CVE-2014-0224: CCS Injection Vulnerability could allow for a man-in-the-middle attack against an encrypted connection.
SSL/TLS connections typically allow for encrypted traffic to pass between two parties where only the intended senders and recipients can decrypt data. In the event of a man-in-the-middle attack, an attacker could intercept an encrypted data stream allowing them to decrypt, view and then manipulate said data.
The vulnerability can only be exploited if both the server and the client are vulnerable to this issue. If only one of the two is vulnerable, there is no risk of exploitation. Servers running OpenSSL versions below 1.0.1 are not vulnerable, but those running 1.0.1 or higher are affected.
Clients using OpenSSL versions below 1.0.1 connecting to servers running OpenSSL versions 1.0.1 and higher are vulnerable and should be updated.
To apply the changes on running servers, you can manually update the built-in OpenSSL version. To apply the update to new servers that are launched, you can change the software repository date to install the latest OpenSSL version.
Note: If you are using a v13 ServerTemplate (published by RightScale), your server may already have the security updates feature enabled. If it is enabled (Enable security updates = text:enable), you can reboot the server to apply the patch automatically to a running server.
On a running Ubuntu 12.04-LTS server, navigate to the server's Scripts tab in the dashboard and run the recipe rightscale::setup_security_updates. This is usually located in the Boot Scripts section. In the confirmation window, click the "Show advanced" option, select "text:enable" from the dropdown, then click Continue. (Note: This will ONLY unfreeze the security repository, which allows the latest security updates to be installed.)
After the recipe has completed successfully, verify that the repository was changed properly:
~# cat /etc/apt/sources.list.d/rightscale.sources.list | grep -i security
deb http://cf-mirror.rightscale.com/ubuntu_daily/latest precise-security main restricted multiverse universe
deb http://island5.rightscale.com/ubuntu_daily/latest precise-security main restricted multiverse universe
Once the security repository has been changed, you can proceed with applying the security update on the server by running the rightscale::do_security_updates operational script. This performs a system package update to download and install the latest security patches.
Again, once the recipe has completed, you can SSH into the server to verify that the 'openssl' package was properly updated to the latest version:
Ubuntu 14.04 LTS:
libssl1.0.0 1.0.1f-1ubuntu2.2
Ubuntu 12.04 LTS:
libssl1.0.0 1.0.1-4ubuntu5.14
After a standard system update, a system reboot is recommended to apply all the necessary changes.
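Checking the version by eye is error-prone (1.0.1-4ubuntu5.9 sorts after 1.0.1-4ubuntu5.14 as a plain string). The following Python script, added here and not part of the RightScale article or its ServerTemplates, compares the libssl1.0.0 version reported by dpkg-query against the fixed versions listed above using Debian's version-ordering rules; the dpkg-query lines and the release codenames (precise, trusty) are assumptions constructed for the example.

```python
import re

# Fixed libssl1.0.0 versions listed in the article above, by release codename.
FIXED_VERSIONS = {
    "precise": "1.0.1-4ubuntu5.14",  # Ubuntu 12.04 LTS
    "trusty": "1.0.1f-1ubuntu2.2",   # Ubuntu 14.04 LTS
}

# Constructed sample output of: dpkg-query -W -f='${Package} ${Version}\n' libssl1.0.0
SAMPLE_PRECISE_OLD = "libssl1.0.0 1.0.1-4ubuntu5.12"  # constructed: still unpatched
SAMPLE_TRUSTY_NEW = "libssl1.0.0 1.0.1f-1ubuntu2.2"   # constructed: patched

def _key(s):
    # Debian ordering of a non-digit run: '~' sorts before everything, even the
    # end of the string (the trailing 0); letters sort before other symbols.
    return tuple(-1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256 for c in s) + (0,)

def _cmp_part(a, b):
    # Alternate non-digit runs (lexical, Debian order) and digit runs (numeric).
    while a or b:
        ma, mb = re.match(r"\D*", a), re.match(r"\D*", b)
        ka, kb = _key(ma.group()), _key(mb.group())
        if ka != kb:
            return -1 if ka < kb else 1
        a, b = a[ma.end():], b[mb.end():]
        ma, mb = re.match(r"\d*", a), re.match(r"\d*", b)
        na, nb = int(ma.group() or 0), int(mb.group() or 0)
        if na != nb:
            return -1 if na < nb else 1
        a, b = a[ma.end():], b[mb.end():]
    return 0

def compare_versions(v1, v2):
    """Return -1, 0 or 1 like `dpkg --compare-versions` for [epoch:]upstream[-revision]."""
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "")
        return int(epoch), upstream, revision
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_part(u1, u2) or _cmp_part(r1, r2)

def is_patched(dpkg_line, release):
    """True if the libssl1.0.0 version on a dpkg-query line is at or above the fix."""
    package, version = dpkg_line.split()
    if package != "libssl1.0.0":
        raise ValueError("unexpected package: " + package)
    return compare_versions(version, FIXED_VERSIONS[release]) >= 0
```

On a real server, feed the output of the dpkg-query command shown in the comment to is_patched together with the release codename.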
For new servers, enable the security update input before launching the server. This can be found under the RIGHTSCALE category. (Note: It is an advanced input, so you must click on the "Show advanced inputs" option to see it in the dashboard.)
Enable security updates (rightscale/security_updates) = text:enable
Unfortunately, the steps outlined above cannot be used for CentOS without running the risk of updating other packages, which might break package compatibility. The problem with CentOS is that it does not allow you to do a security update alone (whereas Ubuntu does because of a separate security repository). The only way to apply the latest security updates is to unfreeze all repos and update from latest.
Alternatively, you can create a RightScript to download and install the openssl package and libraries directly from the RightScale mirror. Put the script in the boot sequence so the package is updated on server launch:
openssl-1.0.1e-16.el6_5.14.x86_64.rpm
openssl-devel-1.0.1e-16.el6_5.14.x86_64.rpm
openssl-static-1.0.1e-16.el6_5.14.x86_64.rpm
© 2006-2014 RightScale, Inc. All rights reserved.