Update and Patch OpenSSL on Ubuntu for the CCS Injection Vulnerability

What is OpenSSL?

OpenSSL is a widely used cryptographic library that implements SSL/TLS for applications such as Apache (web), MySQL (database), mail servers, virtual private networks (VPNs), and more. On Ubuntu the shared library lives in the libssl1.0.0 package (the openssl package only provides the command-line tool), so that is the package whose version decides whether a server is patched.


What is “the CCS Injection Vulnerability”?


The ChangeCipherSpec (CCS) Injection Vulnerability is a moderately severe vulnerability in OpenSSL, known formally as “SSL/TLS MITM vulnerability (CVE-2014-0224)”. On June 05, 2014, OpenSSL.org released a security advisory for it together with fixed releases (OpenSSL 0.9.8za, 1.0.0m and 1.0.1h); Ubuntu published the corresponding backported fix the same day as USN-2232-1.

What are the risks?

This vulnerability is generally considered less severe than the Heartbleed Bug, because it cannot be exploited against a server on its own. An attacker who can intercept and alter network traffic in real time between a vulnerable client and a vulnerable server can force the connection to use predictable keying material and then view and/or modify the otherwise secured traffic. Both ends must be vulnerable: OpenSSL clients are vulnerable in all versions, while servers are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1, and Ubuntu 12.04 ships 1.0.1.


What should you do?
  • Update OpenSSL and then restart every service that uses libssl, or simply reboot the server.
  • Once the patched library is in use, change the passwords that were sent over connections to the server, since a successful attack would have exposed them.

Pre-Flight Check
  • These instructions are intended for patching OpenSSL on Ubuntu 12.04 against the “SSL/TLS MITM vulnerability (CVE-2014-0224)”.

Pre-Update Verification

You can check whether the installed openssl package is already patched by fetching its changelog and searching it for the CVE identifier (apt-get changelog downloads the changelog of the installed version from changelogs.ubuntu.com rather than reading it from disk, so this needs outbound network access):

apt-get changelog openssl | grep CVE-2014-0224


If nothing is returned, the installed version predates the fix and you must patch OpenSSL. For Ubuntu 12.04 the fix is in package version 1.0.1-4ubuntu5.14 of libssl1.0.0 and openssl (USN-2232-1), so the installed version reported by dpkg must be at least that.

Installation

Refresh the package index and upgrade the library and the command-line tool via apt-get (running apt-get install on an already installed package upgrades it to the newest available version):

apt-get update
apt-get install libssl1.0.0 openssl


apt will list libssl1.0.0 and openssl among the packages to be upgraded and ask you to confirm the download and installation; simply enter y to confirm. Once the command completes, the patched library is installed on disk, but any service that was already running keeps using the old copy until it is restarted (see the final step below).


Post-Update Verification

Again, just as in the Pre-Update Verification step, we’ll check the local changelog to verify whether or not OpenSSL is patched against the vulnerability:

apt-get changelog openssl | grep CVE-2014-0224


If your version of OpenSSL is now patched, then you’ll receive a result similar to:

- debian/patches/CVE-2014-0224-1.patch: only accept change cipher spec
- debian/patches/CVE-2014-0224-2.patch: don't accept zero length master
- debian/patches/CVE-2014-0224-3.patch: allow CCS after resumption in
- CVE-2014-0224


It is also possible to verify the OpenSSL version with the following command:

openssl version -a


If your version of OpenSSL is now patched, then you’ll receive a result similar to:

OpenSSL 1.0.1 14 Mar 2012
built on: Mon Jun 2 19:37:18 UTC 2014


…with a build date of Mon Jun 2 19:37:18 UTC 2014 or newer. Note that the version string itself still reads 1.0.1, because Ubuntu backports the fix into the existing release rather than moving to 1.0.1h, and the “built on” timestamp only shows when the package was compiled; the package version reported by dpkg is the authoritative check.


Critical: Restart Services or Reboot


At this point, every service that has libssl (and libcrypto, which is updated from the same source package) loaded MUST be restarted to complete the patching process: a running process keeps using the old copy of the library that is mapped into its memory even after the file on disk has been replaced. It is usually simpler and cleaner to just reboot the server. To list the processes still holding the old library, run the following as root so that lsof can see every process (DEL marks a memory-mapped file that has been deleted from disk):

lsof -n | grep -Ei 'libssl|libcrypto' | grep DEL | awk '{print $1}' | sort -u


To reboot your server use the following command:

shutdown -r now
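The verification and restart checks above, combined into a single script. This is an added example written for this article, not code from the original page or from Ubuntu's tooling. It assumes the Ubuntu 12.04 fixed version 1.0.1-4ubuntu5.14 from USN-2232-1, reads /proc/PID/maps directly instead of going through lsof (the kernel appends "(deleted)" to a mapped file that has been replaced on disk, which is the same signal lsof reports as DEL), and the script name ccs-check.sh is made up.

```sh
#!/bin/sh
# ccs-check.sh: post-patch verification for CVE-2014-0224 on Ubuntu 12.04.
# Added example for this article; not part of the original page or of Ubuntu.
# FIXED is the libssl1.0.0 version carrying the fix on 12.04 (USN-2232-1).
FIXED="1.0.1-4ubuntu5.14"

# deb_version_ge_awk A B: exit 0 if Debian-style version A is >= B.
# Simplified reimplementation of dpkg's ordering: digit runs compare
# numerically, everything else lexically. Epochs and '~' are not handled,
# which is enough for the versions Ubuntu security updates use.
deb_version_ge_awk() {
  awk -v a="$1" -v b="$2" '
    function tok(s, arr,    n) {
      n = 0
      while (s != "") {
        if (match(s, /^[0-9]+/) == 0) match(s, /^[^0-9]+/)
        arr[++n] = substr(s, 1, RLENGTH)
        s = substr(s, RLENGTH + 1)
      }
      return n
    }
    BEGIN {
      na = tok(a, A); nb = tok(b, B)
      n = (na > nb) ? na : nb
      for (i = 1; i <= n; i++) {
        x = (i <= na) ? A[i] : ""; y = (i <= nb) ? B[i] : ""
        if (x == y) continue
        if (x ~ /^[0-9]+$/ && y ~ /^[0-9]+$/) { r = (x + 0 > y + 0) ? 0 : 1; exit r }
        r = (x > y) ? 0 : 1; exit r
      }
      exit 0
    }'
}

# deb_version_ge A B: prefer dpkg's own comparison when it is available.
deb_version_ge() {
  if command -v dpkg >/dev/null 2>&1; then
    dpkg --compare-versions "$1" ge "$2"
  else
    deb_version_ge_awk "$1" "$2"
  fi
}

# stale_ssl_pids [PROCROOT]: print "PID COMM" for every process whose memory
# map still refers to a deleted libssl/libcrypto, i.e. the pre-update copy.
# PROCROOT defaults to /proc; it is a parameter so the scan can be exercised
# against a constructed directory tree.
stale_ssl_pids() {
  proc=${1:-/proc}
  for maps in "$proc"/[0-9]*/maps; do
    [ -r "$maps" ] || continue
    if grep -Eq 'lib(ssl|crypto)[^ ]* \(deleted\)' "$maps" 2>/dev/null; then
      pid=${maps%/maps}; pid=${pid##*/}
      comm=$(cat "$proc/$pid/comm" 2>/dev/null || echo '?')
      printf '%s %s\n' "$pid" "$comm"
    fi
  done
}

# main: compare the installed libssl1.0.0 against FIXED, then look for
# processes that still map the old library. Exit 1 if either check fails.
main() {
  installed=$(dpkg-query -W -f='${Version}' libssl1.0.0 2>/dev/null) || {
    echo "libssl1.0.0 is not installed; nothing to check" >&2; return 2; }
  if deb_version_ge "$installed" "$FIXED"; then
    echo "libssl1.0.0 $installed is at or above $FIXED: patched"
  else
    echo "libssl1.0.0 $installed is older than $FIXED: VULNERABLE"
    echo "run: apt-get update && apt-get install libssl1.0.0 openssl"
    return 1
  fi
  stale=$(stale_ssl_pids /proc)
  if [ -n "$stale" ]; then
    echo "Processes still mapping the replaced libssl/libcrypto (restart them or reboot):"
    echo "$stale"
    return 1
  fi
  echo "No process is using the old library."
}

# The live check only runs when invoked as: sudo sh ccs-check.sh --check
if [ "${1:-}" = "--check" ]; then
  main
fi
```

Run it as root so every process's maps file is readable; a non-zero exit means either the package is still old or a service still needs restarting. The awk fallback is only there for machines without dpkg (the script is then just a version comparator); on Ubuntu dpkg --compare-versions is used and is authoritative.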
