Fix Openssl Heartbleed

Posted on Sunday March 13, 2016 / by Eric Potvin

The OpenSSL Heartbleed bug (CVE-2014-0160) allows a hacker to leak server memory in chunks of up to 64k. By trying repeatedly, he can gather crucial information about your system.

The worst thing a hacker can retrieve is the private keys, which means he now has the keys to decrypt any encrypted data. Other information a hacker can get includes users' cookies, or even users' usernames and passwords.

It is crucial to fix this issue by upgrading to version 1.0.1g or greater. You also have to revoke and regenerate keys and certificates, and reissue CA certs and the like, in the coming days.

Affected versions

The heartbleed bug was introduced in OpenSSL 1.0.1 and is present in

Verify the version

To check the version you can run this command:

openssl version -v
openssl version -b

This will output something like this:

OpenSSL 1.0.1 14 Mar 2012

built on: Wed Jan  8 20:45:51 UTC 2014

If the build date is older than Mon Apr 7 20:33:29 UTC 2014 and the version is 1.0.1, then you are vulnerable to the Heartbleed bug.
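As an added example (not part of the original post), the following POSIX sh function applies the two checks above to the text that `openssl version` and `openssl version -b` print, so the test can be scripted across many hosts. It assumes the post's rule that upstream 1.0.1g or later carries the fix, and it compares the build date at day granularity, which is a simplification of the timestamp quoted above.

```sh
#!/bin/sh
# Added example, not from the original post: classify an OpenSSL build using the
# post's two checks. Upstream letter releases are judged by the letter (1.0.1a-f
# vulnerable, 1.0.1g+ fixed); distro builds that report a plain "1.0.1" are
# judged by the "built on" date (before 7 Apr 2014 means the fix is missing).

# month_num NAME -> prints 1..12 (prints nothing if NAME is not a month)
month_num() {
  case "$1" in
    Jan) echo 1;;  Feb) echo 2;;  Mar) echo 3;;  Apr) echo 4;;
    May) echo 5;;  Jun) echo 6;;  Jul) echo 7;;  Aug) echo 8;;
    Sep) echo 9;;  Oct) echo 10;; Nov) echo 11;; Dec) echo 12;;
  esac
}

# heartbleed_status "VERSION_LINE" "BUILT_ON_LINE"
#   VERSION_LINE  : output of `openssl version`,    e.g. "OpenSSL 1.0.1f 6 Jan 2014"
#   BUILT_ON_LINE : output of `openssl version -b`, e.g. "built on: Wed Jan  8 20:45:51 UTC 2014"
# Prints one of: not-affected, patched, vulnerable, unknown
heartbleed_status() {
  ver=${1#OpenSSL }              # "1.0.1f 6 Jan 2014"
  ver=${ver%% *}                 # "1.0.1f"
  base=${ver%%[a-z]*}            # "1.0.1"
  letter=${ver#"$base"}          # "f" (empty for a plain "1.0.1")

  # Only the 1.0.1 series is affected; 0.9.8, 1.0.0 and 1.0.2+ are not.
  [ "$base" = "1.0.1" ] || { echo not-affected; return 0; }

  # Upstream letter releases: anything before g is in the affected range.
  case "$letter" in
    [a-f]) echo vulnerable; return 0 ;;
    ?*)    echo patched;    return 0 ;;
  esac

  # Plain "1.0.1" is what distro back-ports report, so fall back to the build
  # date. Split "built on: Wed Jan  8 20:45:51 UTC 2014" into words.
  set -- $(printf '%s\n' "$2")
  mon=$(month_num "$4"); day=${5#0}; year=$8
  [ -n "$mon" ] && [ -n "$day" ] && [ -n "$year" ] || { echo unknown; return 0; }
  built=$(printf '%04d%02d%02d' "$year" "$mon" "$day")   # e.g. 20140108
  if [ "$built" -lt 20140407 ]; then echo vulnerable; else echo patched; fi
}

# Run against this host (prints not-affected when no 1.0.1 build is installed).
if command -v openssl >/dev/null 2>&1; then
  heartbleed_status "$(openssl version)" "$(openssl version -b)"
fi
```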

Update

Update the repository:

sudo apt-get update

Upgrade the openssl package:

sudo apt-get upgrade openssl libssl-dev
apt-cache policy openssl libssl-dev

Verify the version

To check the version you can run this command:

openssl version -b

Now the date will be changed to Apr 7, 2014.

built on: Mon Apr  7 20:31:55 UTC 2014

Install version 1.0.1g

You can install it from source if you prefer. You need to get it from the openssl.org website:

curl https://www.openssl.org/source/openssl-1.0.1g.tar.gz | tar xz && cd openssl-1.0.1g && sudo ./config && sudo make && sudo make install

Replace old openssl

Now, let's replace the old OpenSSL binary file with the new one.

sudo ln -sf /usr/local/ssl/bin/openssl `which openssl`

Verify version

Verify the version:

openssl version

This will return:

OpenSSL 1.0.1g 7 Apr 2014