• If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
    CentOS2Alma discussion

Exploit in SSLv2 - update OpenSSL

custer

custer

Administrator
Staff member
Hi everyone,

A new vulnerability was found in SSLv2. It is strongly recommended to update OpenSSL on your servers immediately.

https://www.openssl.org/news/secadv/20160301.txt:

A cross-protocol attack was discovered that could lead to decryption of TLS sessions by using a server supporting SSLv2 and EXPORT cipher suites as a Bleichenbacher RSA padding oracle. Note that traffic between clients and non-vulnerable servers can be decrypted provided another server supporting SSLv2 and EXPORT ciphers (even with a different protocol such as SMTP, IMAP or POP) shares the RSA keys of the non-vulnerable server. This vulnerability is known as DROWN (CVE-2016-0800).

Recovering one session key requires the attacker to perform approximately 2^50 computation, as well as thousands of connections to the affected server. A more efficient variant of the DROWN attack exists against unpatched OpenSSL servers using versions that predate 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf released on
19/Mar/2015 (see CVE-2016-0703 below).

Mitigation factors:
https://access.redhat.com/security/vulnerabilities/drown
  • SSL/TLS connections using non-RSA key exchange, such as Diffie-Hellman (DH) or Elliptic Curve Diffie-Hellman (ECDH), can not be decrypted using the DROWN attack.
  • Modern SSL/TLS clients support ECDH and DH.
Solution:
  • Update OpenSSL 1.0.2 to 1.0.2g.
  • Update OpenSSL 1.0.1 to 1.0.1s.
References:
 
Thanks for the cautionary note, could you please tell us how to update openssl to 1.0.1s? I have a couple of servers running centos 6 and Plesk 12 but none of them show the update, at most I see 1.0.1e as the latest version.
I've checked epel and rpmforge repos as well as the CentOS base repo.

My DC has given me 72 hours to rectify the issue otherwise they'll take the server down, your help will be greatly appreciated.
 
Imad S said:
how to update openssl to 1.0.1s?
Click to expand...
If you run

# yum update openssl

you will see update with the same package version, but all necessary security patches are included there. It is known Red Hat policy - do not change package versions for patched packages.

Also, as a possible (but maybe not better) solution you can update it from source with steps below. But note that you should update this installation from source with the same manner each time when the new update will be released.

1. Install all necessary devel packages:

# yum install make gcc glibc-devel zlib-devel

2. Install latest openssl:

# cd /usr/src
# wget http://www.openssl.org/source/openssl-1.0.1s.tar.gz
# tar -zxf openssl-1.0.1s.tar.gz
# cd openssl-1.0.1s
# ./config
# make
# make test
# make install

3. Remove old version and link new:

# mv /usr/bin/openssl /root/
# ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl

4. Check your new openssl version:

# openssl version
OpenSSL 1.0.1s 1 Mar 2016
 
Last edited:
Hi Bob,

Plesk itself and all customer websites are hosted via IIS, which does not use OpenSSL and is not affected by this SSLv2 vulnerability. So no worries for you. :)
 
Hi,
in my case (Plesk 12.5, Centos 6.7) the openssl version is OpenSSL 1.0.1e-fips 11 Feb 2013 and yum update does not find anything to update. Is there a repository to set and how, please?
 
IgorG said:
If you run

# yum update openssl

you will see update with the same package version, but all necessary security patches are included there. It is known Red Hat policy - do not change package versions for patched packages.

Also, as a possible (but maybe not better) solution you can update it from source with steps below. But note that you should update this installation from source with the same manner each time when the new update will be released.

1. Install all necessary devel packages:

# yum install make gcc glibc-devel zlib-devel

2. Install latest openssl:

# cd /usr/src
# wget http://www.openssl.org/source/openssl-1.0.1s.tar.gz
# tar -zxf openssl-1.0.1s.tar.gz
# cd openssl-1.0.1s
# ./config
# make
# make test
# make install

3. Remove old version and link new:

# mv /usr/bin/openssl /root/
# ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl

4. Check your new openssl version:

# openssl version
OpenSSL 1.0.1s 1 Mar 2016
Click to expand...

Hello

Anyone for ubuntu users?
 
Bob McKay said:
Hi Custer,
I thought it installed Apache as well? I only ask because all of my SSL sites I've tested are showing as vulnerable on https://test.drownattack.com.
Click to expand...

