Patched servers can remain vulnerable to the OpenSSL Heartbleed bug

If an attacker has already used the Heartbleed bug to steal your server's SSL/TLS private key, they can keep decrypting traffic and impersonating your server even after the vulnerability is patched, until that key is replaced.

A security vulnerability in OpenSSL called the Heartbleed Bug (CVE-2014-0160) was publicly disclosed in April 2014. The bug was introduced into OpenSSL in December 2011 and shipped with the release of OpenSSL 1.0.1 in March 2012, so it has been open for exploitation for about two years but was discovered only recently. OpenSSL 1.0.1g, released on April 7, 2014, fixes the bug. Using Heartbleed, an attacker can read chunks of server memory (up to 64 KB per request, repeated as often as they like) that may contain private keys, login credentials, session cookies, and the plaintext of other users' connections.

Check if Patched Heartbleed OpenSSL is Installed

Most servers will already have a patched package available from their distribution; apply it with your package manager. If you compiled OpenSSL from source, you will have to update manually to 1.0.1g (or later) or recompile with the option -DOPENSSL_NO_HEARTBEATS, which disables the heartbeat extension altogether.

You can check whether your CentOS/RHEL server already has the patched package by running this command from the shell (Red Hat backports the fix, so the package stays at version 1.0.1e; the changelog is what tells you the fix is in):

rpm -q --changelog openssl-1.0.1e | grep -B 1 CVE-2014-0160

If the patched package is installed it should return an entry like:

* Mon Apr 07 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension

For Ubuntu/Debian, you can check the installed version of OpenSSL using:

openssl version -a

— OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
— OpenSSL 1.0.1g is not vulnerable
— OpenSSL 1.0.0 branch is not vulnerable
— OpenSSL 0.9.8 branch is not vulnerable

Debian and Ubuntu also backport the fix without changing the upstream version, so a server that prints 1.0.1e or 1.0.1f may still be patched. Compare the package version from `dpkg -l openssl libssl1.0.0` against your distribution's security advisory, or look at the "built on" date in the `openssl version -a` output: a build dated before April 7, 2014 cannot contain the fix.

Either check only tells you that the patched library is installed on disk. Services that were already running when the package was updated (Apache, nginx, cPanel, and any other daemon that links OpenSSL) still have the old, vulnerable libssl mapped into memory until they are restarted, so a live test against the server will most likely still report it as vulnerable. There is an easy way to test a service from the outside: filippo.io/Heartbleed/ (the test won't work if you're behind Cloudflare, because it talks to Cloudflare's edge rather than your own server). Don't be surprised when the test still fails on servers where the patch shows as installed.
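The following script is an added example, not code from the original post. It turns the two checks above into something you can run on the box: it classifies the OpenSSL version string against the vulnerable range listed above, and then scans /proc/PID/maps for processes that still have a libssl or libcrypto mapped which the kernel has marked "(deleted)", meaning the package update replaced the file on disk but the old copy is still in use. The function names, the "(deleted)" heuristic (standard Linux /proc behaviour) and the PROC_ROOT parameter are mine.

```shell
#!/bin/sh
# Post-patch Heartbleed check. Added example, not code from the original post.
# Two questions, answered separately:
#   1. Is the OpenSSL version string inside the vulnerable range at all?
#   2. Which running processes still have a libssl/libcrypto mapped that has
#      since been replaced on disk? Those are the services the live test is
#      still talking to, and they stay vulnerable until restarted.

# heartbleed_version_status VERSION  -> vulnerable | fixed | unaffected | unknown
# Encodes only the upstream ranges. Distributions backport the fix without
# bumping the version (RHEL stays at 1.0.1e), so "vulnerable" here means
# "go and check the package changelog", not "definitely exposed".
heartbleed_version_status() {
    case "$1" in
        1.0.1|1.0.1[a-f]*) echo vulnerable ;;
        1.0.1[g-z]*)       echo fixed ;;
        1.0.0*|0.9.8*)     echo unaffected ;;
        *)                 echo unknown ;;
    esac
}

# installed_openssl_version -> e.g. 1.0.1e (empty if the openssl binary is missing)
installed_openssl_version() {
    openssl version 2>/dev/null | awk '{print $2}'
}

# stale_libssl_pids [PROC_ROOT]
# Prints "PID COMMAND LIBRARY" for each process whose maps file still
# references a libssl or libcrypto object marked "(deleted)", i.e. the file was
# replaced by the package update but the old copy is still in use.
# PROC_ROOT defaults to /proc; it is a parameter so the function can be run
# against a constructed directory tree.
stale_libssl_pids() {
    root=${1:-/proc}
    for maps in "$root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=${maps#"$root"/}
        pid=${pid%/maps}
        grep -E 'lib(ssl|crypto)[^ ]*\.so[^ ]* \(deleted\)' "$maps" 2>/dev/null |
            awk '{print $6}' | sort -u |
            while read -r lib; do
                comm=$(cat "$root/$pid/comm" 2>/dev/null || echo '?')
                echo "$pid $comm $lib"
            done
    done
}

main() {
    v=$(installed_openssl_version)
    echo "installed OpenSSL ${v:-?}: $(heartbleed_version_status "$v")"
    echo "processes still mapping a replaced libssl/libcrypto (restart these):"
    stale_libssl_pids
}

main
```

Run it as root so every process's maps can be read. `lsof -n | grep -E 'lib(ssl|crypto)' | grep DEL` gives the same answer on systems where lsof is installed. Anything listed needs a restart; a service that links OpenSSL statically or loads it via dlopen will not show up here, so if the live test still fails with an empty list, reboot.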

It’s not enough to patch the Heartbleed vulnerability!

Some of the fixes I’ve seen on the web suggest that the patch is all that’s needed. It is not, far from it. The servers I’ve worked on so far have either required a manual restart of the respective services or a full reboot. Also, if an attacker has already taken advantage of the Heartbleed bug to steal your SSL private keys, they can keep using the stolen keys even after the vulnerability is patched: to impersonate your server, and, for connections that used RSA key exchange rather than a forward-secret (DHE/ECDHE) cipher suite, to decrypt recorded past traffic as well as future traffic. This means that in order to truly secure your server you will need to generate new private keys, have the certificates reissued and the old ones revoked, and reset passwords and sessions that may have been exposed while the server was vulnerable.
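The key rotation step above, as an added example rather than the post's own procedure: generate a fresh key and CSR (never a CSR from the old key), and compare certificate fingerprints so you can confirm that the certificate a restarted server presents is not the one it served while exploitable. The file names, the example.com subject and the self-signing helper (a stand-in for the CA, so the comparison can be exercised offline) are placeholders of mine.

```shell
#!/bin/sh
# Key rotation after Heartbleed. Added example, not code from the original post.
# Generates a fresh private key and CSR, and compares certificate fingerprints
# so you can confirm that what the server now presents is not the certificate
# it served while the host was exploitable. File names and the example.com
# subject are placeholders; substitute your own.

# new_key_and_csr KEYFILE CSRFILE COMMON_NAME
# Fresh 2048-bit RSA key (written with mode 0600) plus a CSR for the CA.
# The old key must be treated as compromised: do not reuse it for the CSR.
new_key_and_csr() {
    key=$1 csr=$2 cn=$3
    ( umask 077 && openssl genrsa -out "$key" 2048 2>/dev/null ) &&
        openssl req -new -key "$key" -out "$csr" -subj "/CN=$cn"
}

# self_sign_csr KEYFILE CSRFILE CERTFILE
# Local stand-in for the CA, used here only so the comparison below can be
# exercised offline. In production the CA signs the CSR and you install its cert.
self_sign_csr() {
    openssl x509 -req -in "$2" -signkey "$1" -out "$3" -days 1 2>/dev/null
}

# cert_fingerprint CERTFILE -> SHA-1 fingerprint (AB:CD:...)
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha1 -in "$1" | sed 's/^.*=//'
}

# served_fingerprint HOST PORT -> fingerprint of the certificate a live server presents.
# After restarting the service, this must differ from cert_fingerprint of the old cert.
served_fingerprint() {
    echo | openssl s_client -connect "$1:$2" -servername "$1" 2>/dev/null |
        openssl x509 -noout -fingerprint -sha1 | sed 's/^.*=//'
}

# certs_differ OLD NEW -> exit 0 if the two certificates have different fingerprints
certs_differ() {
    [ "$(cert_fingerprint "$1")" != "$(cert_fingerprint "$2")" ]
}
```

Keep the old certificate file around until the rotation is done: `certs_differ old.pem new.pem` on disk, and `served_fingerprint yourhost 443` compared against `cert_fingerprint old.pem`, are the two checks that prove the restarted service is actually using the new key rather than the one that may have leaked. A matching fingerprint after the restart means the old key is still loaded. Revoke the old certificate with your CA once the new one is live.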

If you notice that your server is still open to the Heartbleed exploit even though the patch shows up as installed, you will need to restart the relevant services (e.g. cPanel, Apache, nginx, etc.). Where a service restart was not enough, I have rebooted the server, after which it passed the test.

Many blogs are adding updates stressing the need to restart or reboot services and regenerate the private key. Companies are also sending additional communications; some have sent three follow-up emails on Heartbleed. For example, TurnKey sent this via email a while back: “… installations are configured to automatically install security updates. Unfortunately, installing updates is not enough.” Some will realize in the coming days that the vulnerability was not really stopped with just patching.
