Resolution for OpenSSL CCS Injection Vulnerability (CVE-2014-0224) in Red Hat Enterprise Linux

Environment

  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise Linux 6
  • Red Hat Enterprise Linux 5
  • Red Hat Enterprise Linux 4 (ELS)

Issue

  • How do I protect a Red Hat Enterprise Linux system against CVE-2014-0224?
  • How do I tell whether a Red Hat Enterprise Linux system is vulnerable to CVE-2014-0224?
  • How do I download and upgrade to the latest version of OpenSSL to make sure my system is not vulnerable to CVE-2014-0224 or Heartbleed?

Resolution

  • The vulnerability affects servers that accept connections using OpenSSL, and clients that use OpenSSL to connect to vulnerable servers.

  • To avoid exploitation of CVE-2014-0224, ensure that your system is updated to at least the following versions of OpenSSL:

RHSA-2014:0679

  • Red Hat Enterprise Linux 7 - openssl-1.0.1e-34.el7_0.3

RHSA-2014:0625

  • Red Hat Enterprise Linux 6 - openssl-1.0.1e-16.el6_5.14

RHSA-2014:0624

  • Red Hat Enterprise Linux 5 - openssl-0.9.8e-27.el5_10.3

RHSA-2014:0680

  • Red Hat Enterprise Linux 7 - openssl098e-0.9.8e-29.el7_0.2

RHSA-2014:0626

  • Red Hat Enterprise Linux 5 - openssl097a-0.9.7a-12.el5_10.1
  • Red Hat Enterprise Linux 6 - openssl098e-0.9.8e-18.el6_5.2

RHSA-2014:0627

  • Red Hat Enterprise Linux 4 Extended Lifecycle Support - openssl-0.9.7a-43.22.el4
  • Red Hat Enterprise Linux 5.6 Long Life - openssl-0.9.8e-12.el5_6.12
  • Red Hat Enterprise Linux 5.9 Extended Update Support - openssl-0.9.8e-26.el5_9.4
  • Red Hat Enterprise Linux 6.2 Advanced Update Support - openssl-1.0.0-20.el6_2.7
  • Red Hat Enterprise Linux 6.3 Extended Update Support - openssl-1.0.0-25.el6_3.3
  • Red Hat Enterprise Linux 6.4 Extended Update Support - openssl-1.0.0-27.el6_4.4

  • To update to the most recent version of the OpenSSL package, run the following command:

# yum update openssl

  • Specify the full package name to update to a particular build of OpenSSL. For example, to update the openssl098e compatibility package on a Red Hat Enterprise Linux 6.5 system to the build listed above, run:

# yum update openssl098e-0.9.8e-18.el6_5.2

  • The only way to fix the vulnerability is to install the updated OpenSSL packages and restart the affected services.
  • The safest and simplest way to do this is to reboot the system.

  • If the system cannot be rebooted, run the following command and then restart the affected services, since running processes keep using the old library until they are restarted:

/sbin/ldconfig

Root Cause

  • It was found that OpenSSL clients and servers could be forced, via a specially crafted handshake packet, to use weak keying material for communication. A man-in-the-middle attacker could use this flaw to decrypt and modify traffic between a client and a server.

  • For more information about this Vulnerability, refer to the following article:
    OpenSSL CCS Injection Vulnerability (CVE-2014-0224) Alert

Diagnostic Steps

  • To determine whether a system is affected by this vulnerability, review the installed version of OpenSSL:

# rpm -qa openssl
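The following script is an added example, not Red Hat's own tooling and not the Access Labs detector: it compares the installed package build against the fixed builds quoted in the RHSA list above, using the same digit/alpha segment ordering rpm applies, so the check can be scripted across a fleet. It assumes the installed NAME-VERSION-RELEASE comes from `rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'` for the openssl, openssl098e and openssl097a packages, and that the fixed build for each stream is the one listed in this solution.

```python
import re, subprocess

# Fixed builds quoted in the RHSA list above, keyed by package and dist tag.
# Keys with a minor (el5_6, el6_2 ...) are the EUS/AUS/Long Life streams from
# RHSA-2014:0627; bare el4..el7 keys are the main streams.
FIXED = {
    "openssl": {
        "el7": "1.0.1e-34.el7_0.3", "el6": "1.0.1e-16.el6_5.14",
        "el5": "0.9.8e-27.el5_10.3", "el4": "0.9.7a-43.22.el4",
        "el5_6": "0.9.8e-12.el5_6.12", "el5_9": "0.9.8e-26.el5_9.4",
        "el6_2": "1.0.0-20.el6_2.7", "el6_3": "1.0.0-25.el6_3.3", "el6_4": "1.0.0-27.el6_4.4",
    },
    "openssl098e": {"el7": "0.9.8e-29.el7_0.2", "el6": "0.9.8e-18.el6_5.2"},
    "openssl097a": {"el5": "0.9.7a-12.el5_10.1"},
}

def rpmvercmp(a, b):
    """Order two version or release strings like rpm does: split into digit and
    alpha runs, compare digit runs as integers and alpha runs as text, and treat
    a digit run as newer than an alpha run (tilde handling is omitted here)."""
    sa = re.findall(r"[0-9]+|[a-zA-Z]+", a)
    sb = re.findall(r"[0-9]+|[a-zA-Z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        key = int if x.isdigit() else str
        if key(x) != key(y):
            return 1 if key(x) > key(y) else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def is_fixed(nvr):
    """True if an installed NAME-VERSION-RELEASE is at or beyond the fixed build
    for its stream; raises KeyError for packages or dists not listed above."""
    name, version, release = nvr.rsplit("-", 2)
    base, minor = re.search(r"\.(el\d+)(_\d+)?", release).groups()
    fixed = FIXED[name].get(base + (minor or "")) or FIXED[name][base]
    fver, frel = fixed.split("-", 1)
    return (rpmvercmp(version, fver) or rpmvercmp(release, frel)) >= 0

def installed_openssl_nvrs():
    """Ask rpm which OpenSSL packages are present (compat packages included)."""
    out = subprocess.run(
        ["rpm", "-q", "--qf", "%{NAME}-%{VERSION}-%{RELEASE}\n",
         "openssl", "openssl098e", "openssl097a"],
        capture_output=True, text=True).stdout
    return [l for l in out.splitlines() if not l.endswith("is not installed")]

if __name__ == "__main__":
    for nvr in installed_openssl_nvrs():
        print(nvr, "fixed" if is_fixed(nvr) else "VULNERABLE: update and restart services")
```

A build reported as fixed still needs the affected services restarted (or a reboot) before the updated library is actually in use.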

Additionally, Red Hat Access Labs has released the CCS Injection Detector to help validate if your systems have been patched against this vulnerability.

Note: This vulnerability cannot be used to extract server or client side key material. This means that existing signed certificates do not need replacement once software is updated.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.