sys·ad·min·ol·o·gy [sis-ad-mih-nol-uh-jee]

noun

  1. The scientific study of system administration and related phenomena.

Tuesday, 8 April 2014

OpenSSL Heartbleed Vulnerability and Gentoo (and a little bit of Debian too)

If you've been hiding under a rock for the last 24 hours, here's the lowdown: heartbleed.com (CVE-2014-0160)

The upshot is that if you are running secure services on anything with OpenSSL versions 1.0.1 to 1.0.1f, there is a vulnerability that allows remote attackers to read chunks of the process's memory in 64k blocks. This means that pretty much anything can be compromised, from usernames and passwords to the private key behind your X.509 certificate! Yeah, pretty scary stuff!

If your service is public facing, you can check whether it is vulnerable by visiting filippo.io/Heartbleed/. Be warned that, as of the time of writing, the load is quite high and the author says it could be causing false negatives. Update: there's another checker here: possible.lv/tools/hb/

Gentoo

Plugging this vulnerability in Gentoo is pretty easy.

First, check what version of OpenSSL you are running with:

openssl version

If you are running an affected version, update it with emerge:

emerge -vat =dev-libs/openssl-1.0.1g

Note that you may need to run emerge --sync first to get the updated version.

Finally, you'll almost certainly need to restart any service that is using OpenSSL, e.g.

/etc/init.d/apache2 restart
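The version check above is done by eye. Here is a small POSIX sh script, added as an example and not part of the original post, that parses the `openssl version` line and classifies it against the affected range the post gives (1.0.1 through 1.0.1f). The sample version lines are constructed, and the script assumes the distribution does not backport fixes while keeping the old upstream version string (true for Gentoo, not for Debian or Ubuntu, where a patched build can still report 1.0.1e; check the package changelog there instead).

```shell
#!/bin/sh
# Added example, not part of the original post: classify an `openssl version`
# string against the Heartbleed-affected range 1.0.1 .. 1.0.1f.
# Assumption: the version string reflects the real code level (Gentoo does
# this; Debian/Ubuntu backport fixes without bumping the string).

# Extract the version token from `openssl version` output,
# e.g. "OpenSSL 1.0.1f 6 Jan 2014" -> "1.0.1f".
openssl_version_token() {
    # Word-split the line on whitespace and take the second field.
    set -- $1
    printf '%s\n' "$2"
}

# Return 0 if the version token is within 1.0.1 .. 1.0.1f, 1 otherwise.
# A trailing "-something" suffix (a constructed vendor tag) is tolerated.
heartbleed_affected() {
    case "$1" in
        1.0.1|1.0.1-*)           return 0 ;;  # 1.0.1 with no letter
        1.0.1[a-f]|1.0.1[a-f]-*) return 0 ;;  # 1.0.1a .. 1.0.1f
        *)                       return 1 ;;  # 1.0.1g+, 1.0.0x, 0.9.8x, ...
    esac
}

# Human-readable verdict for a full `openssl version` line.
heartbleed_verdict() {
    tok=$(openssl_version_token "$1")
    if heartbleed_affected "$tok"; then
        printf 'AFFECTED: %s is within 1.0.1..1.0.1f; upgrade and restart services\n' "$tok"
    else
        printf 'not affected by CVE-2014-0160 (on version string alone): %s\n' "$tok"
    fi
}

# Constructed sample lines standing in for real `openssl version` output.
SAMPLE_VULN='OpenSSL 1.0.1f 6 Jan 2014'
SAMPLE_FIXED='OpenSSL 1.0.1g 7 Apr 2014'

heartbleed_verdict "$SAMPLE_VULN"
heartbleed_verdict "$SAMPLE_FIXED"

# Live check of the installed binary, if one is present on this host.
if command -v openssl >/dev/null 2>&1; then
    heartbleed_verdict "$(openssl version)"
fi
```

Note that a "not affected" verdict from the version string only tells you the library on disk is fixed; a daemon that was started before the upgrade is still running the old code until it is restarted, which is why the restart step matters.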

Given this has been exploitable for quite some time, it's worth getting any certificates re-issued, because there is a chance the secret key has been compromised.

Also, it's worth noting that if you can't upgrade OpenSSL for any reason, you can recompile with the tls-heartbeat USE flag NOT set.

$ equery uses openssl
[ Legend : U - final flag setting for installation]
[        : I - package is installed with flag     ]
[ Colors : set, unset                             ]
 * Found these USE flags for dev-libs/openssl-1.0.1f:
 U I
 + + bindist       : Disable EC/RC5 algorithms (as they seem to be patented) -- note: changes the ABI
 - - gmp           : Add support for dev-libs/gmp (GNU MP library)
 - - kerberos      : Add kerberos support
 - - rfc3779       : Enable support for RFC 3779 (X.509 Extensions for IP Addresses and AS Identifiers)
 - - static-libs   : Build static versions of dynamic libraries as well
 - - test          : Workaround to pull in packages needed to run with FEATURES=test. Portage-2.1.2 handles this internally, so don't set it in make.conf/package.use anymore
 + + tls-heartbeat : Enable the Heartbeat Extension in TLS and DTLS
 - - vanilla       : Do not add extra patches which change default behaviour; DO NOT USE THIS ON A GLOBAL SCALE as the severity of the meaning changes drastically
 + + zlib          : Add support for zlib (de)compression

You can achieve this with:

USE="-tls-heartbeat" emerge openssl -vat

Debian

Most other sites I can find seem to advocate updating the whole system. While you can do this, as a sysadmin it makes me shudder! What other applications might get updated in the process, and what effect could this have on the server?

I prefer this slightly more "surgical" method:

apt-get update
apt-get install openssl libssl1.0.0

Note that both openssl AND libssl1.0.0 must be updated in order to mitigate Heartbleed.
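Updating the packages only replaces the file on disk; every daemon that loaded libssl before the upgrade keeps the old copy mapped until it is restarted (the same point the Gentoo section makes about restarting services). On Linux the kernel marks such mappings "(deleted)" in /proc/<pid>/maps, which gives a cheap way to list what still needs a restart. The script below is an added example, not part of the original post; it assumes a Linux /proc, and the maps excerpts it carries are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: find processes still holding a
# libssl/libcrypto that has been replaced on disk. Assumes Linux /proc.

# Return 0 if a block of /proc/<pid>/maps text (passed as $1) contains a
# deleted libssl or libcrypto mapping, 1 otherwise.
maps_has_stale_ssl() {
    printf '%s\n' "$1" | grep -E '/lib(ssl|crypto)\.so[^ ]* \(deleted\)$' >/dev/null
}

# Walk every process and print "<pid> <command line>" for those still
# mapping a replaced libssl/libcrypto. Output is empty once everything
# has been restarted. Run as root to see other users' processes.
stale_ssl_pids() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        # Unreadable or vanished processes yield an empty string and are skipped.
        if maps_has_stale_ssl "$(cat "$maps" 2>/dev/null)"; then
            printf '%s %s\n' "$pid" "$(tr '\000' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
        fi
    done
}

# Constructed maps excerpts: one process still on the unlinked old library
# (inode 393285), one that was restarted and mapped the new file (393301).
STALE_MAPS='7f3c6a400000-7f3c6a45f000 r-xp 00000000 08:01 393285 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3c6a65e000-7f3c6a668000 rw-p 0005e000 08:01 393285 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)'
CLEAN_MAPS='7f3c6a400000-7f3c6a45f000 r-xp 00000000 08:01 393301 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
7f3c6a200000-7f3c6a3b5000 r-xp 00000000 08:01 131087 /lib/x86_64-linux-gnu/libc-2.13.so'

maps_has_stale_ssl "$STALE_MAPS" && echo "sample 1: old libssl still mapped, restart needed"
maps_has_stale_ssl "$CLEAN_MAPS" || echo "sample 2: clean, new libssl in use"

# Live scan of this host.
echo "processes still using a replaced libssl/libcrypto:"
stale_ssl_pids
```

Daemons that load libssl lazily, or that were started from a copied binary, can be missed by this check, so treat an empty list as a good sign rather than proof; lsof shows the same deleted mappings with type DEL if you prefer that route.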
