How to find out if your server is affected by the OpenSSL Heartbleed vulnerability (CVE-2014-0160) and how to fix it

A severe vulnerability in OpenSSL has been found. The vulnerability is named Heartbleed and affects the heartbeat implementation in OpenSSL versions 1.0.1 up to 1.0.1f. It can be used to obtain the private key that protects the server's SSL connections, so it is important to update the server immediately. The bug is fixed in OpenSSL 1.0.1g. All major Linux distributions have released updates for the vulnerability.

Find out if your server is affected

Run the command:

openssl version

to get the version number of OpenSSL. If the command shows, for example:

openssl version
OpenSSL 1.0.1e 11 Feb 2013

then your server might be vulnerable, as the version is below 1.0.1g. However, some Linux distributions backport the security fix into the existing package without changing the version number; see below for instructions on how to find out whether the package on your server has been patched.

If your server uses a 0.9.8 release, as shipped with Debian squeeze, then the server is not vulnerable, because the heartbeat function was implemented in OpenSSL 1.0.1 and later versions only.

openssl version
OpenSSL 0.9.8o 01 Jun 2010

Fix the vulnerability

To fix the vulnerability, install the latest updates for your server.

Debian

apt-get update
apt-get upgrade

Ubuntu

apt-get update
apt-get upgrade

Fedora and CentOS

yum update

OpenSuSE

zypper update

Then restart all services that use OpenSSL. On an ISPConfig 3 server, these are, for example (when they are installed): sshd, Apache, Nginx, Postfix, Dovecot, Courier, pure-ftpd, BIND and MySQL. If you want to be absolutely sure that you did not miss a service, restart the whole server by running "reboot" on the shell.

Check if the Linux update installed the correct package

After you have installed the Linux updates, check that the openssl package has been upgraded correctly. Some Linux distributions backport the fix into the existing package, so "openssl version" does not always show whether the patch that fixes the vulnerability has been installed.

Check the package on Debian and Ubuntu:

dpkg-query -l 'openssl'

Here is the output for a correctly patched Debian 7 (Wheezy) server:

dpkg-query -l 'openssl'
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                Version         Architecture   Description
+++-===================-===============-==============-============================================
ii  openssl             1.0.1e-2+deb7u5 amd64          Secure Socket Layer (SSL) binary and related

For Fedora and CentOS, use this command to find the installed package name:

rpm -qa | grep openssl

Here are the links to the release notes that contain the package names of the fixed versions:

Debian: http://www.debian.org/security/2014/dsa-2896
Ubuntu: http://www.ubuntu.com/usn/usn-2165-1/
Fedora: https://lists.fedoraproject.org/pipermail/announce/2014-April/003206.html
CentOS: http://lists.centos.org/pipermail/centos-announce/2014-April/020249.html

As an alternative, install the latest OpenSSL from source.
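The following bash script is an added example, not part of the original tutorial, that combines the two checks above: it classifies the "openssl version" banner against the affected range 1.0.1 to 1.0.1f, and on Debian/Ubuntu compares the installed package version with the fixed version from the distribution advisory. The function names are assumptions of this example; the Wheezy fixed version 1.0.1e-2+deb7u5 is taken from the dpkg-query output shown above.

```bash
#!/bin/bash
# Added example (not from the original tutorial): classify an "openssl version"
# banner against the Heartbleed affected range (1.0.1 through 1.0.1f) and, on
# Debian/Ubuntu, compare the installed package with the fixed version from the
# distribution advisory. Function names are assumptions for this example.

# Prints one of: vulnerable, fixed, unaffected, unknown.
#   vulnerable - upstream version 1.0.1 .. 1.0.1f; the distribution may have
#                backported the fix, so verify the package version as well
#   fixed      - 1.0.1g or later, or a later release branch
#   unaffected - 0.9.8 or 1.0.0 branches, which have no heartbeat code
#   unknown    - the banner could not be parsed
heartbleed_version_status() {
    local line="$1" ver
    set -- $line                      # word-split the banner, e.g. "OpenSSL 1.0.1e 11 Feb 2013"
    if [ "$1" != "OpenSSL" ]; then
        echo unknown
        return 0
    fi
    ver=$2                            # version field, e.g. "1.0.1e" or "1.0.1e-fips"
    case "$ver" in
        0.9.8*|1.0.0*)                echo unaffected ;;
        1.0.1|1.0.1[a-f]*)            echo vulnerable ;;
        1.0.1[g-z]*)                  echo fixed ;;
        1.0.[2-9]*|1.[1-9]*|[2-9].*)  echo fixed ;;
        *)                            echo unknown ;;
    esac
}

# Convenience wrapper: check the OpenSSL installed on this machine.
check_local_openssl() {
    heartbleed_version_status "$(openssl version 2>/dev/null)"
}

# Debian/Ubuntu only: return 0 if the installed openssl package is at least the
# fixed version named in the advisory (DSA-2896 / USN-2165-1), 1 if it is older,
# 2 if the package is not installed. Example for Debian 7 (Wheezy), using the
# version from the dpkg-query output shown above:
#   debian_package_fixed 1.0.1e-2+deb7u5 && echo "package is patched"
debian_package_fixed() {
    local fixed="$1" installed
    installed=$(dpkg-query -W -f='${Version}' openssl 2>/dev/null) || return 2
    dpkg --compare-versions "$installed" ge "$fixed"
}
```

Source the script and run check_local_openssl; a result of "vulnerable" on Debian or Ubuntu means you still need debian_package_fixed with the version from your distribution's advisory to know whether a backported fix is installed.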

Test

There is now a test available to verify whether you have successfully closed the security hole on your server. The test can be found here:

http://filippo.io/Heartbleed/

Q&A on this topic in the howtoforge forum

Questions and answers on this topic in the howtoforge forum:

https://www.howtoforge.com/forums/showthread.php?t=65498
