OpenSSL vulnerability (CVE-2014-0224)

rskotecha
Posts: 3
Joined: 2014/06/19 11:00:33

Re: OpenSSL vulnerability (CVE-2014-0224)

Post by rskotecha » 2014/06/24 06:30:06

Hi,
I'm currently using openssl-1.0.0-4 for CentOS 6. I would like to upgrade it to openssl 1.0.0m. However, I couldn't find 1.0.0-related rpms on the CentOS mirror. Where can I find them?

Thanks.

drk
Posts: 405
Joined: 2014/01/30 20:38:28

Re: OpenSSL vulnerability (CVE-2014-0224)

Post by drk » 2014/06/24 06:42:51

rskotecha wrote:
> Hi,
> I'm currently using openssl-1.0.0-4 for CentOS 6. I would like to upgrade it to openssl 1.0.0m. However, I couldn't find 1.0.0-related rpms on the CentOS mirror. Where can I find them?
>
> Thanks.

That looks like it is from 2012/04/25. If you haven't updated the rest of your system then you have bigger problems than just openssl.

TrevorH
Site Admin
Posts: 33218
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: OpenSSL vulnerability (CVE-2014-0224)

Post by TrevorH » 2014/06/24 07:34:42

Please look at post #2 of this thread for the latest versions that are applicable for CentOS. In common with the usual upstream patching policy, the fixes required have been backported to the CentOS versions, so it is not 1.0.0m that you need. This will entail updating to 6.5 and its 1.0.1e packages. If you have a requirement to stick with a 1.0.0 release then you'll need to take out a RHEL subscription and pay the extra required to get EUS support to get patches for 6.4.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

StormTheGates
Posts: 9
Joined: 2014/06/25 00:16:09

Re: OpenSSL vulnerability (CVE-2014-0224)

Post by StormTheGates » 2014/06/25 00:17:56

I have updated my CentOS with the yum update patches. However, when running my Nessus Vulnerability Scanner I still get:

According to its banner, the remote web server uses a version of OpenSSL 0.9.8 prior to 0.9.8za. The OpenSSL library is, therefore, reportedly affected by the following vulnerabilities:

- An error exists related to the implementation of the Elliptic Curve Digital Signature Algorithm (ECDSA) that could allow nonce disclosure via the 'FLUSH+RELOAD' cache side-channel attack. (CVE-2014-0076)

- A buffer overflow error exists related to invalid DTLS fragment handling that could lead to execution of arbitrary code. Note this issue only affects OpenSSL when used as a DTLS client or server. (CVE-2014-0195)

- An error exists related to DTLS handshake handling that could lead to denial of service attacks. Note this issue only affects OpenSSL when used as a DTLS client. (CVE-2014-0221)

- An unspecified error exists that could allow an attacker to cause usage of weak keying material leading to simplified man-in-the-middle attacks. (CVE-2014-0224)

- An unspecified error exists related to anonymous ECDH ciphersuites that could allow denial of service attacks. Note this issue only affects OpenSSL TLS clients. (CVE-2014-3470)

Solution

Upgrade to OpenSSL 0.9.8za or later.

Banner : Server: Apache/2.2.27 (Unix) mod_ssl/2.2.27 OpenSSL/0.9.8e-fips-rhel5 PHP/5.3.28
Installed version : 0.9.8e-fips-rhel5
Fixed version : 0.9.8za

TrevorH
Site Admin
Posts: 33218
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: OpenSSL vulnerability (CVE-2014-0224)

Post by TrevorH » 2014/06/25 02:08:21

The important part of that is "According to its banner", which means it's just doing a version check and not testing for the vulnerability itself. If you look those CVE numbers up on the Red Hat website in their CVE section, what does it say about them? Your Nessus scan is almost certainly returning a false positive.

lacquer
Posts: 4
Joined: 2014/06/26 02:03:59

Re: OpenSSL vulnerability (CVE-2014-0224)

Post by lacquer » 2014/06/26 08:33:54

Hi,
I'm looking for a patch for the openssl 0.9.7 of CentOS 4.7.
Or are there any other solutions?

TrevorH
Site Admin
Posts: 33218
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: OpenSSL vulnerability (CVE-2014-0224)

Post by TrevorH » 2014/06/26 08:41:23

CentOS 4 has been end of life for more than 2 years and you're running a version that's at least 2 years older than that. There are no more security patches for CentOS 4 and you should be migrating off it to something that is supported. If you cannot migrate then your only option is to buy a Red Hat subscription to the Extended Update Service, which supplies security patches for a little while longer, but that means you have to convert your CentOS to RHEL 4 first...

lacquer
Posts: 4
Joined: 2014/06/26 02:03:59

Re: OpenSSL vulnerability (CVE-2014-0224)

Post by lacquer » 2014/06/27 01:16:49

TrevorH, thank you for your answer!

spinmaster
Posts: 10
Joined: 2014/11/19 19:30:22

Re: OpenSSL vulnerability (CVE-2014-0224)

Post by spinmaster » 2014/11/19 19:35:27

I've patched my CentOS 5.11 with 0.9.8e-31.el5_11, yet keep getting positive hits for CVE-2014-0224 by Tripwire, SSL Labs, Red Hat and other scanners.

***CVE-2014-0224 Detection Tool v0.3***
Brought to you by Tripwire VERT (@TripwireVERT)
[TLSv1.2] **********************:443 may allow early CCS
[TLSv1.1] **********************:443 may allow early CCS
[TLSv1] **********************:443 may allow early CCS
[SSLv3] **********************:443 Invalid handhsake.
***This System Exhibits Potentially Vulnerable Behavior***
If this system is using OpenSSL, it should be upgraded.
============================
What else should I do to fix this?
Much appreciated.
Last edited by spinmaster on 2014/11/19 21:45:40, edited 1 time in total.

TrevorH
Site Admin
Posts: 33218
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: OpenSSL vulnerability (CVE-2014-0224)

Post by TrevorH » 2014/11/19 21:31:40

And you restarted all services that use openssl like httpd?

Perhaps you have a non-standard openssl installed. What do you get if you run locate libssl.so?
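Two checks that follow from the advice given in this thread, written as an added example (not code from the forum, from CentOS or from Red Hat). The first addresses the banner-based false positive: Red Hat backports security fixes without changing the upstream version string, so "0.9.8e" or "1.0.1e" stays in the Apache banner and the authoritative record of whether CVE-2014-0224 was fixed is the RPM changelog. The second addresses the "did you restart all services?" question: a process started before the update keeps the old, now unlinked libssl/libcrypto mapped, and the kernel marks such mappings "(deleted)" in /proc/PID/maps. The package name and CVE id are the ones discussed above; the function names and the sample data used to exercise them are assumptions made for this example.

```shell
#!/bin/sh
# Added example: post-update checks for a backported OpenSSL fix on CentOS/RHEL.
# Function names are illustrative; package name (openssl) and the CVE id come
# from the thread. No sample values below are taken from any real host.

# (a) Reads `rpm -q --changelog openssl` output on stdin and succeeds if the
#     changelog mentions the given CVE id. A banner scanner cannot see this.
changelog_mentions_cve() {
    grep -q -F -- "$1"
}

# (b) Reads lines of the form "<pid><TAB><maps line>" on stdin and prints the
#     pids that still map a libssl/libcrypto that was replaced on disk, i.e.
#     processes that were not restarted after the update.
stale_openssl_pids() {
    awk -F'\t' '$2 ~ /lib(ssl|crypto)\.so[^ ]* \(deleted\)$/ { print $1 }' | sort -u
}

# Emits "<pid><TAB><maps line>" for every process whose maps file is readable
# (run as root to see services such as httpd).
all_process_maps() {
    for m in /proc/[0-9]*/maps; do
        pid=${m#/proc/}
        pid=${pid%/maps}
        awk -v pid="$pid" '{ print pid "\t" $0 }' "$m" 2>/dev/null
    done
}

# Live run, only where rpm and /proc are available; the functions above can
# also be fed captured output (e.g. from a host you cannot log in to) offline.
if command -v rpm >/dev/null 2>&1 && [ -r /proc/self/maps ]; then
    cve=CVE-2014-0224
    if rpm -q --changelog openssl 2>/dev/null | changelog_mentions_cve "$cve"; then
        echo "openssl changelog mentions $cve: $(rpm -q openssl)"
    else
        echo "openssl changelog does NOT mention $cve; check 'rpm -q openssl' and update"
    fi
    stale=$(all_process_maps | stale_openssl_pids)
    if [ -n "$stale" ]; then
        echo "processes still using a replaced OpenSSL library (restart them):"
        for p in $stale; do
            printf '  %s  %s\n' "$p" "$(tr '\0' ' ' < "/proc/$p/cmdline" 2>/dev/null)"
        done
    else
        echo "no running process maps a replaced OpenSSL library"
    fi
fi
```

Run it as root right after `yum update openssl`; a non-empty list from the second check is the usual reason a host that is genuinely patched still fails a live early-CCS test, and `locate libssl.so` remains the way to find a second, non-RPM copy of the library that neither check covers.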