I don't know how exactly this scanner works, so it's difficult to comment. This scanner might simply detect if a website responds via SSLv2, and IIS might indeed be responding -- but this does not mean that the website is actually vulnerable. If you want to feel 100% safe, you can try configuring IIS directly and turning off the unnecessary protocols. This can be done, for example, with the following 3rd party tool: https://www.nartac.com/Products/IISCrypto.

Disclaimer: if you decide to turn off SSLv2 via the tool I've mentioned above or a similar tool, please be very careful, otherwise you might encounter unknown / unwanted side-effects (like RDP not working, etc).

Hope this helps, Bob.
 
@custer,

Can you indicate the vulnerability of

- Ubuntu 14.04.2 LTS
- Ubuntu 14.04.3 LTS
- Ubuntu 14.04.4 LTS

to DROWN (CVE-2016-0800).

I did some tests, being

- online tests via https://test.drownattack.com
- server-side scanning via command line utility, see https://github.com/nimia/public_drown_scanner

and at least the following applies

1 - Plesk on a Ubuntu 14.04.4 LTS is barely vulnerable,
2 - improving firewall rules (read: blocking certain ports) does decrease the attack surface and there the vulnerability,
3 - openssl package 1.0.1f-1ubuntu2.18 does not seem to be associated with vulnerabilities.

It seems to be the case that an update to openssl 1.0.1s is not really required on Ubuntu, it is required to do a

apt-get update
apt-get upgrade

and can you confirm that?

Regards.....
 
@custer and @everyone,

NOTE: Ubuntu 12.04 and higher are not affected by CVE-2016-0800, if openssl package is installed (the package is compiled with no-ssl2 flag).

REMARK: earlier conclusions confirmed by Canonical.

Hope this helps.

Regards....
 
@custer,

I do not know how much influence Plesk Team has over the rootkit hunter package, but it gives a false negative when checking for OpenSSL versions on Ubuntu.

It is just a hint, maybe you can do something about the false negative, but I suppose that that is not the case.

Regards....
 
IgorG said:
If you run

# yum update openssl

you will see update with the same package version, but all necessary security patches are included there. It is known Red Hat policy - do not change package versions for patched packages.

Also, as a possible (but maybe not better) solution you can update it from source with steps below. But note that you should update this installation from source with the same manner each time when the new update will be released.

1. Install all necessary devel packages:

# yum install make gcc glibc-devel zlib-devel

2. Install latest openssl:

# cd /usr/src
# wget http://www.openssl.org/source/openssl-1.0.1s.tar.gz
# tar -zxf openssl-1.0.1s.tar.gz
# cd openssl-1.0.1s
# ./config
# make
# make test
# make install

3. Remove old version and link new:

# mv /usr/bin/openssl /root/
# ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl

4. Check your new openssl version:

# openssl version
OpenSSL 1.0.1s 1 Mar 2016
Click to expand...


Hi,

I followed Igor's instructions here which worked perfectly, however at the very last step when I type # openssl version, I get the response -bash: openssl: command not found.

I am in the directory /usr/srv/openssl1-1.0.1s when typing the command.

I'm fairly sure the process has worked, scrolling back through the install process, everything looks like it's checking out okay, but I can't be sure until I get a positive result by doing a version check.

Can anyone explain why the version command might not be working for me?
 
Michael Howarth said:
Hi,

I followed Igor's instructions here which worked perfectly, however at the very last step when I type # openssl version, I get the response -bash: openssl: command not found.

I am in the directory /usr/srv/openssl1-1.0.1s when typing the command.

I'm fairly sure the process has worked, scrolling back through the install process, everything looks like it's checking out okay, but I can't be sure until I get a positive result by doing a version check.

Can anyone explain why the version command might not be working for me?
Click to expand...

Fixed.

It was a typo in the symbolic link.
 
You must log in or register to reply here.

Similar threads

elaa
Issue how can i fix those problems
Replies
1
Views
4K
Martin Dias
Martin Dias
elaa
Question how can i Deploy (Ephemeral) Elliptic-Curve Diffie-Hellman or usea 2048-bit or stronger Diffie-Hellm
Replies
0
Views
2K
elaa
elaa
Epic Voyage
Issue PHP imap_open + ADDTrust External CA Root Expiration
Replies
1
Views
2K
Epic Voyage
Epic Voyage
Mark12345
Resolved Failed SSL Report - Disable SSL v2 and v3???
Replies
6
Views
4K
Mark12345
Mark12345
Edward Dekker
  • Poll
Input Make your server more PCI compliant and update your TLS/Ciphersuites
Replies
2
Views
2K
Edward Dekker
Edward Dekker
Back
Top