Official Blog of Azilen

The Techie Explorations

Have You Secured Your Web Server From HeartBleed?

Overview

HeartBleed is a biggest security threat on the web. Since December, 2011 it’s on the web, this bug was independently discovered by a team of security engineers (Riku, Antti and Matti) at Codenomicon and Neel Mehta of Google Security, who first reported it to the OpenSSL team.

As per the official website,

“The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).”

This bug allows anybody on the web to read anybody’s system memory, although it’s protected by the vulnerable versions of the OpenSSL.

Who is Affected From This Bug?

You may be directly or indirectly affected by this bug. Any popular social website, any installed software, ecommerce website, government websites, company website that might be using vulnerable OpesSSL may affected by this bug. Any webserver which is using an insecure version of OpenSSL is affected, like Web services (HTTPS), Mail Services, OpenSSL, VOIP, and SSL based VPNs, etc.

If you are using these services for your business then first checks that your website is affected by this bug or not, if yes then change the password for all your accounts. Also, you can manually check your website with the help of this online tool at http://filippo.io/Heartbleed/.

Below OpenSSL versions are vulnerable:

  • OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
  • 1.0.2-beta & 1.0.2-beta1 are vulnerable

If you are using a web server which is running on OpenSSL, you must test your vulnerabilities using different utilities.

Many Operating Systems that have delivered with possibly insecure OpenSSL version, which are:

  • Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
  • Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
  • CentOS 6.5, OpenSSL 1.0.1e-15
  • Fedora 18, OpenSSL 1.0.1e-4
  • OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May 2012)
  • FreeBSD 10.0 – OpenSSL 1.0.1e 11 Feb 2013
  • NetBSD 5.0.2 (OpenSSL 1.0.1e)
  • OpenSUSE 12.2 (OpenSSL 1.0.1c)

Operating system distribution with versions those are not vulnerable:

  • Debian Squeeze (oldstable), OpenSSL 0.9.8o-4squeeze14
  • SUSE Linux Enterprise Server
  • FreeBSD 8.4 – OpenSSL 0.9.8y 5 Feb 2013
  • FreeBSD 9.2 – OpenSSL 0.9.8y 5 Feb 2013
  • FreeBSD 10.0p1 – OpenSSL 1.0.1g (At 8 Apr 18:27:46 2014 UTC)
  • FreeBSD Ports – OpenSSL 1.0.1g (At 7 Apr 21:46:40 2014 UTC)

What about Mac and iOS Users?

As per AskDifferent,

“No versions of OS X are affected (nor is iOS affected). Only installing a third party app or modification would result in a Mac or OS X program having that vulnerability / bug in OpenSSL version 1.0.x

Apple deprecated OpenSSL on OS X in December of 2012 if not earlier. No version of OpenSSL that is vulnerable to the Heartbleed Bug”

So iOS and Mac uses don’t have to worry about the HeartBleed bug, as apple is not using OpenSSL in iOS.

Solutions to Prevent

  • Upgrade your OpenSSL 1.0.1g.
  • Recreate your secret keys
  • Ask your users to change the password for their accounts
  • Disable Heartbeat from your Present Installed SSL
  • Upgrade your OpenSSL on Ubuntu 13.10, Ubuntu 12.10 and Ubuntu 12.04 LTS.

To update your system on Ubuntu, please follow these instructions at, https://wiki.ubuntu.com/Security/Upgrades.

“Hope this helps you to fix the HeartBleed Bug”

Leave a reply