(黃獻德) Hsien-De Huang | E-Mail: TonTon (at) TWMAN.ORG | TonTon (痛痛)
Malware Analysis Network in Taiwan (MiT) | 惡意程式分析網在台灣 (抬丸郎)
Deep Learning (深度學習), Malware Analysis (惡意程式分析), Ontology (知識本體)
Android Reverse Engineering (Android 逆向工程), Type-2 Fuzzy Logic (第二型模糊邏輯)


April 29, 2014

Heartbleed - OpenSSL CVE-2014-0160 (CentOS 6.5)

Well! This was a hot topic a while back ... a customer happened to ask me about it, so I put together a quick note ... next time I can just Ctrl+A, Ctrl+C, Ctrl+V it into a report for the customer! xDDDDD

Heartbleed - OpenSSL CVE-2014-0160
Affected OpenSSL versions and OS versions

The bug is a missing bounds check in OpenSSL's TLS/DTLS heartbeat extension handler: a peer (client or server) can request up to 64 KB of the other side's process memory per heartbeat message, which may contain private keys, session cookies and passwords, and the read leaves no trace in the application log.

OpenSSL 1.0.1 through 1.0.1f are vulnerable
OpenSSL 1.0.1g (the latest release at the time of writing) fixes the vulnerability
OpenSSL 1.0.1g is NOT vulnerable
The OpenSSL 0.9.8 / 1.0.0 branches are NOT vulnerable (they do not implement the heartbeat extension)

Some operating system distributions that have shipped with potentially vulnerable OpenSSL versions:
Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
CentOS 6.5, OpenSSL 1.0.1e-15
Fedora 18, OpenSSL 1.0.1e-4
OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May 2012)
FreeBSD 10.0 - OpenSSL 1.0.1e 11 Feb 2013
NetBSD 5.0.2 (OpenSSL 1.0.1e)
OpenSUSE 12.2 (OpenSSL 1.0.1c)

Operating system distributions with versions that are not vulnerable:
Debian Squeeze (oldstable), OpenSSL 0.9.8o-4squeeze14
SUSE Linux Enterprise Server
FreeBSD 8.4 - OpenSSL 0.9.8y 5 Feb 2013
FreeBSD 9.2 - OpenSSL 0.9.8y 5 Feb 2013
FreeBSD 10.0p1 - OpenSSL 1.0.1g (At 8 Apr 18:27:46 2014 UTC)
FreeBSD Ports - OpenSSL 1.0.1g (At 7 Apr 21:46:40 2014 UTC)

Build 1.0.1g from source. The default ./config installs under /usr/local/ssl, separate from the distribution's libraries in /usr/lib64, so this does not touch what the system services load. Verify the tarball against the .asc PGP signature (or at least the .sha1 checksum) published next to it on openssl.org before building.

# wget http://www.openssl.org/source/openssl-1.0.1g.tar.gz
# tar -zxf openssl-1.0.1g.tar.gz
# cd openssl-1.0.1g
# ./config
# make
# make install

Check the version at this point: it should still report the old build, because /usr/bin/openssl still points at the distribution's binary. xD

Point the openssl command at the freshly built binary:

# mv /usr/bin/openssl /usr/bin/openssl.bak
# ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
# openssl version


使用 yum進行更新仍舊只能更新到 1.0.1e,需採用如上圖之方法手動替系統更新

Alternatively, install rebuilt 1.0.1g RPMs for EL6 (see the last reference below). Note that --force --nodeps skips RPM's dependency checks, which is how the first reference article ended up with missing library files. After the libraries are replaced, restart every service that links libssl (lsof -n | grep DEL lists processes that still map the deleted library) or simply reboot; until then the old, vulnerable code is still running in memory.

# rpm -Uvh openssl-1.0.1g-1.el6.x86_64.rpm openssl-devel-1.0.1g-1.el6.x86_64.rpm  openssl-libs-1.0.1g-1.el6.x86_64.rpm openssl-static-1.0.1g-1.el6.x86_64.rpm --force --nodeps


openssl 1.0.1e "Heartbleed" CentOS 6.5 vulnerability status


There are also test tools available online for checking a server remotely.

Finally, some related articles for reference:

Missing library files after a forced upgrade of OpenSSL from 1.0.1e or below

The OpenSSL "heartbleed" security vulnerability / upgrading OpenSSL to 1.0.1g

OpenSSL 1.0.1g for CentOS