Thursday, August 23, 2018

OpenSSL ChangeCipherSpec vulnerability - ubuntu solution



I checked a site with this tool and the result came back: "This server is vulnerable to the OpenSSL CCS vulnerability (CVE-2014-0224) and exploitable."




I searched around and found that, to not be vulnerable, the version must be higher than this output:



OpenSSL 1.0.1 14 Mar 2012
built on: Mon Jun 2 19:37:18 UTC 2014


My current version is



OpenSSL 1.0.1c 10 May 2012
built on: Fri May 2 20:25:02 UTC 2014



I tried a couple of ways to upgrade my openssl, like this and this, but I still get the same version. For example, when I execute sudo apt-get dist-upgrade I get this message:



Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.



The first time I ran this command, packages were installed and I rebooted my machine with sudo reboot.



Any clue how I can update my OpenSSL to avoid this vulnerability? Anything else I might be missing?
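The question compares two `openssl version -a` outputs by version string and build date. The following is an added example, not code from the question or answer, that does that comparison for CVE-2014-0224 in a repeatable way: it parses the version line and the "built on:" line, checks the upstream letter release (the fix shipped in 0.9.8za, 1.0.0m and 1.0.1h), and, because distributions such as Ubuntu backport fixes without changing the upstream version string, falls back to the build date. The 2 June 2014 build-date threshold is taken from the question's own "must be higher than" output and is an assumption, not an official cut-off; a recent build date only means "possibly backported" and should be confirmed against the distribution's package changelog. The sample outputs at the bottom are constructed.

```python
import re
from datetime import datetime

VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")
BUILT_RE = re.compile(r"built on:\s*(.+)")

# Earliest upstream letter release per branch carrying the CCS fix
# (the OpenSSL releases of 5 June 2014).
FIXED_LETTER = {(0, 9, 8): "za", (1, 0, 0): "m", (1, 0, 1): "h"}

# Earliest "built on" date the question's scanner accepted for a 1.0.1
# distro build. Taken from the question text; an assumption, not an
# official threshold.
BACKPORT_DATE = datetime(2014, 6, 2)


def _parse_built_on(s):
    """Turn 'Mon Jun 2 19:37:18 UTC 2014' into a date; None if unparsable."""
    tok = s.split()
    year = next((t for t in tok if re.fullmatch(r"\d{4}", t)), None)
    if year is None or len(tok) < 3:
        return None
    try:
        # Keep only month, day and year so the timezone token and its
        # position (it moved in later OpenSSL releases) do not matter.
        return datetime.strptime(f"{tok[1]} {tok[2]} {year}", "%b %d %Y")
    except ValueError:
        return None


def parse_openssl_version(text):
    """Return ((major, minor, patch), letter, built_on) from 'openssl version -a' output."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no OpenSSL version line found")
    version = tuple(int(x) for x in m.group(1, 2, 3))
    b = BUILT_RE.search(text)
    built_on = _parse_built_on(b.group(1)) if b else None
    return version, m.group(4), built_on


def _letter_key(letter):
    # OpenSSL letters run a..z and then za, zb, ...; an empty letter is
    # the base release, which sorts first.
    return (len(letter), letter)


def ccs_status(text):
    """Classify a build with respect to CVE-2014-0224 (CCS injection)."""
    version, letter, built_on = parse_openssl_version(text)
    fixed = FIXED_LETTER.get(version)
    if fixed is None:
        # 1.0.2 and later were released after the fix; anything older
        # than 0.9.8 is long unsupported and is treated as vulnerable.
        return "not-affected" if version > (1, 0, 1) else "vulnerable"
    if _letter_key(letter) >= _letter_key(fixed):
        return "fixed-upstream"
    if built_on is not None and built_on >= BACKPORT_DATE:
        # Old version string but a recent build: a distribution may have
        # backported the fix. Confirm against the package changelog
        # before trusting this verdict.
        return "possibly-backported"
    return "vulnerable"


if __name__ == "__main__":
    # Constructed samples; the first two mirror the outputs in the question.
    samples = {
        "asker's server": "OpenSSL 1.0.1c 10 May 2012\nbuilt on: Fri May 2 20:25:02 UTC 2014",
        "scanner threshold": "OpenSSL 1.0.1 14 Mar 2012\nbuilt on: Mon Jun 2 19:37:18 UTC 2014",
        "upstream 1.0.1h": "OpenSSL 1.0.1h 5 Jun 2014\nbuilt on: Thu Jun 5 10:00:00 UTC 2014",
        "upstream 0.9.8za": "OpenSSL 0.9.8za 5 Jun 2014",
        "later branch": "OpenSSL 1.0.2k-fips 26 Jan 2017",
    }
    for name, out in samples.items():
        print(f"{name:18s} -> {ccs_status(out)}")
```

Run it as a script to see the verdict for each sample, or feed it the real output of `openssl version -a` from the host you are checking. The "possibly-backported" result is deliberately not "fixed": on a distribution that backports, the package's own version and changelog are the authoritative record, and on a release that has left support (the answer's point) no such package will ever arrive.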


Answer



OK, as suggested in the question comments, your problem is that you are running Ubuntu 12.10, which stopped being supported earlier this year, just about a month before the OpenSSL CCS issue was published. Hence, there aren't any good OpenSSL versions for Ubuntu 12.10, and there won't be.



Getting openssl/libssl packages from a newer Ubuntu might not be trivial, given that other packages you have installed might depend on a specific openssl version. I seem to recall libssl being fairly version-critical when compiled against.



While there are things you could do, such as backporting the fix yourself (non-trivial), you really need to upgrade to a supported version of Ubuntu, given all the other potential security issues in other packages. Especially since you appear to be running a web server, which usually has a fairly large attack surface.




For a server you usually want to go with an LTS version of Ubuntu. Especially these days, with the new non-LTS versions only being supported for nine months, and the LTS versions getting five years of support. The current LTS versions are Ubuntu 12.04 and Ubuntu 14.04.

