Discussion – 


[Critical Secuirty Alert] CVE-2014-0160 – OpenSSL private key bug

Today there was news regarding an OpenSSL critical security advisory put out (CVE-2014-0160) that affects OpenSSL 1.0.1  This security bug allows a hacker to listen to your SSL encrypted session, capture the private key, stores it, and allows them time to decrypt the session and read it in plain text.

Due to the vulnerability affecting the heartbeat functionality, it has been dubbed “Heartbleed”.

As of this writing, patches are available in all major Linux distribution repositories. If you’re on a Debian based distribution, you can upgrade by running apt-get update followed by apt-get upgrade. On RHEL derivatives such as CentOS and Fedora, you’ll want to use yum update all or  simply type “yum -y update openssl” if you have root access.

Following the package upgrade we advise you to reboot your server to ensure that all services linking against libssl use the patched version.

The advice is to update to OpenSSL 1.0.1g immediately, and regenerate your private keys.

If it’s not possible to update to the latest version of OpenSSL, software developers are advised to recompile OpenSSL with the compile time option OPENSSL_NO_HEARTBEATS.

Which versions of OpenSSL are vulnerable?

OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
OpenSSL 1.0.1g is NOT vulnerable
OpenSSL 1.0.0 branch is NOT vulnerable
OpenSSL 0.9.8 branch is NOT vulnerable

To check the version of OpenSSL, at the command line, type “openssl version”.

Check with your vendors who uses a linux distro base with SSL to get an update if there is no root access if they are using OpenSSL 1.0.1 up to 1.0.1e.

Note that OpenSSH doesn’t use OpenSSL for TLS, only for key generation, so you thankfully don’t need to worry about your SSH keys.

Please check with your phone vendors and any system you use that has an SSL.

You May Also Like