Softaculous


Topic : Heartbleed Vulnerability


Posted By: mark012492 on April 8, 2014, 6:20 pm
Will you be releasing an update for the openssl app to address the heartbleed vulnerability or do I need to compile from source?


rhn.redhat.com/errata/RHSA-2014-0376.html
heartbleed.com
www.openssl.org/news/secadv_20140407.txt
www.spinics.net/lists/centos-announce/msg04911.html


Posted By: divij on April 9, 2014, 6:01 am | Post: 1
Hi,

Sir, we have launched the new version of OpenSSL.

Please open a support ticket with your server root details and we will install it on your server.

Posted By: mark012492 on April 9, 2014, 10:24 am | Post: 2
As I currently have quite a few servers, could you please post a wiki or instructions on how to do it so I can push it out to all of them.

Regards,

Posted By: teyhouse on April 9, 2014, 1:30 pm | Post: 3
I managed to fix it myself. I tested everything with the last OpenSSL binary and it worked very well:

Just download the latest OpenSSL-Files:
http://slproweb.com/download/Win32OpenSSL_Light-1_0_1g.exe

Extract them to a place of your choice, then copy and replace the libeay32.dll, libssl32.dll and ssleay32.dll from the main folder (the place you extracted your files to) and all the files within the bin folder to the AMPPS apache/bin folder. Restart AMPPS and everything is "secure" - by whatever this means to you :-D

Posted By: mark012492 on April 9, 2014, 1:36 pm | Post: 4
Hey, thanks for the update and I hope that any Windows users benefit; however, I am running CentOS so that does not apply.



Posted By: teyhouse on April 9, 2014, 1:50 pm | Post: 5
Even if you are running CentOS, replacing the OpenSSL binaries should work for you.

Posted By: peopleinside on April 9, 2014, 5:59 pm | Post: 6
Will the new OpenSSL version be installed with the next update, or do I have to open a support ticket?


-----------------------
PeopleInside  :angel:

Web, security, open source passionate.

Posted By: valley on April 11, 2014, 10:46 am | Post: 7
Follow this guide for the fix:
http://www.webuzo.com/blog/how-to/heartbleed-vulnerability-fix-on-webuzo-2654.html


-----------------------
Webuzo : Single User Control Panel
Join Webuzo :
Facebook
Twitter


Posted By: mark012492 on April 11, 2014, 1:57 pm | Post: 8
Excellent. Verified that it works. Thank you.

Posted By: valley on April 11, 2014, 2:51 pm | Post: 9
Glad to learn that it worked for you!!!


Posted By: optsoft on April 20, 2014, 11:33 am | Post: 10
Background:

If I understood Heartbleed correctly, there was a pointer assignment without a bounds check in the C source code of the heartbeat extension to OpenSSL, leading to a buffer overflow attack wherein a correctly crafted heartbeat request would make a vulnerable server dump up to 64k blocks of RAM with no checks on whether that 64k block crosses over into RAM areas of other apps.

This means HB allows an attacker to slowly read the RAM contents of the server.

This means the following are possibly compromised (assuming worst case):
1. unix usernames - so if you made any smart username to get some additional security, that's gone. Not only that if /etc/passwd is read, then all additional users by and for OS services are also exposed.
2. unix password hash - depending on how good the attacker is at reversing / matching hashes, your password is gone. If there is an area in RAM (timing is important) that your password is being compared with the hash (you are logging in) then your password is in plaintext - for computing the hash to compare with the stored one.
3. SSL certificates, private keys - this is the real blow.
The attacker does nothing, just reads your certs and keys and henceforth copies all encrypted traffic between you and the server, and puts a couple of servers to the task of decrypting your entire traffic. In maybe 10MB of traffic that you cause in one session logged in to any secure app, at 2-3 locations passwords will be moved around. This is what he is looking for.
Slowly, he builds a database of all your information.
Attacker does this for every server that is HB vulnerable and attacks communication and all users of all such servers.
Now he has a huge DB of private info to sell. He may also sell the certs and keys on the darknet.

Effectively, you as a user, and worse, as a server administrator, have no idea how much data has been slowly accumulated by some random node on the internet between you and the server. Or if you are not paying attention to your logs, maybe someone has logged in and read everything.
And you won't know a thing about it.

Question:

The most worrying part is that your certificates and keys that you use, thinking that you have patched the HB vulnerability are still known to the attacker.

So any Heartbleed vulnerable server is not cleaned up until every password of every user is changed AFTER every SSL key and SSL cert is revoked and reissued. Am I right?

I deleted and re-issued all my Apache SSL keys and certs.

However, I am unable to delete and re-issue the control panel certificate. Please instruct as to how that is done. I changed all certs and keys from IP to primary domain to all addon domains.
But the SSL cert I get on the control ports has not changed.

I guess this is the cert with webuzo's nginx and it might have a separate location from certs for the web server?

Thanks in advance.
optsoft

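The missing bounds check described in Post 10, modelled as an added C example (not code from this thread, Softaculous or OpenSSL itself): a simplified heartbeat parser that trusts the record's own length field, beside one carrying the length-versus-received-bytes check that OpenSSL 1.0.1g added. The record layout is the real one (type, 2-byte length, payload, 16 bytes of padding), but the function names, the `hb_demo*` helpers and the "SECRET" bytes standing in for adjacent memory are constructed for illustration.

```c
#include <stdint.h>
#include <string.h>

#define HB_PAD 16   /* padding bytes a heartbeat record carries after its payload */

/* Vulnerable shape: trusts the 2-byte length field inside the record and never
 * consults rec_len, the number of bytes the TLS layer actually received. */
static size_t hb_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    const uint8_t *p = rec + 1;                          /* skip the type byte */
    size_t payload = ((size_t)p[0] << 8) | p[1];
    (void)rec_len;                                       /* the bug: ignored */
    if (payload > out_cap) payload = out_cap;            /* model-only guard */
    memcpy(out, p + 2, payload);                         /* reads past the record */
    return payload;
}
/* Fixed shape (the 1.0.1g check): a record too short to hold a length field,
 * or whose declared payload plus padding exceeds rec_len, is dropped. */
static int hb_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PAD) return -1;
    const uint8_t *p = rec + 1;
    size_t payload = ((size_t)p[0] << 8) | p[1];
    if (1 + 2 + payload + HB_PAD > rec_len) return -1;
    if (payload > out_cap) return -1;
    memcpy(out, p + 2, payload);
    return (int)payload;
}
/* Constructed demo: a 19-byte record (type 1, declared length 64, 16 pad bytes)
 * followed by bytes standing in for unrelated heap data. Returns 1 if the
 * vulnerable parser copied those bytes out and the fixed parser refused. */
int hb_demo(void)
{
    uint8_t memory[3 + HB_PAD + 48] = {0}, out[64] = {0};
    size_t rec_len = 3 + HB_PAD;                         /* bytes really received */
    memory[0] = 0x01; memory[1] = 0x00; memory[2] = 0x40; /* claims 64 bytes */
    memcpy(memory + rec_len, "SECRET", 6);               /* lives past the record */
    size_t n = hb_vulnerable(memory, rec_len, out, sizeof out);
    int leaked = n == 64 && memcmp(out + HB_PAD, "SECRET", 6) == 0;
    int refused = hb_fixed(memory, rec_len, out, sizeof out) == -1;
    return leaked && refused;
}
/* Well-formed record (payload "hello", 5 bytes): the fixed parser returns 5. */
int hb_demo_valid(void)
{
    uint8_t rec[1 + 2 + 5 + HB_PAD] = {0x01, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o'};
    uint8_t out[8];
    return hb_fixed(rec, sizeof rec, out, sizeof out);
}
```

The same comparison against the received length is what a reviewer should look for when auditing any handler that copies a caller-declared number of bytes.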