Patch OpenSSL on CentOS Against CCS Injection

What is OpenSSL?

OpenSSL is a common cryptographic library which provides encryption, specifically SSL/TLS, for popular applications such as Apache (web), MySQL (database), e-mail, virtual private networks (VPNs), and more.

What is “the CCS Injection Vulnerability”?

The ChangeCipherSpec (CCS) Injection Vulnerability is a moderately severe vulnerability in OpenSSL, known formally as “SSL/TLS MITM vulnerability (CVE-2014-0224)“. As of June 05, 2014, a security advisory was released by OpenSSL.org, along with versions of OpenSSL that fix this vulnerability.

This vulnerability is likely not as severe as the Heartbleed Bug. In some circumstances, this flaw allows an attacker to conduct a man-in-the-middle attack on servers running vulnerable versions of OpenSSL. The attacker would be required to intercept and alter network traffic, and do so in real time, to exploit the flaw; in that case, the attacker could potentially view and/or modify the otherwise secured traffic.

• Update OpenSSL and reboot your server immediately.
• After the server has been rebooted, change all passwords associated with the server.

• These instructions are intended for patching OpenSSL on CentOS 6 against the “SSL/TLS MITM vulnerability (CVE-2014-0224)“.
• I’ll be working from a Liquid Web Core Managed CentOS 6.5 server, and I’ll be logged in as root.

Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including 1.0.1g and 1.0.2-beta1.

You can view which version of OpenSSL is installed by running the following command:

yum info openssl

You should receive information similar to the following:

Installed Packages
Name : openssl
Arch : x86_64
Version : 1.0.1e
Release : 16.el6_5.7
Size : 4.0 M
Repo : installed

In this case, 1.0.1e 16.el6_5.7 is vulnerable, and we’ll want to patch the server.

You can also check the local changelog to verify whether OpenSSL is patched against the vulnerability with the following command:

rpm -q --changelog openssl | grep CVE-2014-0224

If a result is not returned, then you must patch OpenSSL.

It’s a matter of just running one command for installation via yum:

yum update openssl

You should receive output similar to the following:

--> Running transaction check
---> Package openssl-devel.x86_64 0:1.0.1e-16.el6_5.7 will be updated
---> Package openssl-devel.x86_64 0:1.0.1e-16.el6_5.14 will be an update
--> Finished Dependency Resolution

You’ll be asked to confirm the download and installation; simply enter y to confirm. Once this command is complete, OpenSSL will be installed and updated.

Again, just as in the Pre-Update Verification step, we’ll check the local changelog to verify whether OpenSSL is patched against the vulnerability:

rpm -q --changelog openssl | grep CVE-2014-0224

If your version of OpenSSL is now patched, then you’ll receive a result similar to:

- fix CVE-2014-0224 - SSL/TLS MITM vulnerability

It is also possible to verify the OpenSSL version with the following command:

openssl version -a

If your version of OpenSSL is now patched, then you’ll receive a result similar to:

OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Thu Jun 5 12:55:18 UTC 2014

…with a date of Thu Jun 5 12:55:18 UTC 2014 or newer.

At this point, all services using libssl MUST be restarted to complete the patching process. Or, it’s probably simpler and cleaner to just reboot the server. View a list of services using libssl with the following command:

lsof | grep -i libssl | grep DEL | awk '{print $1}' | sort | uniq

To reboot your server use the following command:

reboot now