site I use often to confirm the validity of my SSL certificates has recently been updated to detect the Heartbleed bug. If this site says your SSL certificate is vulnerable, revoke the SSL certificate and generate a new CSR and key. Repeat for any SSL certificates that are compromised. Make sure the CSR and key generation is done on a server with either a patched or non-affected version of OpenSSL.
Not sure if the SSL certificate is vulnerable? Revoke it and re-issue it for absolute security; don’t chance it.
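Re-keying properly, as an added example that is not part of the original post: the functions below generate a fresh key and CSR with the openssl command-line tool, then check that the CSR really is backed by a new key, because re-issuing a certificate over the same private key that may have leaked achieves nothing. The file names, the /CN=www.example.com subject and the demo_* helpers are assumptions for illustration; run it on a host whose OpenSSL is already patched, as the post says.

```shell
#!/bin/sh
# Added example, not from the original post: re-key a certificate properly.
# Re-issuing a certificate over the SAME private key gains nothing: if the key
# leaked through Heartbleed, the new certificate is just as exposed.
# Run on a host whose OpenSSL is already patched. Paths/subjects are assumptions.

# Generate a fresh 2048-bit RSA key and a CSR for it.
# $1 = output prefix (writes $1.key and $1.csr), $2 = subject, e.g. "/CN=www.example.com".
make_new_key_and_csr() {
    prefix=$1; subject=$2
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$prefix.key" -out "$prefix.csr" -subj "$subject" 2>/dev/null
    chmod 600 "$prefix.key"
}

# DER-encoded public half of a private key ("key") or of a CSR ("csr"),
# so keys can be compared without handling the private material directly.
pubkey_der() {
    case "$2" in
        key) openssl pkey -in "$1" -pubout -outform DER 2>/dev/null ;;
        csr) openssl req -in "$1" -pubkey -noout 2>/dev/null | openssl pkey -pubin -outform DER 2>/dev/null ;;
    esac
}

# SHA-256 fingerprint of that public key (last field of `openssl dgst` output).
pubkey_fpr() { pubkey_der "$1" "$2" | openssl dgst -sha256 | awk '{print $NF}'; }

# Returns 0 only when the new key differs from the old one (a real rotation)
# AND the CSR you are about to send to the CA is backed by the new key.
# $1 = old key, $2 = new key, $3 = new CSR
key_rotated() {
    old=$(pubkey_fpr "$1" key); new=$(pubkey_fpr "$2" key); csr=$(pubkey_fpr "$3" csr)
    [ -n "$old" ] && [ -n "$new" ] && [ "$old" != "$new" ] && [ "$new" = "$csr" ]
}

# Correct procedure: old key stands in for the compromised one, new key replaces it.
demo_rekey() {
    dir=$(mktemp -d)
    make_new_key_and_csr "$dir/old" "/CN=www.example.com"
    make_new_key_and_csr "$dir/new" "/CN=www.example.com"
    if key_rotated "$dir/old.key" "$dir/new.key" "$dir/new.csr"; then rc=0; else rc=1; fi
    rm -rf "$dir"
    return $rc
}

# Failure mode: a new key exists, but the CSR was built over the OLD key
# (`openssl req -new -key old.key`). key_rotated must reject it.
demo_csr_over_old_key() {
    dir=$(mktemp -d)
    make_new_key_and_csr "$dir/old" "/CN=www.example.com"
    make_new_key_and_csr "$dir/new" "/CN=www.example.com"
    openssl req -new -key "$dir/old.key" -sha256 -out "$dir/reuse.csr" -subj "/CN=www.example.com" 2>/dev/null
    if key_rotated "$dir/old.key" "$dir/new.key" "$dir/reuse.csr"; then rc=1; else rc=0; fi
    rm -rf "$dir"
    return $rc
}

if demo_rekey; then echo "rotation OK: CSR is backed by a new key"; else echo "NOT rotated"; fi
```

Submit only a CSR that passes key_rotated against the key the vulnerable server was using; once the CA has issued the replacement, install it, then revoke the old certificate.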
Be vigilant, consider changing passwords
As this bug is very serious, personal data may have already been intercepted from a variety of websites, with login credentials being at very high risk in this case. It would therefore be wise to change your passwords for online services and keep an eye on any accounts you have. The main problem with the Heartbleed bug is that, if exploited, it is very difficult to detect as it leaves no trace, so you can’t be sure whether your data has been compromised.
Spread the word, stay safe
While this news is hard not to hear about in the tech world, pass on the information regarding the Heartbleed bug to others and help everyone stay safe. Knowledge is power!