Heartbleed OpenSSL bug

2014, April 9th

What is the Heartbleed Bug?

Heartbleed is a critical bug in the OpenSSL library. The vulnerability was published on 7 April 2014. It allows theft of information that is normally protected by SSL/TLS encryption. SSL/TLS provides secure and private communication over the Internet for websites, email, IM, and VPNs. An attacker can exploit Heartbleed to obtain copies of fragments of a server's memory, including its digital keys, and then use those to impersonate the server or to decrypt traffic.

What to do?

OpenSSL is prevalent, so many systems must be upgraded. The vulnerable versions are OpenSSL 1.0.1 to OpenSSL 1.0.1f inclusive. You can check the OpenSSL version from the command line:

openssl version

Version 0.9.8 is not affected and does not need the upgrade.

To apply the fix, OpenSSL must be upgraded to version 1.0.1g. On Debian-based systems it is usually enough to run:

sudo apt-get update
sudo apt-get upgrade

However, this does not work on systems that are no longer supported, such as Ubuntu 13.04.

In that case you can use the compiled OpenSSL package prepared by SecurityKISS and available on GitHub. To apply the fix on Debian-based systems such as Linux Mint or Ubuntu, run the following command:

wget -N https://github.com/skrepo/deb/raw/master/openssl-1.0.1g-`uname -m`.deb && sudo dpkg -i openssl-1.0.1g-`uname -m`.deb

and reboot the system.
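The version check above decides whether a system needs the upgrade at all. The following script is an added example, not part of the original post: it classifies an `openssl version` line against the range stated above (1.0.1 to 1.0.1f vulnerable, 1.0.1g fixed, 0.9.8 unaffected) and reports anything else as unknown. The sample version strings in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original SecurityKISS post): classify the output of
# `openssl version` against the Heartbleed range given in the post.
# Caveat: some distributions backport the fix without changing the version
# string, so a "vulnerable" verdict means "check the package changelog", not a
# confirmed hole.

heartbleed_status() {
    # $1 is the full `openssl version` line, e.g. "OpenSSL 1.0.1e 11 Feb 2013"
    # (sample string). A bare version such as "1.0.1e" is accepted too.
    ver=${1#OpenSSL }      # drop the leading product name, if present
    ver=${ver%% *}         # keep only the first remaining field: the version
    case "$ver" in
        1.0.1|1.0.1[a-f]*)  echo vulnerable ;;   # 1.0.1 up to and including 1.0.1f
        1.0.1[g-z]*)        echo fixed ;;        # 1.0.1g or a later 1.0.1 release
        0.9.8*)             echo unaffected ;;   # 0.9.8 branch, as stated in the post
        *)                  echo unknown ;;      # not covered by the post
    esac
}

# Check the OpenSSL binary on this machine, if one is installed.
if command -v openssl >/dev/null 2>&1; then
    line=$(openssl version)
    printf '%s -> %s\n' "$line" "$(heartbleed_status "$line")"
fi
```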

SecurityKISS servers

We upgraded OpenSSL on a few dozen servers in order to address this critical vulnerability, so currently all servers are running either OpenSSL 0.9.8 or 1.0.1g.

The upgrade required a reboot, so some existing VPN connections could have been abruptly terminated and restored after about 1 minute.