Home » Ubuntu » [Troubleshooting] How to fix HeartBleed openSSL bug on Ubuntu

[Troubleshooting] How to fix HeartBleed openSSL bug on Ubuntu

By Alex - in , , , - on 4/10/2014 - pencil
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
Step 1. Check vulnerable status:
M1: On website: http://possible.lv/tools/hb/
M2: With perl file. Download that file at here and run this command:
sudo chmod +rx check-ssl-heartbleed.pl
perl check-ssl-heartbleed.pl full_url:443
For example:
perl check-ssl-heartbleed.pl chungkol.com:443
Not vulnerable result:
...ssl received type=22 ver=0x302 ht=0x2 size=54
...ssl received type=22 ver=0x302 ht=0xb size=1635
...ssl received type=22 ver=0x302 ht=0xc size=521
...ssl received type=22 ver=0x302 ht=0xe size=0
...send heartbeat#1
no reply - probably not vulnerable
Vulnerable result:
...ssl received type=22 ver=0x302 ht=0x2 size=54
...ssl received type=22 ver=0x302 ht=0xb size=1635
...ssl received type=22 ver=0x302 ht=0xc size=521
...ssl received type=22 ver=0x302 ht=0xe size=0
...send heartbeat#1
...ssl received type=24 ver=302 size=16384
BAD! got 16384 bytes back instead of 3 (vulnerable)
Step 2. Check current version:
dpkg -l |grep openssl
openssl version -a
Step 3.  Upgrade openSSL to 1.0.1g or 1.0.2-beta1
M1. Get openSSL lastest version on http://www.openssl.org/source and upgrade it
M2. Use apt-get command:
sudo apt-get update
sudo apt-get -f upgrade openssl