CVE-2014-0160, better known as the Heartbleed bug, it a critical, easily exploited, and widespread bug in the OpenSSL library that powers many HTTPS implementations around the world.
It is a memory leak exploit that can be used to potentially expose server keys, and any amount of other private information, so, it’s hard to stress exactly how important it is that you patch your servers now!
Because it may help others, here’s what I did:
Diagnosis
First step is to confirm that your servers are vulnerable. The vulnerability exists in OpenSSL libraries newer than 0.9.8 and persists until fixed in 1.0.1g. This means it is present in both Debian stable and Ubuntu systems, among others.
You can confirm whether your systems are vulnerable with this handy python program (mirror on gist), written by Jared Stafford, which attempts to exploit this bug.
Fixing
- Debian and Ubuntu users should
apt-get update; apt-get upgrade
as soon as possible, since the security team has already patched the vulnerability. Other distros are likely to do the same, and I wouldn’t be surprised if patches were already released. - If your distro hasn’t patched yet, or you’ve compiled your own code, you should update to 1.0.1g now, or recompile your current OpenSSL binary with the
-DOPENSSL_NO_HEARTBEATS.
option set.
Thankfully, I run Debian, so my fix was easy. However, it is important to highlight that after updating the library you must RESTART any services that make use of it, notably Apache in my case.
This seems obvious, but until you do this your server is still vulnerable, so it’s worth underlining, and it caught me out!
Verification
Finally, it is important to verify your fix (how I spotted the restart requirement!). Use the same python tool above, and you should see something like:
marcus@dushka:~$ python ssltest.py marcus-povey.co.uk Connecting... Sending Client Hello... Waiting for Server Hello... ... received message: type = 22, ver = 0302, length = 58 ... received message: type = 22, ver = 0302, length = 3527 ... received message: type = 22, ver = 0302, length = 781 ... received message: type = 22, ver = 0302, length = 4 Sending heartbeat request... Unexpected EOF receiving record header - server closed connection No heartbeat response received, server likely not vulnerable
Happy patching!
Update: seems that lots of people must be after that python script, as we seem to have killed the poor guy’s server. I’ve stuck a copy of it on Gist, hopefully Jared won’t mind!
@mapkyca is it not 1.0.1 – 1.0.1f so your old 0.9.8 are OK*. To degrees OK okness on something that old.
@carpenterjc Indeed, of course old versions are vulnerable to a bunch of other issues so you should still upgrade.
likes this.
As Bruce Schneier points out here (https://www.schneier.com/blog/archives/2014/04/heartbleed.html), you need to regenerate your server keys and re-issue any SSL certificates you have, as well as changing all your passwords.
Except the most recent version of Desktop Central (build 90000), no other ManageEngine product is vulnerable to the Heartbleed bug.
By now, you’ve probably been swamped by numerous advisories from various vendors on the ‘Heartbleed bug,’ and now, here comes one from ManageEngine. However, you can take heart: all but one of our products are immune to the Heartbleed bug. Except the most recent version of Desktop Central build 90000, no other ManageEngine product is vulnerable.
The Heartbleed bug, the flaw in OpenSSL’s TLS implementation, is perhaps the biggest vulnerability in Internet history and has sent panic waves throughout IT and consumer communities alike. Naturally, you should be concerned, and we want to reassure you. To that end, here are the details.
ManageEngine products are not vulnerable to the Heartbleed bug because:
ManageEngine products do not use OpenSSL libraries. At the most, some products come with SSL certificates generated using OpenSSL. The Heartbleed bug only affects TLS connections that enable Heartbeats, not other parts of OpenSSL such as key generation, certificate signing, generating digests, random bytes generation, etc.
The underlying modules of our products use Tomcat web servers where BIO and NIO connectors are used. These connectors use JSSE SSL whereas the APR/native connector uses OpenSSL. Our products’ underlying modules do not use the APR/native connector.
Bottom line, you need not worry about the security of the data you store in ManageEngine products.
Heartbleed and ManageEngine: A Quick Summary
At the risk of being redundant, we hereby confirm that — except the most recent version of Desktop Central (build 90000) — no other ManageEngine product is vulnerable to the Heartbleed bug. And in the case of Desktop Central, all prior versions are NOT vulnerable.
Advisory for Desktop Central v 90000 Users
Details: https://forums.manageengine.com/topic/heartbleed-vulnerability-desktop-central-security-advisory
Steps to fix the vulnerability: http://www.manageengine.com/products/desktop-central/heartbleed-fix.html?forum
Posts from Individual Products
Visit the ManageEngine PitStop forums to see the posts from various ManageEngine product teams and read about their perspectives on the Heartbleed bug.
General Information
If you are wondering what this Heartbleed bug is all about, this is for you:
It’s a bug in OpenSSL’s TLS implementation, a software library used to secure the transmission of private information. The bug is actually a memory leak exploit that can potentially lead to the exposure of server keys and could help hackers reach the private computer memory handled by OpenSSL, paving the way to the theft of private information. It is indeed a very serious vulnerability.
How to diagnose if your systems are vulnerable:
To diagnose if your systems are vulnerable to the Heartbleed bug, please refer to this external post.
How to fix systems that are vulnerable to Heartbleed:
If you find any of your systems vulnerable to the Heartbleed bug, the steps typically involved in fixing a system include:
Patching vulnerable systems with OpenSSL 1.0.1g
Regenerating new private keys
Submitting new CSR to your CA
Obtaining and install new signed certificate
Revoking old certificates
We reassure you that you are quite safe with ManageEngine and don’t need to worry about the Heartbleed bug. Regardless, if you would like any assistance or clarifications, please do write to our support teams.
Thanks,
Bala
You Can Learn More About the ManageEngine Product Line By Going to http://www.ManageEngine.ca
The original article/video can be found at Take Heart, ManageEngine Products Are Not Vulnerable to The Heartbleed Bug