How to fix the Heartbeat on CentOS

I had to patch/update a bunch of servers running CentOS.
These are the steps and some notes that I would like to share with the internet.

Let's check whether our OpenSSL is vulnerable or clean.
This is how:

[root@stream4 ~]# rpm -q openssl
[root@stream4 ~]# rpm -q --changelog openssl | grep CVE-2014-0160

If the second command prints nothing, the installed package is probably not patched.

I've found a machine with openssl-1.0.0-27.el6_4.2 and openssl-1.0.0-fips.

RHEL 6.4 currently has openssl-1.0.0-27.el6_4.2 and is NOT vulnerable. As mentioned earlier in this flaw, only openssl-1.0.1 is vulnerable to this issue.

Both are safe, although they are rather old versions.

Let's update our OpenSSL.

[root@stream4 ~]# yum update openssl
Updating:
 openssl x86_64 1.0.1e-16.el6_5.7 updates 1.5 M

When yum asks whether we are sure we want to install it, type y and press Enter.

Is this ok [y/N]: y

This is what we get at the end:

openssl-1.0.1e-16.el6_5.7.x86_64.rpm | 1.5 MB 00:00 
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
 Updating : openssl-1.0.1e-16.el6_5.7.x86_64 1/2 
 Cleanup : openssl-1.0.1e-16.el6_5.4.x86_64 2/2 
 Verifying : openssl-1.0.1e-16.el6_5.7.x86_64 1/2 
 Verifying : openssl-1.0.1e-16.el6_5.4.x86_64 2/2

 Updated:
 openssl.x86_64 0:1.0.1e-16.el6_5.7
 
Complete!

HOORAY!

Now let's re-check that our OpenSSL is patched against the Heartbleed bug (CVE-2014-0160):

[root@stream4 ~]# rpm -q --changelog openssl | grep CVE-2014-0160
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension

Nice! The changelog confirms the fix, so the package is now *safe*.
Let's check our OpenSSL version with openssl version -a. Note that the version string still reads 1.0.1e after the update, because Red Hat backports fixes into the same upstream version; the changelog entry above and the "built on" date are what confirm the patch.

[root@stream4 ~]# openssl version -a
OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Tue Apr 8 02:39:29 UTC 2014
platform: linux-x86_64
options: bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx) 
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/etc/pki/tls"
engines: dynamic

Now we MUST restart every service that still has the old libssl loaded in memory.
How do we know which services are using it?

[root@stream4 ~]# lsof | grep -i libssl | grep DEL | awk '{print $1}' | sort | uniq
-bash: lsof: command not found

*Ouch!* Let's install lsof.

[root@stream4 ~]# yum install lsof

Okay! Let's try it again:

[root@stream4 ~]# lsof | grep -i libssl | grep DEL | awk '{print $1}' | sort | uniq
httpd
master
mysqld
pickup
qmgr
vsftpd

Nice!
Let's see what the openssl changelog says about security fixes:

rpm -q --changelog openssl | grep -iE 'security|cve|vuln'

Okay, now let's restart the services, or reboot the server:

[root@stream4 ~]# service httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
[root@stream4 ~]# service mysqld restart
Stopping mysqld: [ OK ]
Starting mysqld: [ OK ]
[root@stream4 ~]# service vsftpd restart
Shutting down vsftpd: [ OK ]
Starting vsftpd for vsftpd: [ OK ]

I've run lsof | grep -i libssl | grep DEL | awk '{print $1}' | sort | uniq again and saw that vsftpd was still on the list; I had to stop and then start the service, and then it didn't appear on it!

service vsftpd stop

and then

service vsftpd start

You might see other services, like cPanel, nginx, pure-ftpd, RAID controller daemons, etc.
The best and cleanest way is to REBOOT the server!
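As an added example (not from the original post), here is a way to find the same list of services without lsof, which the post found missing on a fresh box: read /proc/<pid>/maps directly, where a library that was replaced by yum shows up with a "(deleted)" suffix. The function names are my own; run it as root so every process's maps file is readable.

```shell
#!/bin/sh
# Added example, not from the original post. Lists processes that still map an
# old, deleted libssl/libcrypto after "yum update openssl", by parsing
# /proc/<pid>/maps instead of lsof. Works on a stock CentOS 6 without lsof.

# Constructed sample in /proc/<pid>/maps format (assumption: paths are made up)
# showing two replaced OpenSSL libs, one unrelated deleted lib, one live lib.
sample_maps() {
    cat <<'EOF'
7f0a00000000-7f0a00200000 r-xp 00000000 fd:01 131072 /usr/lib64/libssl.so.1.0.1e (deleted)
7f0a00200000-7f0a00400000 r--p 00000000 fd:01 131073 /usr/lib64/libcrypto.so.1.0.1e (deleted)
7f0a00400000-7f0a00600000 r-xp 00000000 fd:01 131074 /usr/lib64/libz.so.1 (deleted)
7f0a00600000-7f0a00800000 r-xp 00000000 fd:01 131075 /usr/lib64/libssl.so.1.0.1e
EOF
}

# Read maps lines on stdin; print each distinct deleted libssl/libcrypto path.
# Field 6 is the pathname, and a replaced file ends with "(deleted)".
stale_ssl_libs() {
    awk '$6 ~ /lib(ssl|crypto)[^ ]*\.so/ && $NF == "(deleted)" { print $6 }' \
        | sort -u
}

# Walk /proc and print "<pid> <comm>" for every process holding a stale lib.
list_processes_to_restart() {
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue          # skip unreadable (not root) or vanished
        pid=${maps#/proc/}
        pid=${pid%/maps}
        if [ -n "$(stale_ssl_libs < "$maps" 2>/dev/null)" ]; then
            printf '%s %s\n' "$pid" "$(cat "/proc/$pid/comm" 2>/dev/null)"
        fi
    done
}

# Distinct service names only, the same shape as the post's lsof | awk | sort | uniq.
services_to_restart() {
    list_processes_to_restart | awk '{ print $2 }' | sort -u
}
```

Call services_to_restart after the update, restart each name it prints, and run it again: a name that is still listed (as vsftpd was in the post) means the daemon did not actually re-exec and needs a full stop and start.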

Change all your users' passwords on the machine

After this we need to CHANGE ALL THE PASSWORDS on our server to new ones, and regenerate our certificates using a new private key, since the old key may have been read out of memory before the patch.

How do we list all the users on our machine?

awk -F":" '{ print "username: " $1 "\t\tuid:" $3 }' /etc/passwd

Edit your SSH KNOWN HOSTS on your local computer

Now, on your Mac OS X machine, edit your .ssh/known_hosts with something like:

nano /Users/__YOUR_USER__/.ssh/known_hosts

Search for the host/IP entry line and remove it; otherwise you won't be able to log in, since the server's RSA host key has changed:

MacBook-Pro-de-Paulo:.ssh PJunior$ ssh [email protected]
The authenticity of host '193.1XX.XXX.XX (193.1XX.XXX.XX)' can't be established.
RSA key fingerprint is 6e:8e:40:44:e4:38:e4:06:1e:51:ee:ee:ee:26:ee:80.
Are you sure you want to continue connecting (yes/no)?

Tools and useful links

Test your server with these online tools:

https://filippo.io/Heartbleed/
https://lastpass.com/heartbleed/

Useful links

http://www.digitalwhores.net/linux/protect-your-server-against-the-heartbleed-openssl-vulnerability/
https://www.digitalocean.com/community/articles/how-to-protect-your-server-against-the-heartbleed-openssl-vulnerability
http://www.liquidweb.com/kb/update-and-patch-openssl-for-heartbleed-vulnerability/
http://vexxhost.com/blog/2014/04/09/how-to-mitigate-and-fix-openssl-heartbeat-on-centos-or-ubuntu/
