Difference between revisions of "Vuln web cve-2014-0160"

From Atomicorp Wiki
Jump to: navigation, search
m (Next Steps)
m (Next Steps)
Line 23: Line 23:
 
Parallels Virtualization products: http://kb.parallels.com/en/120989
 
Parallels Virtualization products: http://kb.parallels.com/en/120989
  
Step 2) Optional:  Add defense in depth to TLS to help mitigate potential future vulnerabilities
+
Step 2) Restart all services that use SSL
 +
 
 +
The follow is a partial list of all services that may use SSL
 +
 
 +
* http/apache
 +
* http/nginx
 +
* http/litespeed
 +
* IMAP/POP servers
 +
* SMTP mail servers
 +
* control panels
 +
* file sharing applications
 +
* FTP (if configured to use SSL)
 +
 
 +
Note: SSH does not use SSL
 +
 
 +
Step 3) Rekey your servers
 +
 
 +
Because heartbleed can make it possible for an attacker to steal your private keys, it is recommended that your re-key your servers.  Please contact your CA vendor for specific instructions to do this, as each CA vendor may have a different process.
 +
 
 +
Step 4) Optional:  Add defense in depth to TLS to help mitigate potential future vulnerabilities
  
 
It is also recommended that you implement Perfect Forward Secrecy on your server to mitigate possible future vulnerabilities in the TLS protocol.  Please see the [[PFS]] article for recommendations.
 
It is also recommended that you implement Perfect Forward Secrecy on your server to mitigate possible future vulnerabilities in the TLS protocol.  Please see the [[PFS]] article for recommendations.

Revision as of 12:31, 11 April 2014

Heartbleed OpenSSL vulnerability

This vulnerability means that your system is running a vulnerable version of openssl that is vulnerable to the Heartbleed Vulnerability. This vulnerability makes it possible for an attacker to steal information from memory on your server, remotely, including passwords, sensitive information and private SSL keys. This is a very serious vulnerability and means that TLS and SSL based connections on your system can be compromised by an attacker exposing any information being sent over these connections.

Next Steps

Step 1) Patch OpenSSL

To fix this vulnerability you need to upgrade openssl to a version that is not vulnerable to this hole. The follow list provides links to specific vendors websites with instructions to fix this vulnerability.

Redhat: https://access.redhat.com/security/cve/CVE-2014-0160

Centos: See the Redhat information above. Centos is a derivative of RHEL.

Cpanel: https://cpanel.net/heartbleed-vulnerability-information/

Parallels Automation: http://kb.parallels.com/en/120984

Parallels Business Automation Standard: http://kb.parallels.com/en/120986

Parallels Plesk Panel: http://kb.parallels.com/en/120990

Parallels Virtualization products: http://kb.parallels.com/en/120989

Step 2) Restart all services that use SSL

The follow is a partial list of all services that may use SSL

  • http/apache
  • http/nginx
  • http/litespeed
  • IMAP/POP servers
  • SMTP mail servers
  • control panels
  • file sharing applications
  • FTP (if configured to use SSL)

Note: SSH does not use SSL

Step 3) Rekey your servers

Because heartbleed can make it possible for an attacker to steal your private keys, it is recommended that your re-key your servers. Please contact your CA vendor for specific instructions to do this, as each CA vendor may have a different process.

Step 4) Optional: Add defense in depth to TLS to help mitigate potential future vulnerabilities

It is also recommended that you implement Perfect Forward Secrecy on your server to mitigate possible future vulnerabilities in the TLS protocol. Please see the PFS article for recommendations.

Outside references

http://heartbleed.com/

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160

https://isc.sans.edu/forums/diary/Heartbleed+vendor+notifications/17929

Personal tools