
Exploit in SSLv2 - update OpenSSL

Discussion in 'Official Announcements' started by custer, Mar 2, 2016.

  1. custer

    custer Administrator Staff Member

    Hi everyone,

    A new vulnerability was found in SSLv2. It is strongly recommended to update OpenSSL on your servers immediately.

    https://www.openssl.org/news/secadv/20160301.txt:

    A cross-protocol attack was discovered that could lead to decryption of TLS sessions by using a server supporting SSLv2 and EXPORT cipher suites as a Bleichenbacher RSA padding oracle. Note that traffic between clients and non-vulnerable servers can be decrypted provided another server supporting SSLv2 and EXPORT ciphers (even with a different protocol such as SMTP, IMAP or POP) shares the RSA keys of the non-vulnerable server. This vulnerability is known as DROWN (CVE-2016-0800).

    Recovering one session key requires the attacker to perform approximately 2^50 computation, as well as thousands of connections to the affected server. A more efficient variant of the DROWN attack exists against unpatched OpenSSL servers using versions that predate 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf released on 19/Mar/2015 (see CVE-2016-0703 below).

    Mitigation factors:
    https://access.redhat.com/security/vulnerabilities/drown
    • SSL/TLS connections using non-RSA key exchange, such as Diffie-Hellman (DH) or Elliptic Curve Diffie-Hellman (ECDH), can not be decrypted using the DROWN attack.
    • Modern SSL/TLS clients support ECDH and DH.
    Solution:
    • Update OpenSSL 1.0.2 to 1.0.2g.
    • Update OpenSSL 1.0.1 to 1.0.1s.
    References:
  2. Imad S

    Imad S New Pleskian

    Thanks for the cautionary note. Could you please tell us how to update openssl to 1.0.1s? I have a couple of servers running CentOS 6 and Plesk 12, but none of them show the update; at most I see 1.0.1e as the latest version.
    I've checked epel and rpmforge repos as well as the CentOS base repo.

    My DC has given me 72 hours to rectify the issue otherwise they'll take the server down, your help will be greatly appreciated.
  3. IgorG

    IgorG Forums Analyst Staff Member

    If you run

    # yum update openssl

    you will see an update with the same package version, but all necessary security patches are included in it. This is a known Red Hat policy: package versions are not changed for patched packages.

    Also, as a possible (but maybe not better) solution, you can update it from source with the steps below. But note that you should then update this installation from source in the same manner each time a new update is released.

    1. Install all necessary devel packages:

    # yum install make gcc glibc-devel zlib-devel

    2. Install the latest openssl:

    # cd /usr/src
    # wget http://www.openssl.org/source/openssl-1.0.1s.tar.gz
    # tar -zxf openssl-1.0.1s.tar.gz
    # cd openssl-1.0.1s
    # ./config
    # make
    # make test
    # make install

    3. Remove the old version and link the new one:

    # mv /usr/bin/openssl /root/
    # ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl

    4. Check your new openssl version:

    # openssl version
    OpenSSL 1.0.1s 1 Mar 2016
    Last edited: Mar 3, 2016
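The thread's two checks (the upstream fixed releases 1.0.2g/1.0.1s from the advisory, and the distro caveat that Red Hat and Canonical patch without bumping the version number) can be combined into a small verification script. This is an added example, not code from the thread or from Plesk; the sample banners are constructed from version strings quoted in the posts, and the function name banner_proves_fixed is mine.

```python
"""Decide whether an `openssl version` banner proves the DROWN fix is present."""
import re
import subprocess

# Upstream releases named in the advisory's solution list: 1.0.2g and 1.0.1s.
FIXED_UPSTREAM = {(1, 0, 2): "g", (1, 0, 1): "s"}

_BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_banner(banner):
    """'OpenSSL 1.0.1e-fips 11 Feb 2013' -> ((1, 0, 1), 'e'); None if unrecognised."""
    m = _BANNER_RE.search(banner)
    if not m:
        return None
    return tuple(int(x) for x in m.group(1, 2, 3)), m.group(4)


def banner_proves_fixed(banner):
    """True only when the upstream version number itself is at or past the fixed
    release.  False means 'not proven', not 'vulnerable': Red Hat and Canonical
    backport the fix without changing the version (1.0.1e-fips, 1.0.1f-1ubuntu2.18
    in this thread), so a False result must be followed by `yum update openssl` /
    `apt-get upgrade` and a look at the vendor advisory, as the posts describe."""
    parsed = parse_banner(banner)
    if parsed is None:
        raise ValueError("unrecognised OpenSSL banner: %r" % (banner,))
    branch, letter = parsed
    if branch > (1, 0, 2):
        return True   # 1.1.0 and later removed SSLv2 entirely
    needed = FIXED_UPSTREAM.get(branch)
    if needed is None:
        return False  # 1.0.0 / 0.9.8: not in the advisory's solution list
    # Letter releases sort lexically: '' < 'a' < ... < 'e' < ... < 's'.
    return letter >= needed


def local_banner():
    """Banner of the openssl binary on PATH (not used by the constructed samples)."""
    return subprocess.check_output(["openssl", "version"]).decode()


if __name__ == "__main__":
    # Constructed samples, built from banners quoted in the thread.
    for sample in ("OpenSSL 1.0.1e-fips 11 Feb 2013",   # CentOS 6 stock build
                   "OpenSSL 1.0.1f 6 Jan 2014",         # Ubuntu 14.04 stock build
                   "OpenSSL 1.0.1s 1 Mar 2016",         # built from source as above
                   "OpenSSL 1.0.2g 1 Mar 2016"):
        print("%-35s proven fixed: %s" % (sample, banner_proves_fixed(sample)))
```

The two stock distro banners come back False even on a patched box, which is exactly the "same package version" situation IgorG describes; only the package manager or the vendor advisory can settle those.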
  4. Bob McKay

    Bob McKay New Pleskian

    Can you tell us how to update this on Plesk for Windows too? Thanks!
  5. custer

    custer Administrator Staff Member

    Hi Bob,

    Plesk itself and all customer websites are hosted via IIS, which does not use OpenSSL and is not affected by this SSLv2 vulnerability. So no worries for you. :)
  6. Bob McKay

    Bob McKay New Pleskian

    Hi Custer,
    I thought it installed Apache as well? I only ask because all of the SSL sites I've tested are showing as vulnerable on https://test.drownattack.com.
  7. Franco

    Franco Basic Pleskian

    Hi,
    In my case (Plesk 12.5, CentOS 6.7) the openssl version is OpenSSL 1.0.1e-fips 11 Feb 2013, and yum update does not find anything to update. Is there a repository to set, and how, please?
  8. Kingsley

    Kingsley Regular Pleskian

    Hello

    Anyone for Ubuntu users?
  9. custer

    custer Administrator Staff Member

    I don't know how exactly this scanner works, so it's difficult to comment. This scanner might simply detect if a website responds via SSLv2, and IIS might indeed be responding -- but this does not mean that the website is actually vulnerable. If you want to feel 100% safe, you can try configuring IIS directly and turning off the unnecessary protocols. This can be done, for example, with the following 3rd party tool: https://www.nartac.com/Products/IISCrypto.

    Disclaimer: if you decide to turn off SSLv2 via the tool I've mentioned above or a similar tool, please be very careful, otherwise you might encounter unknown / unwanted side-effects (like RDP not working, etc).

    Hope this helps, Bob.
  10. trialotto

    trialotto Golden Pleskian Plesk Guru

    @custer,

    Can you indicate the vulnerability of

    - Ubuntu 14.04.2 LTS
    - Ubuntu 14.04.3 LTS
    - Ubuntu 14.04.4 LTS

    to DROWN (CVE-2016-0800)?

    I did some tests, being

    - online tests via https://test.drownattack.com
    - server-side scanning via command line utility, see https://github.com/nimia/public_drown_scanner

    and at least the following applies

    1 - Plesk on an Ubuntu 14.04.4 LTS is barely vulnerable,
    2 - improving firewall rules (read: blocking certain ports) does decrease the attack surface and thereby the vulnerability,
    3 - openssl package 1.0.1f-1ubuntu2.18 does not seem to be associated with vulnerabilities.

    It seems to be the case that an update to openssl 1.0.1s is not really required on Ubuntu; it is required to do a

    apt-get update
    apt-get upgrade

    and can you confirm that?

    Regards.....
  11. trialotto

    trialotto Golden Pleskian Plesk Guru

    @custer and @everyone,

    NOTE: Ubuntu 12.04 and higher are not affected by CVE-2016-0800 if the openssl package is installed (the package is compiled with the no-ssl2 flag).

    REMARK: earlier conclusions confirmed by Canonical.

    Hope this helps.

    Regards....
  13. trialotto

    trialotto Golden Pleskian Plesk Guru

    @custer,

    I do not know how much influence Plesk Team has over the rootkit hunter package, but it gives a false negative when checking for OpenSSL versions on Ubuntu.

    It is just a hint, maybe you can do something about the false negative, but I suppose that that is not the case.

    Regards....
  14. Michael Howarth

    Michael Howarth New Pleskian


    Hi,

    I followed Igor's instructions here, which worked perfectly; however, at the very last step, when I type # openssl version, I get the response -bash: openssl: command not found.

    I am in the directory /usr/srv/openssl1-1.0.1s when typing the command.

    I'm fairly sure the process has worked; scrolling back through the install process, everything looks like it's checking out okay, but I can't be sure until I get a positive result by doing a version check.

    Can anyone explain why the version command might not be working for me?
  15. Michael Howarth

    Michael Howarth New Pleskian

    Fixed.

    It was a typo in the symbolic link.