OpenSSL Heartbleed Vulnerability Guide

What can be stolen by attacker

Private key of the TLS server, private key of the TLS client (if the client is vulnerable), cookies, logins, passwords and any other data that are shared between the server and his clients. And you don’t need to monitor the communication path, you just can send a specially formed batch and this can not be detected in server’s logs.

Vulnerability is bidirectional: if a vulnerable client connects up with attacker’s server, he can read the client’s activity memory. Example of vulnerable clients: MariaDB, wget, curl, git, nginx (in proxi mode)

How to test OpenSSL Heartbleed Vulnerability

Web-services:
— filippo.io/Heartbleed/
— www.ssllabs.com/ssltest/
— rehmann.co/projects/heartbeat/
— possible.lv/tools/hb/
Test for the client: reverseheartbleed.com
Script at Python: gist.github.com/sh1n0b1/10100394, gist.github.com/mitsuhiko/10130454
Script at Go: github.com/titanous/heartbleeder
Statistics of the sites: gist.github.com/dberkholz/10169691

What is affected by Heartbleed Vulnerability

— Vulnerable are OpenSSL 1.0.1 — 1.0.1f, 1.0.2-beta1, vulnerability fixed in OpenSSL 1.0.1g и 1.0.2-beta2 (secadv).
— OpenVPN, includes for Windows — fixed in version I004 (download)
— Any programs that are statistically linked with vulnerable version of OpenSSL.
— Tor (blog).

— Debian Wheezy (stable) — fixed in OpenSSL 1.0.1e-2+deb7u5 and 1.0.1e-2+deb7u6 (security)
— Ubuntu 12.04.4 LTS — fixed in OpenSSL 1.0.1-4ubuntu5.12 (USN)
— CentOS 6.5 — fixed in openssl-1.0.1e-16.el6_5.7 (centos-announce)
— Redhat 6.5 — fixed in openssl-1.0.1e-16.el6_5.7 (solutions, errata, bugzilla)
— Fedora 19 и 20 — fixed in openssl-1.0.1e-37 (announce)
— Gentoo — fixed in openssl-1.0.1g (GLSA)
— Slackware 14.0 и 14.1 — fixed in openssl-1.0.1g (slackware-security)
— OpenSUSE 12.3 и 13.1 — fixed in openssl-1.0.1e (opensuse-security-announce)
— FreeBSD 10.0 — fixed in 10.0-RELEASE-p1 (advisories)
— OpenBSD 5.3 и 5.4 (patch)
— NetBSD 5.0.2
— Amazon — fixed in OpenSSL 1.0.1e-37.66 (security-bulletins)
— Android 4.1.1 — other versions with no vulnerability.

The following usually depend on the vulnerable library and need a restart:
— Web-servers: Nginx, Apache, e-mail servers: Postfix, Dovecot, Jabber and other IM: ejabberd,
— MySQL, if TLS is used for authorization and it depends: в CentOS, RedHat (including Remi), Percona Server (blog).

What is not affected by Heartbleed Vulnerability

— Windows (no OpenSSL), MacOS (old version of OpenSSL), Firefox, Thunderbird (NSS is used by default), Chrome/Chromium (NSS is used by default), Android (heartbeat disabled).
— Root and intermediate certificates with the help of which keys of the TLS server are signed. (there are no private keys for them on the server)
— OpenSSH (uses OpenSSL for keys generation only)
— OpenVPN, if it uses statistic keys (not x509) or if uses in config of the «tls-auth ta.key 1» type.
— Method of renews advancing for Unix-like ОС (GnuPG is most commonly used for signature).

How to update the system

Debian, Ubuntu

# aptitude update
# aptitude -VR full-upgrade

After that restart services that use TLS. Renews setter will offer an automatic restart, or you can do it manually:

# service nginx restart
# service apache2 restart

The full list of services that need restart and can be vulnerable:

# lsof -n | grep -iE 'del.*(libssl\.so|libcrypto\.so)'
or
# checkrestart

If you are not sure, it’s preferable to restart the server.
Version check-out:

# dpkg -l | grep -i openssl
# aptitude changelog openssl

CentOS, RedHat, Fedora

# yum update

After that restart the services that use TLS, for example:

# service nginx restart
# service httpd restart

The full list of services that need restart and can be vulnerable:

# lsof -n | grep -iE 'del.*(libssl\.so|libcrypto\.so)'
or
# needs-restarting

If you are not sure, it’s preferable to restart the server.
Version check-out:

# yum list openssl
# rpm -q --changelog openssl

FreeBSD

# freebsd-update fetch
# freebsd-update install

After that restart the services that use TLS, for example:

# service nginx restart
# service apache22 restart

If you are not sure, it’s preferable to restart the server.
Version check-out:

# freebsd-version

TLS keys recall and passwords reset

— If attacker managed to collect a private key in full, he can use it for a mimic web-site creation or deciphering the intercepted sessions. That’s why it is recommended to recall certificates, the keys for which could fall into attacker’s hands.
— If the clients’ browser passed passwords for the web-site without hash+salt, just as they are, these passwords can also be compromised.

For future reference

— You should make sure that the browser checks whether the visited website certificate is not recalled.
Firefox checks on default OSCP, and the latest versions also support OCSP Stapling; Safari checks on default starting from version Mac OS X 10.7 (Lion); Chrome doesn’t check on default (in settings part HTTPS/SSL ), OCSP Stapling isn’t supported; Internet Explorer checks on default OSCP, but doesn’t support OCSP Stapling; Opera проверяет OSCP checks on default. Settings of different browsers.

— It is preferable to switch on Perfect forward secrecy (PFS) on the server. In this case even compromising the private key attacker won’t be able to decipher the previously of further intercepted traffic. For that you should switch on Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) или Diffie-Hellman Ephemeral (DHE). Server side TLS, testing.