升级OpenSSL 修复Heartbleed安全bug(CVE-2014-0160)

Web 1 Minute

heartbleed

问题描述:OpenSSL处理TLS和DTLS心跳扩展包时有信息泄漏缺陷。TLS或DTLS客户端或服务器,可以通过发送特殊制造的TLS或DTLS心跳包,来透视连接的客户端或服务器限制访问的可能包含敏感信息的内存。
解决方法:升级 openssl,使用 Heartbleed 探测工具【1】【2】重新扫描系统,确保安全。
  • RHEL7 beta: openssl-1.0.1e-16.el6_5.7
  • RHEL6: openssl-1.0.1e-34.el7
  • Fedora: openssl-1.0.1e-37.fc20.1.x86_64

【1】https://access.redhat.com/site/labsinfo/heartbleed
【2】https://github.com/gavin-romig-koch/heartbleed

From: http://www.openssl.org/news/secadv_20140407.txt
OpenSSL Security Advisory [07 Apr 2014]
========================================

TLS heartbeat read overrun (CVE-2014-0160)
==========================================

A missing bounds check in the handling of the TLS heartbeat extension can be
used to reveal up to 64k of memory to a connected client or server.

Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including
1.0.1f and 1.0.2-beta1.

Thanks for Neel Mehta of Google Security for discovering this bug and to
Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
preparing the fix.

Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately
upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.

1.0.2 will be fixed in 1.0.2-beta2.
# rpm -qi openssl --changelog
....
* Mon Apr 07 2014 Dennis Gilmore <dennis@ausil.us> - 1.0.1e-37.1
- pull in upstream patch for CVE-2014-0160
- removed CHANGES file portion from patch for expediency

[amos@amosk tmp]$ python heartbleed-poc.py amosk.info
Scanning amosk.info on port 443
Connecting...
Sending Client Hello...
Waiting for Server Hello...
 ... received message: type = 22, ver = 0302, length = 66
Message Type is 0x02
 ... received message: type = 22, ver = 0302, length = 2555
Message Type is 0x0B
 ... received message: type = 22, ver = 0302, length = 331
Message Type is 0x0C
 ... received message: type = 22, ver = 0302, length = 4
Message Type is 0x0E
Server sent server hello done
Server TLS version was 1.2

Sending heartbeat request...
No heartbeat response received from amosk.info, server likely not vulnerable

Published by Amos

Published

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.