Solved

How can I identify EMERGING THREAT – OpenSSL “HeartBleed” Vulnerability in our Linux servers

Posted on 2014-04-09
3
326 Views
Last Modified: 2014-07-29
Please let me know the commands to verify if OpenSSL versions 1.0.1 through 1.0.1f are installed, running or being use in my Linux servers.I have 200 Linux servers and vm's
0
Comment
Question by:oo_tatang
3 Comments
 
LVL 48

Expert Comment

by:Tintin
ID: 39990667
To check the package versions depends on which Linux distro you are using.

To check the openssl version, just run

openssl version
0
 
LVL 29

Expert Comment

by:serialband
ID: 39990734
You can scan your server here:  http://filippo.io/Heartbleed/

There's more information about Heartbleed here: http://heartbleed.com/

Here's a howto:
http://www.howtoforge.com/find_out_if_server_is_affected_from_openssl_heartbleed_vulnerability_cve-2014-0160_and_how_to_fix

Just because you have the version, doesn't mean you are vulnerable.  You may be patched, if your distro released a compiled version without the heartbeat..  You can probably just grep for the variable in the lib to see if it exists or not.
egrep dtls1_process_heartbeat libssl.so.1.0.0

http://www.experts-exchange.com/OS/Linux/Q_28402987.html#a39987838
0
 
LVL 22

Accepted Solution

by:
blu earned 500 total points
ID: 39993964
Keep in mind that outgoing connections are potentially vulnerable too. Any process that uses OpenSSL to implement its SSL client functions is also vulnerable. And sometimes a package will include a private copy of OpenSSL so it may not be obvious that a particular packe is vulnerable and needs patching. You need to do an audit of your incoming and outgoing network connections and then identify the products making those connections and determine their risk. If your servers only accept incoming connections then your task is much easier. But if they connect to other systems on occasion, then you need to look at those client processes too.
0

Featured Post

U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
AWS - HAProxy- KeepAlived 5 51
Choosing CentOS 16 108
fedora linux on laptop - setup sendmail - or some kind of email 5 55
CENTOS DHCP Server / PXE/TFTP 14 155
I promised to write further about my project, and here I am.  First, I needed to setup the Primary Server.  You can read how in this article: Setup FreeBSD Server with full HDD encryption (http://www.experts-exchange.com/OS/Unix/BSD/FreeBSD/A_3660-S…
SSH (Secure Shell) - Tips and Tricks As you all know SSH(Secure Shell) is a network protocol, which we use to access/transfer files securely between two networked devices. SSH was actually designed as a replacement for insecure protocols that sen…
Learn how to get help with Linux/Unix bash shell commands. Use help to read help documents for built in bash shell commands.: Use man to interface with the online reference manuals for shell commands.: Use man to search man pages for unknown command…
In a previous video, we went over how to export a DynamoDB table into Amazon S3.  In this video, we show how to load the export from S3 into a DynamoDB table.

829 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question