Heartbleed, OpenSSL, FreeBSD checks and updates.

mmaxx

Some notes which may be of use to other FreeBSD users experiencing similar issues.

1. freebsd-update to get the latest patched version of the BASE install you are using. This will take care of the libssl which comes with the OS.

2. You must check for other versions of libssl on your machine. CustomBuild and DA, for example, may use OpenSSL installed from ports/packages, which won't be updated when you fix the OS.

Code:
# locate libssl
/usr/lib/dovecot/libssl_iostream_openssl.a
/usr/lib/dovecot/libssl_iostream_openssl.la
/usr/lib/dovecot/libssl_iostream_openssl.so
/usr/lib/libssl.a
/usr/lib/libssl.so
/usr/lib/libssl.so.6                       <---- OS version, updated with freebsd-update
/usr/lib/libssl_p.a
/usr/lib32/libssl.a
/usr/lib32/libssl.so
/usr/lib32/libssl.so.6
/usr/lib32/libssl_p.a
/usr/local/lib/libssl.a
/usr/local/lib/libssl.so
/usr/local/lib/libssl.so.8                 <---- third-party version installed from pkg/ports

You need to interrogate the configuration to see which one apache is using:

Code:
# ldd `which httpd` | grep ssl
        libssl.so.8 => /usr/local/lib/libssl.so.8 (0x8009a9000)

Then check which version of OpenSSL that lib comes from :

Code:
# strings  /usr/local/lib/libssl.so.8 | grep "^OpenSSL "
OpenSSL 1.0.1e 11 Feb 2013

So, even though

Code:
# openssl version
OpenSSL 0.9.8y 5 Feb 2013

reports a safe version (FreeBSD 9.2 p3), your httpd/apache is linked to and running with an unsafe version.

3. Resolution is to remove the affected version and update to a newer version.

3.1 I had to deinstall the old package and install the latest port for openssl (at the time there was no updated package yet, but ports had an updated one).
NOTE: Doing this on a production machine will make WEB and EMAIL services unavailable until you are done.

Code:
# pkg_info | grep ssl
openssl-1.0.1_8     SSL and crypto library

# portsnap fetch extract
....

# pkg_delete openssl-1.0.1_8

# cd /usr/ports/security/openssl/ ; make ; make install

# apachectl stop
# apachectl start

Your problem should now be solved.

PS: Thanks to the folks at nginx, I found some handy hints there:

http://nginx.com/blog/nginx-and-the-heartbleed-vulnerability/
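The steps above (locate every libssl, ldd the daemon, read the banner out of the library, decide whether it is safe) can be scripted. The following is an added example, not mmaxx's commands or anything shipped by FreeBSD or DirectAdmin; the daemon names, the mod_ssl.so paths and the library directories it scans are assumptions for a typical FreeBSD/DirectAdmin host, and the version classification is the published affected range (1.0.1 through 1.0.1f, plus 1.0.2-beta1).

```shell
#!/bin/sh
# Added example (not from the post above): find every libssl on the box, see
# which one each network daemon or SSL module really loads, and classify the
# banner compiled into it. The daemon names, module paths and library
# directories are assumptions for a typical FreeBSD/DirectAdmin host.

PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:$PATH

# True when "$1" is the banner of a Heartbleed-affected release: 1.0.1 up to
# and including 1.0.1f, plus 1.0.2-beta1. 0.9.8 and 1.0.0 predate the TLS
# heartbeat extension; 1.0.1g is the first fixed 1.0.1 release.
heartbleed_affected() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9a-z.-]*\).*/\1/p')
    case "$ver" in
        1.0.1|1.0.1[a-f]|1.0.1[a-f]-*|1.0.2-beta1) return 0 ;;
        *) return 1 ;;
    esac
}

# Path of the libssl shared object that ELF file "$1" links against, if any.
libssl_of() {
    ldd "$1" 2>/dev/null |
        awk '/libssl\.so/ { for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; exit } }'
}

# The "OpenSSL x.y.z date" banner embedded in library "$1" (what the post
# reads out with strings | grep).
lib_banner() {
    strings "$1" 2>/dev/null | sed -n '/^OpenSSL [0-9]/{p;q;}'
}

# Report one binary or module: the libssl it loads, its banner, the verdict.
check_object() {
    lib=$(libssl_of "$1")
    if [ -z "$lib" ]; then
        printf '%s: not linked against libssl (may still dlopen one)\n' "$1"
        return 0
    fi
    banner=$(lib_banner "$lib")
    if heartbleed_affected "$banner"; then verdict=VULNERABLE; else verdict=ok; fi
    printf '%s -> %s (%s): %s\n' "$1" "$lib" "${banner:-no banner found}" "$verdict"
}

# Assumed scan targets. mod_ssl.so is listed separately because with a modular
# Apache the httpd binary itself may not link libssl at all; the module does.
DAEMONS="httpd nginx dovecot exim sshd"
MODULES="/usr/local/libexec/apache24/mod_ssl.so /usr/local/libexec/apache22/mod_ssl.so"
LIBDIRS="/usr/lib /usr/lib32 /usr/local/lib"

scan() {
    for d in $DAEMONS; do
        if bin=$(command -v "$d" 2>/dev/null); then
            check_object "$bin"
        else
            printf '%s: not installed\n' "$d"
        fi
    done
    for m in $MODULES; do
        if [ -f "$m" ]; then check_object "$m"; fi
    done
    # Inventory every libssl copy, including ones nothing in the lists above
    # links against; anything else (PHP, exim, a custom build) may load them.
    for dir in $LIBDIRS; do
        for lib in "$dir"/libssl.so.*; do
            [ -f "$lib" ] || continue
            banner=$(lib_banner "$lib")
            if heartbleed_affected "$banner"; then v=VULNERABLE; else v=ok; fi
            printf '%s (%s): %s\n' "$lib" "${banner:-no banner found}" "$v"
        done
    done
}

scan
```

Run it as root so ldd and strings can read every binary, then run it again after the port upgrade: every daemon it reported must be restarted, because a running process keeps the old library mapped until it restarts even after the file on disk has been replaced. Treat the banner as triage rather than proof: a vendor can backport the fix without changing the banner, and a build with OPENSSL_NO_HEARTBEATS is not exposed despite a VULNERABLE verdict, so the port revision (the _N suffix pkg_info shows) is the authoritative signal on FreeBSD.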
 
mmaxx,

Thanks for putting this up here.

My server was compromised last week; almost a million emails were in the queue. It took me some time to fix that, then I delved deeper, and the only explanation I could find was the Heartbleed vulnerability, which is now fixed per your instructions. Thanks again!
 
the only explanation I could find was the heartbleed vulnerability, which is now fixed per your instructions, thanks again!
I suppose it's possible that the spammer was able to send spam through your server because he used the heartbleed vulnerability to find one of your email passwords. But it's quite doubtful. While the heartbleed vulnerability can be very dangerous, it's very hard to exploit, and there's not yet any proof in the wild it's been exploited by any malicious party.

You should check your logs to see if the outgoing spam was through an authorized SMTP login. If so, you need to make sure the email password that was compromised has been reset. If not, then find the cause and update/remove/fix the compromised code.

But don't just presume it's Heartbleed without a specific reason. The assumption could cause you to miss the real cause.

Jeff
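The log check Jeff describes, as an added example that is not part of the thread: it assumes Exim's mainlog format, where every accepted message is a "<=" line and an authenticated submission carries an A=<authenticator>:<login> field plus the client address in square brackets. The log lines it runs over are constructed for the example; adapt the field parsing for another MTA.

```shell
#!/bin/sh
# Added example (not from the thread): tie a burst of outbound mail to the SMTP
# login that submitted it. Assumes Exim's mainlog format, where an accepted
# message is a "<=" line and an authenticated submission carries
# "A=<authenticator>:<login>" plus the client address in square brackets.

# Constructed sample lines (not real log data), written to a temp file so the
# functions below take a path just as they would with a real mainlog.
SAMPLE_LOG=$(mktemp "${TMPDIR:-/tmp}/exim-sample.XXXXXX")
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
2014-04-10 03:12:01 1WXa1b-0004Ab-7Q <= bob@example.net H=(mail.example.net) [203.0.113.9] P=esmtpsa X=TLSv1:AES128-SHA:128 A=dovecot_login:bob@example.net S=2301
2014-04-10 03:12:02 1WXa1c-0004Ac-Kp <= promo@cheap.example H=([198.51.100.77]) [198.51.100.77] P=esmtpa A=dovecot_login:alice@example.net S=8120
2014-04-10 03:12:02 1WXa1d-0004Ad-Lq <= promo@cheap.example H=([198.51.100.77]) [198.51.100.77] P=esmtpa A=dovecot_login:alice@example.net S=8120
2014-04-10 03:12:03 1WXa1e-0004Ae-Mr <= promo@cheap.example H=([198.51.100.78]) [198.51.100.78] P=esmtpa A=dovecot_login:alice@example.net S=8120
2014-04-10 03:12:05 1WXa1f-0004Af-Ns <= root@localhost U=root P=local S=512
2014-04-10 03:12:07 1WXa1g-0004Ag-Ot <= news@other.example H=mx.other.example [192.0.2.4] P=esmtps X=TLSv1:AES256-SHA:256 S=3000
EOF

# For every authenticated submission in mainlog "$1", print
# "<messages> <distinct client IPs> <login>", busiest login first. Inbound
# mail and local submissions (no A= field) are ignored on purpose.
auth_senders() {
    awk '
        $4 == "<=" {
            user = ""; ip = ""
            for (i = 5; i <= NF; i++) {
                if ($i ~ /^A=/) { sub(/^A=[^:]*:/, "", $i); user = $i }
                else if ($i ~ /^\[.*\]$/) { ip = substr($i, 2, length($i) - 2) }
            }
            if (user != "") {
                msgs[user]++
                if (!((user, ip) in seen)) { seen[user, ip] = 1; ips[user]++ }
            }
        }
        END { for (u in msgs) print msgs[u], ips[u], u }
    ' "$1" | sort -rn
}

# Logins that submitted more than "$2" messages: reset those passwords and
# check whether the sending IPs are ones the real user would plausibly use.
suspect_logins() {
    auth_senders "$1" | awk -v max="$2" '$1 > max { print $3 }'
}

auth_senders "$SAMPLE_LOG"
suspect_logins "$SAMPLE_LOG" 2
```

On the sample the busiest login is alice@example.net with three messages from two client addresses and an envelope sender that is not hers, which is the pattern of a stolen password rather than a compromised script; a web-shell or injected PHP mailer shows up instead as local submissions (P=local, U=<web user>) with no A= field, which is the "find the cause and fix the code" branch of Jeff's advice.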
 
But don't just presume it's Heartbleed without a specific reason. The assumption could cause you to miss the real cause.

Thanks Jeff, point taken.

I took all other precautions re the compromised email account, and after I cleaned up everything there I was left with one question: "how was the password compromised?"

Only thing I could then find was heartbleed.

Looking back now, no more spam is sent over my email, but it's hard to tell why not, because of all the measures taken at the same time.

And like they say, "assumption is the mother of all f* ups", so rather than assume anything, I just closed all holes and suspended the account, closed 587 and made impossible passwords. Fast forward 3 days and all is stable, with no more trouble except the usual brute force attacks on accounts.

thanks again!
 