OpenSSL HeartBleed Bug – Explanation and fix

Heartbleed is a recently discovered small bug that relates to the OpenSSL’s implementation of the TLS ‘heartbeat’ mechanism.

The bug is present only in the OpenSSL versions 1.0.1 through 1.0.1f!

By exploiting this bug, an attacker can request that a running TLS server hand over a relatively large slice (up to 64KB) of its private memory space. Since this is the same memory space where OpenSSL also stores the server’s private key material, an attacker can potentially obtain data such as:

1) private keys
2) TLS session keys
3) confidential data
4) session ticket keys.

The remedy

You can test if a given server is vulnerable using this tool: http://filippo.io/Heartbleed/ (enter your domain as for example: yourdomain.name:443)

To check the OpenSSL version running on your server, use the following command via SSH:

CentOS

# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013

Ubuntu

# dpkg -s openssl | grep Version
Version: 1.0.1-4ubuntu5.6

Having identified a problem, the first step is to patch OpenSSL. Fortunately this is relatively easy. The 1.0.1g version is not vulnerable, and Debian has a patch. You can also recompile OpenSSL with the -DOPENSSL_NO_HEARTBEATS option.

Installing OpenSSL 1.0.1g on CentOS:

# cd /usr/local/src
# wget -N http://www.openssl.org/source/openssl-1.0.1g.tar.gz
# tar -xzvf openssl-1.0.1g.tar.gz
# cd openssl-1.0.1g
# ./config
# make
# make install
# alias cp=cp
# cp /usr/local/ssl/bin/openssl /usr/bin/openssl
# cd /usr/local/ssl/include
# ln -s /usr/local/ssl/include/openssl openssl

Once done, check the version again and restart the web server:

# openssl version
OpenSSL 1.0.1g 7 Apr 2014

Restart any services using SSL.

Installing OpenSSL 1.0.1g on Ubuntu:

# apt-get update
# apt-get install -y openssl libssl1.0.0

Restart any services using SSL.

What’s the TLS Heartbeat mechanism ?

The TLS Heartbeat mechanism is designed to keep connections alive even when no data is being transmitted. Heartbeat messages sent by one peer contain random data and a payload length. The other peer is suppose to respond with a mirror of exactly the same data.

If you want to read more about this, the best written article I’ve found on this topic can be found here: http://blog.cryptographyengineering.com/2014/04/attack-of-week-openssl-heartbleed.html

Netgear WG102 with latest firmware doesn’t allow MacBook Air to connect

wg102_tcm122-53787Its a really annoying problem – the Wifi works for a lot of laptops but not with others.

The problem we had was with a 2013 MacBook Air connecting to a NetGear WG102 with the latest firmware 5.0.3

A 2012 MacBook Pro Retina and numerous other laptops were fine, but the issue persisted with the MacBook Air.

To solve the problem, we reverted the access point back to 5.0.1 (download only the right version for where you are in the world). All devices can then access the wifi.

http://kb.netgear.com/app/answers/detail/a_id/10899/~/wg102-firmware-version-5.0.1