The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure it.

You are likely affected if you have configured and are running an SSL-enabled website, meaning that you can access it using the https:// prefix instead of http://. You will need to patch the libraries in your system and replace the certificates and keys that may have been compromised. Please note that remote access using ssh is NOT affected.

OpenSSL versions from 1.0.1 through 1.0.1f (inclusive) are vulnerable and make it possible to steal information, including everything from the encrypted content to the secret key used for the encryption. The attack is also undetectable.

This security issue has been described in detail on the following page:
http://heartbleed.com/


How about operating systems?

Some operating system distributions that have shipped with a potentially vulnerable OpenSSL version:
  • Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
  • Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
  • CentOS 6.5, OpenSSL 1.0.1e-15
  • Fedora 18, OpenSSL 1.0.1e-4
  • OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May 2012)
  • FreeBSD 10.0 - OpenSSL 1.0.1e 11 Feb 2013
  • NetBSD 5.0.2 (OpenSSL 1.0.1e)
  • OpenSUSE 12.2 (OpenSSL 1.0.1c)
Operating system distributions with versions that are not vulnerable:
  • Debian Squeeze (oldstable), OpenSSL 0.9.8o-4squeeze14
  • SUSE Linux Enterprise Server
  • FreeBSD 8.4 - OpenSSL 0.9.8y 5 Feb 2013
  • FreeBSD 9.2 - OpenSSL 0.9.8y 5 Feb 2013
  • FreeBSD 10.0p1 - OpenSSL 1.0.1g (At 8 Apr 18:27:46 2014 UTC)
  • FreeBSD Ports - OpenSSL 1.0.1g (At 7 Apr 21:46:40 2014 UTC)

Detect whether your machine is vulnerable

If you are running a web server with SSL enabled, you can test whether it is vulnerable with this tool:
Alternatively, to detect whether your machine is vulnerable to this bug, log into your servers and check the OpenSSL version by running the command below:
openssl version -a
If the version in the output is greater than or equal to "1.0.1" and lower than or equal to "1.0.1f", you may be affected. An example of an affected version would be:
$> openssl version -a
OpenSSL 1.0.1 14 Mar 2012
built on: Wed Jan  8 20:45:51 UTC 2014
platform: debian-amd64
Please note the version mentioned: "1.0.1", which is in the range of affected versions. Another detail to check is the "built on" information:
$> openssl version -a
...
built on: Wed Jan  8 20:45:51 UTC 2014
...

Some Linux distributions have provided security patches that fix the vulnerability without upgrading OpenSSL. The "built on:" date should be April 2014 or newer for the build to be considered updated. An example of a patched OpenSSL version would be:
/usr/bin/openssl version -a
OpenSSL 1.0.1 14 Mar 2012
built on: Mon Apr  7 20:33:29 UTC 2014
platform: debian-amd64
Here OpenSSL is in the vulnerable range, but it was patched in April 2014.
Another non-vulnerable version (this one is easier to identify) will look like:
openssl version -a
OpenSSL 1.0.1g 7 Apr 2014
built on: Tue Apr  8 09:07:07 CEST 2014
platform: linux-x86_64
Here the version is greater than "1.0.1f", so it is safe. It also shows it was updated in April 2014. This is the output you will get if you use our patch installer to update your SSL version.
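
The version and "built on" checks above, automated as an added example (not the post's own code, and not its patch installer): it classifies the text of `openssl version -a` using exactly the two rules described, and treats an unparsable version or a missing build date as still vulnerable. It assumes the output layout shown above.

```shell
#!/bin/sh
# Added example, not part of the original post: apply the post's two checks to
# the text of `openssl version -a`.
#   1. version 1.0.1 .. 1.0.1f (inclusive)     => inside the affected range;
#   2. "built on:" date of April 2014 or later => the distribution rebuilt the
#      package with the fix (the post's heuristic; the package changelog is the
#      authoritative source when the date is borderline).
# Prints NOT_AFFECTED, PATCHED or VULNERABLE; the exit status is 0 only for the
# first two, so the function can drive a cron job or a fleet-wide check.
month_index() {
    case "$1" in
        Jan) echo 1 ;; Feb) echo 2 ;;  Mar) echo 3 ;;  Apr) echo 4 ;;
        May) echo 5 ;; Jun) echo 6 ;;  Jul) echo 7 ;;  Aug) echo 8 ;;
        Sep) echo 9 ;; Oct) echo 10 ;; Nov) echo 11 ;; Dec) echo 12 ;;
        *)   echo 0 ;;
    esac
}

classify_openssl() {
    out=$1
    # First line is "OpenSSL 1.0.1e 11 Feb 2013" or "OpenSSL 1.0.1e-fips 11 Feb 2013";
    # keep only the version token (the letter after 1.0.1 is the patch level).
    ver=$(printf '%s\n' "$out" | sed -n 's/^OpenSSL \([0-9][0-9a-z.]*\).*/\1/p' | head -n 1)
    case "$ver" in
        1.0.1|1.0.1[a-f]) ;;               # affected range: go on to the build date
        "")  echo VULNERABLE; return 1 ;;  # unparsable output: assume the worst
        *)   echo NOT_AFFECTED; return 0 ;;
    esac
    # "built on: Mon Apr  7 20:33:29 UTC 2014": month is field 2, year the last field
    built=$(printf '%s\n' "$out" | sed -n 's/^built on: *//p' | head -n 1)
    mon=$(month_index "$(printf '%s\n' "$built" | awk '{print $2}')")
    year=$(printf '%s\n' "$built" | awk '{print $NF}')
    case "$year" in
        *[!0-9]*|"") echo VULNERABLE; return 1 ;;   # no usable date ("date not available")
    esac
    if [ "$year" -gt 2014 ] || { [ "$year" -eq 2014 ] && [ "$mon" -ge 4 ]; }; then
        echo PATCHED; return 0
    fi
    echo VULNERABLE
    return 1
}

# Constructed sample: the vulnerable output shown in the post.
SAMPLE_VULNERABLE='OpenSSL 1.0.1 14 Mar 2012
built on: Wed Jan  8 20:45:51 UTC 2014
platform: debian-amd64'

# classify_openssl "$SAMPLE_VULNERABLE"          # prints VULNERABLE
# classify_openssl "$(openssl version -a)"        # check this machine
```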

Update the system OpenSSL version

The procedure to update the system OpenSSL package will depend on your Linux distribution:
apt-based systems: Ubuntu, Debian...
sudo apt-get update
sudo apt-get install -y libssl1.0.0 openssl
And then check that the version was updated (or patched, with a recent "built on" date):
/usr/bin/openssl version -a
OpenSSL 1.0.1 14 Mar 2012
built on: Mon Apr  7 20:33:29 UTC 2014
...
You will also need to restart any service using libssl. To list those services, use the command below:
sudo lsof -n | grep ssl | grep DEL
vsftpd     479   root  DEL  REG     202,1         394910 /lib/x86_64-linux-gnu/libssl.so.1.0.0
monit     1254   root  DEL  REG     202,1         394910 /lib/x86_64-linux-gnu/libssl.so.1.0.0
And then restart the services (depending on your specific system):
sudo /etc/init.d/monit restart
sudo /etc/init.d/vsftpd restart
yum-based systems: RedHat, CentOS, Fedora...
sudo yum -y update openssl
And then check that the version was updated (or patched, with a recent "built on" date):
/usr/bin/openssl version -a
OpenSSL 1.0.1 14 Mar 2012
built on: Mon Apr  7 20:33:29 UTC 2014
...
You will also need to restart any service using libssl. To list those services, use the command below:
sudo lsof -n | grep ssl | grep DEL
vsftpd     479   root  DEL  REG     202,1         394910 /lib/x86_64-linux-gnu/libssl.so.1.0.0
monit     1254   root  DEL  REG     202,1         394910 /lib/x86_64-linux-gnu/libssl.so.1.0.0
And then restart the services (depending on your specific system):
sudo /etc/init.d/monit restart
sudo /etc/init.d/vsftpd restart
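
The libssl restart step, as an added example that is not part of the original post: it filters the lsof output more precisely than `grep ssl | grep DEL` (only DEL rows whose path is libssl, so a process merely named after SSL or a still-current mapping is not listed) and restarts each daemon through an init script of the same name, which is an assumption of this example rather than something the post guarantees.

```shell
#!/bin/sh
# Added example, not part of the original post: parse the `sudo lsof -n` output
# the post inspects and list only the processes that still map a deleted (DEL)
# libssl, i.e. those that keep running the old code until they are restarted.
# Assumes lsof's default columns (COMMAND PID USER FD TYPE DEVICE ... NAME); for
# DEL rows lsof prints no SIZE/OFF field, so the path is taken from the last field.
stale_libssl_processes() {
    # $1 = lsof output; prints one "COMMAND PID" line per affected process
    printf '%s\n' "$1" |
        awk '$4 == "DEL" && index($NF, "/libssl.so") > 0 { print $1, $2 }' |
        sort -u
}

# Restart each listed daemon through its init script, as the post does by hand.
# Only scripts named like the command are handled (assumption of this example);
# anything else is reported so an operator can restart it manually, e.g. a Java
# application server shows up as "java", not as its service name.
restart_stale_libssl_users() {
    stale_libssl_processes "$1" | while read -r cmd pid; do
        if [ -x "/etc/init.d/$cmd" ]; then
            sudo "/etc/init.d/$cmd" restart
        else
            echo "no init script for $cmd (pid $pid): restart it manually" >&2
        fi
    done
}

# Constructed sample: the two rows from the post plus two rows that a plain
# `grep ssl | grep DEL` would get wrong (a still-current libcrypto mapping, and a
# deleted temp file of a process whose name merely contains "ssl").
SAMPLE_LSOF='vsftpd     479   root  DEL  REG     202,1         394910 /lib/x86_64-linux-gnu/libssl.so.1.0.0
monit     1254   root  DEL  REG     202,1         394910 /lib/x86_64-linux-gnu/libssl.so.1.0.0
monit     1254   root  mem  REG     202,1  431752 394911 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
sslh      2000   root  DEL  REG     202,1           1234 /tmp/sslh-state'

# stale_libssl_processes "$SAMPLE_LSOF"        # prints "monit 1254" and "vsftpd 479"
# restart_stale_libssl_users "$(sudo lsof -n)"  # act on this machine
```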

Next Steps

First, after applying the patches above, double-check that your web site is now OK using this tool:
The vulnerability allows an attacker to steal your private keys, which would let them decrypt any information as well as impersonate your server, so it is advised to revoke the compromised keys and to reissue and redistribute new ones.

This is only necessary if you have already configured HTTPS with your own certificate. In this case, generate new certificates and configure them again in your server.
14 Apr 2014
