Vuln web cve-2014-0160
Latest revision as of 18:42, 16 April 2014
Heartbleed OpenSSL vulnerability
Your system is running a version of OpenSSL that is vulnerable to Heartbleed (CVE-2014-0160), a missing bounds check in OpenSSL's handling of the TLS heartbeat extension. Upstream OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1 are affected; 1.0.1g contains the fix. A remote, unauthenticated attacker can send malformed heartbeat requests and read up to 64 KB of the process's memory per request, as many times as they like, so anything that process has held in memory can leak: passwords, session cookies, other users' traffic, and the server's private SSL/TLS key. The exchange is handled inside the TLS layer and normally leaves no trace in application logs, so assume exposure rather than look for proof of it. This is a very serious vulnerability: with the private key an attacker can decrypt or impersonate TLS and SSL connections to your system, exposing any information sent over them. Clients built on a vulnerable OpenSSL are likewise exposed to a malicious server.
Next Steps
Step 1) Patch OpenSSL
To fix this vulnerability you need to upgrade OpenSSL to a version that is not vulnerable: upstream 1.0.1g or later, or your vendor's patched package. Be aware that distribution vendors usually backport the fix without changing the version number, so on RHEL/CentOS the reported version stays 1.0.1e after patching; confirm the fix from the package's changelog entry for CVE-2014-0160 rather than from the version string. The following list links to vendor websites with instructions for fixing this vulnerability.
Operating System vendors:
- Red Hat: https://access.redhat.com/security/cve/CVE-2014-0160
- CentOS: see the Red Hat information above; CentOS is rebuilt from RHEL sources, so the same advisory applies.
Control Panel vendors:
- cPanel: https://cpanel.net/heartbleed-vulnerability-information/
- Parallels Automation: http://kb.parallels.com/en/120984
- Parallels Business Automation Standard: http://kb.parallels.com/en/120986
- Parallels Plesk Panel: http://kb.parallels.com/en/120990
- Parallels Virtualization products: http://kb.parallels.com/en/120989
Note: The above control panels generally use the operating system's OpenSSL rather than shipping their own, so they will not update OpenSSL for you. If your control panel uses the OS libraries (most do), confirm that the OS OpenSSL packages are up to date. Always confirm this with the control panel vendor, though: if the panel replaced OpenSSL on your system, installed its own copy in a non-standard location, or links it statically, upgrading the OS package does not close the hole.
Step 2) Restart all services that use SSL
Upgrading the package only replaces the library on disk; every process that was already running keeps the old, vulnerable copy mapped in memory until it is restarted. The following is a partial list of services that may use SSL/TLS:
- Web servers (e.g. nginx, Apache, LiteSpeed; Tomcat when it uses the APR/native connector, which links OpenSSL)
- IMAP/POP servers (e.g. Courier)
- SMTP mail servers (e.g. Postfix, qmail, Exim)
- control panels (e.g. Plesk, Webmin, cPanel)
- file sharing applications (e.g. WebDAV)
- FTP (if configured to use TLS/SSL, i.e. FTPS)
- tortixd
- OpenVPN
If you use a control panel, check with your control panel vendor for the other services you need to restart and their service names. If you are really unsure, reboot the server, which restarts everything. To restart a service managed by a SysV-style init script, for example tortixd, run this command as root:
service tortixd restart
Note: SSH does not use TLS (the protocol whose heartbeat extension makes this attack possible) and is therefore not vulnerable to Heartbleed, even though OpenSSH is linked against OpenSSL's libcrypto; the bug is in the TLS code in libssl.
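The two checks behind Steps 1 and 2, as an added example that is not code from the original page: the first classifies the output of openssl version against the vulnerable upstream range (with the backport caveat from Step 1 printed when it applies), the second finds processes that still have a deleted, i.e. pre-upgrade, libssl or libcrypto mapped, which is exactly the set of services that Step 2 says must be restarted. The function names, the --scan flag and the constructed SAMPLE_MAPS records are this example's own choices; tortixd and the other service names on the page are not assumed.

```shell
#!/bin/sh
# Added example for Steps 1 and 2 above; it is the editor's own script, not code
# from the original page. Function names, the constructed SAMPLE_MAPS data and
# the "--scan" flag are this example's own choices.

# --- Step 1: version triage --------------------------------------------------
# Upstream releases with the bug: OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1.
# 1.0.1g and later are fixed; 0.9.8 and 1.0.0 never contained the heartbeat code.
# Takes the output of `openssl version` (e.g. "OpenSSL 1.0.1e-fips 11 Feb 2013")
# and returns 0 when the upstream version string is in the vulnerable range.
# Caveat: distributions backport the fix without bumping this string, so a
# "vulnerable" answer here means "check the package changelog", not "unpatched".
heartbleed_version_vulnerable() {
    ver=$(printf '%s\n' "$1" | awk '{print $2}')
    case "$ver" in
        1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*) return 0 ;;   # 1.0.1 .. 1.0.1f, with -fips etc.
        1.0.2-beta1|1.0.2-beta1-*)              return 0 ;;
        *)                                      return 1 ;;
    esac
}

# --- Step 2: which processes still run the OLD library? ------------------------
# A package upgrade replaces libssl/libcrypto on disk, but a process started
# before the upgrade keeps the old file mapped; the kernel shows that mapping as
# "(deleted)" in /proc/<pid>/maps. Reads "<pid> <maps line>" records on stdin and
# prints the distinct pids that still map a deleted libssl or libcrypto.
stale_ssl_pids() {
    awk '$0 ~ /lib(ssl|crypto)[^ ]*\.so/ && $0 ~ /\(deleted\)/ { print $1 }' | sort -nu
}

# Walk every readable /proc/<pid>/maps on this host and feed it to stale_ssl_pids.
scan_running_processes() {
    for m in /proc/[0-9]*/maps; do
        pid=${m#/proc/}; pid=${pid%/maps}
        sed "s|^|$pid |" "$m" 2>/dev/null   # unreadable or vanished processes are skipped
    done | stale_ssl_pids
}

# Constructed sample of what scan_running_processes emits: pid 123 still maps the
# deleted libssl and libcrypto, 456 was restarted (current file), 789 only has a
# stale libcrypto, 999 maps a stale libc, which is not this vulnerability.
SAMPLE_MAPS='123 7f3a r-xp 00000000 fd:01 2101 /usr/lib64/libssl.so.1.0.1e (deleted)
123 7f3b r-xp 00000000 fd:01 2102 /usr/lib64/libcrypto.so.1.0.1e (deleted)
456 7f3c r-xp 00000000 fd:01 2201 /usr/lib64/libssl.so.1.0.1e
789 7f3d r-xp 00000000 fd:01 2102 /usr/lib64/libcrypto.so.1.0.1e (deleted)
999 7f3e r-xp 00000000 fd:01 2301 /lib64/libc-2.12.so (deleted)'

demo_stale_pids() {            # prints "123 789" for the sample above
    printf '%s\n' "$SAMPLE_MAPS" | stale_ssl_pids | tr '\n' ' ' | sed 's/ $//'
}

# Live check of this host. Returns 0 when nothing stale is running, 1 when some
# process must be restarted, 2 when no openssl binary is installed.
heartbleed_check_host() {
    v=$(openssl version 2>/dev/null) || { echo "no openssl binary on PATH"; return 2; }
    if heartbleed_version_vulnerable "$v"; then
        echo "VERSION: '$v' is in the vulnerable upstream range."
        echo "  Distributions backport the fix without bumping this string; on RHEL/CentOS confirm with:"
        echo "    rpm -q --changelog openssl | grep CVE-2014-0160"
    else
        echo "VERSION: '$v' is outside the vulnerable range."
    fi
    stale=$(scan_running_processes)
    if [ -n "$stale" ]; then
        echo "RESTART: these processes still map a deleted libssl/libcrypto:"
        for p in $stale; do
            printf '  %s  %s\n' "$p" "$(tr '\0' ' ' < "/proc/$p/cmdline" 2>/dev/null)"
        done
        return 1
    fi
    echo "RESTART: no running process maps a deleted libssl/libcrypto."
}

if [ "${1-}" = "--scan" ]; then heartbleed_check_host; fi
```

Run it as root with --scan after the package upgrade; every pid it lists is a service (or a control panel's own daemon) that has not yet picked up the fixed library, and a reboot clears the list by definition. On hosts with lsof installed, lsof marks the same deleted mappings with DEL in its FD column, which gives a quick cross-check of the /proc walk.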
Step 3) Rekey your servers
Because Heartbleed can make it possible for an attacker to steal your private keys, re-key your servers: generate a new private key, have your CA issue a certificate for that key, install the new key and certificate, and then revoke the certificate bound to the old key. Having the CA simply reissue a certificate for your existing key does not help; the key itself must change. Contact your CA for its specific process, as each CA may differ. Because other secrets can have been in memory too, also consider invalidating active sessions and having users change passwords once the server is patched.
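The re-key step in working form, as an added example that is not from the original page: the script generates a fresh key and CSR with the openssl command-line tool and then checks that the CSR is bound to the new key and not to the old one, which is the mistake to avoid (a certificate reissued for the same key buys nothing). The function names, the temporary file layout and the /CN=www.example.com subject are this example's own choices; submitting the CSR and revoking the old certificate are done through your CA, as the step says.

```shell
#!/bin/sh
# Added example (editor's own, not from the original page): produce a genuinely
# new key for the re-key step and prove the CSR is bound to it, not to the old
# key. Requires the openssl command-line tool. File names and the certificate
# subject are placeholders.

# SHA-256 fingerprint of the public key (DER-encoded SubjectPublicKeyInfo) held
# by a private key, a CSR or a certificate, so all three can be compared directly.
# $1: kind (key|csr|cert)   $2: PEM file
pubkey_fp() {
    pem=$(case "$1" in
        key)  openssl pkey -in "$2" -pubout 2>/dev/null ;;
        csr)  openssl req  -in "$2" -pubkey -noout 2>/dev/null ;;
        cert) openssl x509 -in "$2" -pubkey -noout 2>/dev/null ;;
    esac)
    [ -n "$pem" ] || { echo "pubkey_fp: cannot read a public key from $1 $2" >&2; return 1; }
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Fresh 2048-bit RSA key plus a CSR for the CA. -nodes leaves the key without a
# passphrase, as an unattended service needs; adjust to your key-handling policy.
# $1: key output path   $2: CSR output path   $3: subject, e.g. /CN=www.example.com
new_key_and_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1" -out "$2" -subj "$3" 2>/dev/null
}

# Returns 0 when private key $1 and the csr/cert $3 (of kind $2) carry the same public key.
same_pubkey() {
    a=$(pubkey_fp key "$1") && b=$(pubkey_fp "$2" "$3") && [ "$a" = "$b" ]
}

# Walk-through: an "old" key standing in for the one that may have leaked, a new
# key + CSR, and the two checks to run before the CSR goes to the CA.
# Returns 0 when the CSR is bound to the new key only.
demo_rekey() {
    d=$(mktemp -d) || return 2
    openssl genrsa -out "$d/old.key" 2048 2>/dev/null                     # possibly stolen key
    new_key_and_csr "$d/new.key" "$d/new.csr" "/CN=www.example.com" || { rm -rf "$d"; return 2; }
    rc=0
    same_pubkey "$d/new.key" csr "$d/new.csr" || rc=1                      # CSR must carry the NEW key
    if same_pubkey "$d/old.key" csr "$d/new.csr"; then rc=1; fi            # and must NOT carry the old one
    rm -rf "$d"
    return $rc
}
```

When the CA returns the certificate, run the same comparison with kind cert against the new key before installing it, then revoke the old certificate; the old private key should be deleted from every host it was deployed to, not kept "just in case".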
Step 4) Optional: Add defense in depth to TLS to help mitigate potential future vulnerabilities
It is also recommended that you enable Perfect Forward Secrecy (ECDHE or DHE key exchange) on your server, so that a private key stolen through some future vulnerability cannot be used to decrypt traffic that was recorded earlier. Forward secrecy does not stop a memory leak like Heartbleed itself; it limits what a stolen key is worth. Please see the PFS article for recommendations.
Outside references
https://www.openssl.org/news/secadv_20140407.txt
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
https://isc.sans.edu/forums/diary/Heartbleed+vendor+notifications/17929