Patched Servers Remain Vulnerable to Heartbleed OpenSSL

Test your server for Heartbleed CVE 2014 0160

If an attacker has already exploited the Heartbleed bug to steal your SSL private keys they can continue to decrypt all past and future traffic even after the vulnerability has been patched.

A security vulnerability in OpenSSL called the Heartbleed bug (CVE-2014-0160) has been found. This vulnerability has been open for exploit for about 2 years but was only recently discovered. The bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug. By exploiting Heartbleed, an attacker can read arbitrary chunks of server memory containing private keys, sensitive login credentials and other encrypted communication.

Check if Heartbleed-Patched OpenSSL is installed

Most servers will be already patched. If you compiled OpenSSL from source you will have to manually update or re-compile with option -DOPENSSL_NO_HEARTBEATS.

You can check if your CentOS/RHEL server is already updated by running this command from shell:

rpm -q --changelog openssl-1.0.1e | grep -B 1 CVE-2014-0160

This should return:

* Mon Apr 07 2014 Tomáš Mráz <> 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension

For Ubuntu//Debian, you can check installed version of Openssl using:

openssl version -a

— OpenSSL 1.0.1 through 1.0.1f are vulnerable
— OpenSSL 1.0.1g is NOT vulnerable
— OpenSSL 1.0.0 branch is NOT vulnerable
— OpenSSL 0.9.8 branch is NOT vulnerable

This will only tell you that the patch was installed automatically. However, when you test to verify that the vulnerability has been closed, it will probably fail. There’s now an easier way to test using this service: (if you are behind Cloudflare the test won’t work). You’ll notice that even with the patch installed on many server the test will still fail.

Patching Heartbleed Vulnerability is not enough!

Some fixes I’ve seen around the web simply state that the patch is all that’s needed. But this isn’t the case, far from it. So far on every server I’ve worked on, a manual restart of related services is also required, or full reboot. In addition to that, if an attacker has already exploited the Heartbleed bug to steal your SSL private keys they can continue to decrypt all past and future traffic even after the vulnerability has been patched – using the existing stolen keys. This means that to truly secure your servers, you’ll need to regenerate new private keys and passwords.

If you notice that your server is still open to the Heartbleed exploit even though the patch shows as installed you’ll need to restart corresponding services (eg. restart cPanel, apache, nginx, etc.) Being pressed for time, I’ve rebooted servers, after which they’ve passed testing.

Many blogs are adding updates to stress the need to restart services or reboot and to regenerate private keys. Companies are sending out additional communication as well. Some have sent as many as 3 emails all following up on Heartbleed. For example, TurnKey sent out this via email moments ago: “…installations are configured to install security updates automatically. Unfortunately, installing the update is not enough.” Over the coming days some will realize that the vulnerability wasn’t actually stopped with just patching.

I would love to write more but I started this post since this morning, had to break away and I’m not sure when I’ll be able to edit again. Hopefully what’s here is helpful. Feel free to post questions, suggestions and experiences below.

Related read: Heartbleed bug undoes Web encryption, reveals Yahoo passwords.

Tags: , ,