“Heartbleed” The New Terror

The Heartbleed

Security researchers have discovered a serious vulnerability in OpenSSL, the cryptographic software library that encrypts and protects the data of many websites.

The Heartbleed bug, so called because it exploits a flaw in an extension called Heartbeat, not only lets attackers read confidential data that the encryption was meant to protect; it also allows them to take the encryption keys used to secure that data. That means that even servers which fix the bug, using the patch supplied by OpenSSL, must also update all their keys or risk remaining vulnerable.

What does it do?

Heartbeat allows a connected web client or application to send messages that keep a connection alive during a transfer of data. When a Heartbeat message is received, the server usually simply echoes back what it got to the sender.
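The echo described above is where the bug lived: a Heartbeat record carries a declared payload length, and the vulnerable code copied that many bytes back without checking that the record actually contained them. The following is an added, simplified model of the corrected handler (example code, not OpenSSL's own source); the record layout follows RFC 6520 and the bounds check mirrors the one the CVE-2014-0160 fix introduced.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Heartbeat record layout (RFC 6520): 1-byte type, 2-byte payload length
 * (big-endian), the payload bytes, then at least 16 bytes of padding. */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16

/* Builds the echo response for one received heartbeat record.
 * Returns the response length, or -1 when the record must be dropped.
 * The vulnerable code trusted the declared payload length and copied that
 * many bytes out of a buffer that only held rec_len bytes, leaking whatever
 * lay beyond it in memory; the check below is what the fix added. */
int heartbeat_response(const uint8_t *rec, size_t rec_len,
                       uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING)           /* too short to be valid */
        return -1;
    if (rec[0] != HB_REQUEST)
        return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    /* Hardened check: header + declared payload + minimum padding must fit
     * inside what was actually received, otherwise discard silently. */
    if (1 + 2 + payload_len + HB_PADDING > rec_len)
        return -1;
    size_t resp_len = 1 + 2 + payload_len + HB_PADDING;
    if (resp_len > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)(payload_len & 0xff);
    memcpy(out + 3, rec + 3, payload_len);        /* echo only what arrived */
    memset(out + 3 + payload_len, 0, HB_PADDING); /* real TLS uses random padding */
    return (int)resp_len;
}

/* Helper to build constructed sample records: `declared` is the length
 * field written into the header, `actual` the number of payload bytes
 * really present, so the two can deliberately disagree. */
size_t make_record(uint8_t *buf, uint16_t declared,
                   const char *payload, size_t actual)
{
    buf[0] = HB_REQUEST;
    buf[1] = (uint8_t)(declared >> 8);
    buf[2] = (uint8_t)(declared & 0xff);
    memcpy(buf + 3, payload, actual);
    memset(buf + 3 + actual, 0, HB_PADDING);
    return 3 + actual + HB_PADDING;
}
```

A well-formed request is echoed; a request whose header claims far more payload than the record carries is dropped instead of being answered with adjacent memory.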

To Secure Your Server Against the Heartbleed Vulnerability

  1. Edit the file /etc/yum.repos.d/CentOS-Base.repo, and change the mirrorlist and baseurl lines in the [updates] section as follows:
    #released updates
    [updates]
    name=CentOS-$releasever - Updates
    mirrorlist=http://s2plmirror01.prod.sdl2.secureserver.net/download/mirrors/cos-$releasever-updates.$basearch
    failovermethod=priority
    #baseurl=http://mirror.centos.org/centos/$releasever/updates/$basearch/
    gpgcheck=1
    gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5

    to

    #released updates
    [updates]
    name=CentOS-$releasever - Updates
    #mirrorlist=http://s2plmirror01.prod.sdl2.secureserver.net/download/mirrors/cos-$releasever-updates.$basearch
    failovermethod=priority
    baseurl=http://mirror.centos.org/centos/$releasever/updates/$basearch/
    gpgcheck=1
    gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
  2. Clean the yum repositories on the server by running the following command:
    yum clean all
  3. Update OpenSSL on the server by running the following command:
    yum update openssl

    This installs version openssl-1.0.1e-16.el6_5.7.

  4. Confirm the update was installed successfully by running the following command:
    openssl version -a

    The output will include the following line:

    'built on: Tue Apr 8 02:39:29 UTC 2014'

    Additionally, you can confirm that the fix is in place by running the following command:

    rpm -q --changelog openssl | head

    The first few lines will include the following entry:

    'fix CVE-2014-0160 - information disclosure in TLS heartbeat extension'
  5. Restart Apache or any other web server currently installed on the server; this allows the new version of OpenSSL to be used.
  6. Edit the file /etc/yum.repos.d/CentOS-Base.repo again, and change the mirrorlist and baseurl lines back to revert the [updates] section to its original form:
    #released updates
    [updates]
    name=CentOS-$releasever - Updates
    #mirrorlist=http://s2plmirror01.prod.sdl2.secureserver.net/download/mirrors/cos-$releasever-updates.$basearch
    failovermethod=priority
    baseurl=http://mirror.centos.org/centos/$releasever/updates/$basearch/
    gpgcheck=1
    gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5

    to

    #released updates
    [updates]
    name=CentOS-$releasever - Updates
    mirrorlist=http://s2plmirror01.prod.sdl2.secureserver.net/download/mirrors/cos-$releasever-updates.$basearch
    failovermethod=priority
    #baseurl=http://mirror.centos.org/centos/$releasever/updates/$basearch/
    gpgcheck=1
    gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5

  7. Re-key any SSL certificates your server uses.