Dealing with HeartBleed

Published on: April 8, 2014
Difficulty: Medium

Full explanation of the HeartBleed bug: http://heartbleed.com/

The Heartbleed vulnerability affects CentOS 6 servers whose installed OpenSSL package is older than 1.0.1e-16.el6_5.7.

You can check the installed package version over SSH as follows:

root@server.hostname.com:~# rpm -qa | grep openssl
openssl-1.0.1e-16.el6_5.7.x86_64
openssl-devel-1.0.1e-16.el6_5.7.x86_64

If the vulnerability checker tool linked above reports a server as vulnerable, update the package:

yum -y update openssl

Then restart the affected services:

/scripts/restartsrv http;
/scripts/restartsrv ftp;
/scripts/restartsrv exim;
/scripts/restartsrv imap;
service cpanel restart;

A quick restart of each service ensures the updated OpenSSL library is loaded into memory. Until those processes are restarted, they keep using the old library they loaded at start-up and therefore remain vulnerable.

After performing the fix noted above, verify that the issue has been resolved with the vulnerability checker.
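The version check and the restart step above can be automated locally. The following script is an added example, not part of the original article: it compares the installed openssl package against the fixed version named above and lists every process that still has a replaced (deleted-on-disk) libssl or libcrypto mapped, which is exactly the set of services that must be restarted. It assumes a Linux /proc filesystem, GNU sort with -V, and, for the live check only, the rpm command.

```shell
#!/bin/sh
# Added example (not from the original article): check whether the installed
# openssl package is at least the fixed CentOS 6 build named in the article,
# and list processes that still map a replaced libssl/libcrypto, i.e. the ones
# that must be restarted. Assumes a Linux /proc, GNU sort (-V) and, for the
# live RPM check only, the rpm command.

FIXED_OPENSSL="1.0.1e-16.el6_5.7"   # fixed version-release from the article

# Reduce an NVRA string such as openssl-1.0.1e-16.el6_5.7.x86_64 (or the
# openssl-devel equivalent) to its version-release: 1.0.1e-16.el6_5.7
openssl_vr() {
    printf '%s\n' "$1" | sed -e 's/^openssl-devel-//' -e 's/^openssl-//' -e 's/\.[^.]*$//'
}

# Exit 0 when version-release $1 sorts at or after $2 in GNU version order.
vr_ge() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# Exit 0 when the package named by NVRA $1 carries the fix.
openssl_is_patched() {
    vr_ge "$(openssl_vr "$1")" "$FIXED_OPENSSL"
}

# Live check of the RPM database on the host.
check_installed_openssl() {
    for pkg in $(rpm -qa openssl openssl-devel 2>/dev/null); do
        if openssl_is_patched "$pkg"; then
            echo "OK         $pkg"
        else
            echo "VULNERABLE $pkg -> run: yum -y update openssl"
        fi
    done
}

# Processes whose mapped libssl/libcrypto was replaced on disk by the update:
# /proc/<pid>/maps marks such mappings "(deleted)", and the process keeps the
# pre-update code in memory until it is restarted.
procs_using_stale_openssl() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        if grep -E -q 'lib(ssl|crypto)[^ ]* \(deleted\)' "$maps" 2>/dev/null; then
            printf '%s %s\n' "$pid" "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
        fi
    done
}

# Run the live checks only when invoked as: sh heartbleed_check.sh --live
if [ "${1:-}" = "--live" ]; then
    check_installed_openssl
    echo "--- processes still using a replaced OpenSSL library (restart these):"
    procs_using_stale_openssl
fi
```

Run it with --live before and after the yum update: the first list should turn from VULNERABLE to OK, and the second list should be empty once every service has been restarted. The sample package strings used in the comparison functions are constructed from the version format shown in the rpm output above.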

After resolving the issue, as a safety precaution, you should generate a new CSR for your SSL certificates and have them reissued. Per the article linked at the top, any SSL certificate compromised while the vulnerability was active remains subject to attack even after the fix. Contact the issuer of your SSL certificate to obtain the new certificate. An installation process for WHM and cPanel is documented on this site for your convenience.
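The reissue step hinges on one detail: the CSR has to be built from a brand-new private key, because the old key may have been read out of server memory while the bug was live. The following function is an added example, not part of the original article, and it is not the WHM/cPanel procedure referred to above. It generates a fresh RSA key and CSR with the openssl command line, then checks that the CSR verifies and actually belongs to the new key before it is sent to the issuer. The hostname and output directory are operator-supplied assumptions.

```shell
#!/bin/sh
# Added example, not part of the original article: generate a brand-new private
# key plus a CSR to submit to the certificate issuer after the Heartbleed fix,
# then verify that the CSR belongs to that key. The old key must be treated as
# leaked, so the CSR is never built from it. Assumes the openssl CLI; the
# hostname and output directory are supplied by the operator.

# usage: make_reissue_csr <fqdn> <output-dir>
# The body is a subshell so the restrictive umask does not leak into the caller.
make_reissue_csr() (
    host="$1"
    outdir="$2"
    key="$outdir/$host.key"
    csr="$outdir/$host.csr"
    umask 077                        # key, CSR and directory readable by the owner only
    mkdir -p "$outdir" || return 1
    # -newkey creates a fresh 2048-bit RSA key; -nodes leaves it unencrypted
    # so the web server can load it without a passphrase at start-up
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$key" -out "$csr" -subj "/CN=$host" >/dev/null 2>&1 || return 1
    # the CSR carries a self-signature: it must verify with the embedded public key
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
    # and that public key must be the one belonging to the new private key
    key_mod=$(openssl rsa -in "$key" -noout -modulus) || return 1
    csr_mod=$(openssl req -in "$csr" -noout -modulus) || return 1
    [ -n "$key_mod" ] && [ "$key_mod" = "$csr_mod" ]
)
```

After the function succeeds, send only the .csr file to the issuer; the .key file stays on the server, and once the reissued certificate is installed the previous certificate should be revoked with the issuer so that a copy of the old key is of no further use.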
