Upgrading OpenSSL to fix the Heartbleed security bug (CVE-2014-0160)


Problem description: OpenSSL has an information leak flaw in the way it handles TLS and DTLS Heartbeat Extension packets. A malicious TLS or DTLS client or server can send a specially crafted TLS or DTLS Heartbeat packet and read memory of the connected server or client that it should not have access to, memory that may contain sensitive information.
Solution: upgrade openssl to the patched package for your distribution, restart every service that still has the old library mapped (a running daemon keeps using the vulnerable copy until it is restarted), then rescan the system with a Heartbleed detection tool [1][2] to confirm it is no longer vulnerable. The flaw leaves nothing in the logs, so keys and credentials that sat on an unpatched, exposed host should be treated as compromised and reissued or rotated.
  • RHEL6: openssl-1.0.1e-16.el6_5.7
  • RHEL7 beta: openssl-1.0.1e-34.el7
  • Fedora: openssl-1.0.1e-37.fc20.1.x86_64

【1】https://access.redhat.com/site/labsinfo/heartbleed
【2】https://github.com/gavin-romig-koch/heartbleed

From: http://www.openssl.org/news/secadv_20140407.txt
OpenSSL Security Advisory [07 Apr 2014]
========================================

TLS heartbeat read overrun (CVE-2014-0160)
==========================================

A missing bounds check in the handling of the TLS heartbeat extension can be
used to reveal up to 64k of memory to a connected client or server.

Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including
1.0.1f and 1.0.2-beta1.

Thanks for Neel Mehta of Google Security for discovering this bug and to
Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
preparing the fix.

Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately
upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.

1.0.2 will be fixed in 1.0.2-beta2.

# rpm -qi openssl --changelog
....
* Mon Apr 07 2014 Dennis Gilmore <dennis@ausil.us> - 1.0.1e-37.1
- pull in upstream patch for CVE-2014-0160
- removed CHANGES file portion from patch for expediency

[amos@amosk tmp]$ python heartbleed-poc.py amosk.info
Scanning amosk.info on port 443
Connecting...
Sending Client Hello...
Waiting for Server Hello...
 ... received message: type = 22, ver = 0302, length = 66
Message Type is 0x02
 ... received message: type = 22, ver = 0302, length = 2555
Message Type is 0x0B
 ... received message: type = 22, ver = 0302, length = 331
Message Type is 0x0C
 ... received message: type = 22, ver = 0302, length = 4
Message Type is 0x0E
Server sent server hello done
Server TLS version was 1.2

Sending heartbeat request...
No heartbeat response received from amosk.info, server likely not vulnerable
