OpenSSL Security Advisory [5th September 2006]

eXite

Well-Known Member
May 16, 2003
50
2
158
cPanel Access Level
DataCenter Provider
This is just simply uncomprehendable, even after updating OpenSSL to the latest version (manually compiling) cPanel still tries to undo the changes. Look what happens when I recompile apache:

---

Warning !! openssl-devel has been modified... reinstalling....Setting up Install Process
Setting up repositories
Reading repository metadata in from local files
Excluding Packages in global exclude list
Finished
Parsing package install arguments
Resolving Dependencies
--> Populating transaction set with selected packages. Please wait.
---> Package openssl-devel.i586 0:0.9.7a-43.10 set to be updated
--> Running transaction check

Dependencies Resolved

=============================================================================
Package Arch Version Repository Size
=============================================================================
Installing:
openssl-devel i586 0.9.7a-43.10 base 1.6 M

---

What the **** is this? What kind of repo is CentOS using here...? The 2003 openssl version came straight out of Redhat 9, so this is just great.
 

eXite

Well-Known Member
May 16, 2003
50
2
158
cPanel Access Level
DataCenter Provider
Well I'm able to skip the openssl updating process by adding it to the exclude list in /etc/yum.conf, but still, it's rediculous that everybody is still using some ancient version by default...
 

Bdzzld

Well-Known Member
Apr 3, 2004
410
5
168
Hi Domenico,

I've read about this subject too on the Dutch WHT (I've another nick there).
Have you personally tried to "hack" into your own cPanel server without using a root password ? I believe cPanel is using an altered version of OpenSSL.

Regards.
 

driverC

Well-Known Member
Jul 23, 2004
112
0
166
On Red Hat distributions like Fedora, CentOS or Red Hat Enterprise the OpenSSL version number is not correct. That is because Red Hat is using a custom version of OpenSSL. Eventhough it appears to be old and insecure it is a new and safe version. If you update it manually you will **** things up and you may break dependencies. Red Hat doesn`t like custom versions of OpenSSL at all. For example after I did update OpenSSL manually attampts to update Apache failed completely. I had to copy the openssl file from another Red Hat server and add it to the new server. So I think/hope you can forget about OpenSSL not beeing safe. It is just because Red Hat distributions are using their own version of OpenSSL with an incorrent old version number as far as I understand it.
 
Last edited:

jamesbond

Well-Known Member
Oct 9, 2002
738
1
168
I don't think this has anything to with CPanel, openssl is updated by the OS.

I tried to update openssl with yum to openssl-0.9.7a-43.11 (the latest version it seems) on CentOS 4.3 and 4.4, but it says it has nothing to update.
 

Domenico

Well-Known Member
Aug 14, 2001
378
12
318
We know this has nothing to do with cPanel but all of our cPanel boxes have the same 'old' version;

openssl version
OpenSSL 0.9.7a Feb 19 2003

Upgrading to the latest version has no use since the daily cPanel update proces puts the old version back.

Can someone from the cPanel team please react? Nick?
 

eXite

Well-Known Member
May 16, 2003
50
2
158
cPanel Access Level
DataCenter Provider
Domenico said:
We know this has nothing to do with cPanel but all of our cPanel boxes have the same 'old' version;

openssl version
OpenSSL 0.9.7a Feb 19 2003

Upgrading to the latest version has no use since the daily cPanel update proces puts the old version back.

Can someone from the cPanel team please react? Nick?
Open /etc/yum.conf and add "OpenSSL*" to the exclude list. Then manually compile the new openssl version and you're good to go.
 

eXite

Well-Known Member
May 16, 2003
50
2
158
cPanel Access Level
DataCenter Provider
Wel nothing is corrupted here:

# openssl version
OpenSSL 0.9.8c 05 Sep 2006

# rpm -qa | grep openssl
openssl-0.9.7a-43.10

43.10, what the hell is that supposed to mean. How am I supposed to know how the patchlevel reflects vulnerability?
 

jamesbond

Well-Known Member
Oct 9, 2002
738
1
168
eXite said:
43.10, what the hell is that supposed to mean. How am I supposed to know how the patchlevel reflects vulnerability?
By reading the release info maybe and looking at the release date? I gave you a link to the centos archive, all the info you need is there. Ofcourse if you prefer to manually compile and update all your software then you're free to do so...
 

Domenico

Well-Known Member
Aug 14, 2001
378
12
318

teakwood

Active Member
Jul 8, 2006
26
0
151
Sydney
Domenico said:
~$ ssh [email protected]/ip -p22 -i id_dsa_badcert
That's your theory, I asked you to come and prove it. :D

Have you done it, or have you seen it done?

(Even if your imaginary attack worked, that line won't work against my servers anyway . . . :) )

I note yum has already updated OpenSSL on my CentOS 3 boxes, but not the CentOS 4 ones yet.

I don't see how cPanel has anything to do with the issue, you should be hitting the forums of your OS supplier.
 

mctDarren

Well-Known Member
Jan 6, 2004
665
4
168
New Jersey
cPanel Access Level
Root Administrator
This is a known exploit that is mentioned on the OpenSSL website:

opensssl.org said:
If an RSA key with exponent 3 is used it may be possible
to forge a PKCS #1 v1.5 signature signed by that key. Implementations
may incorrectly verify the certificate if they are not checking for
excess data in the RSA exponentiation result of the signature.

Since there are CAs using exponent 3 in wide use, and PKCS #1 v1.5 is
used in X.509 certificates, all software that uses OpenSSL to verify
X.509 certificates is potentially vulnerable, as well as any other use
of PKCS #1 v1.5. This includes software that uses OpenSSL for SSL or
TLS.

OpenSSL versions up to 0.9.7j and 0.9.8b are affected.
I sent out to my customers, should work for you too in RHEL/CentOS Env:
sent to my users said:
1. Login as root and enter these commands:
2. cd /usr/local/src at shell prompt.
3. rm -rf openssl*
4. wget http://www.openssl.org/source/openssl-0.9.8c.tar.gz
5. tar -zxvf openssl-0.9.8c.tar.gz
6. cd openssl*
7. ./config
8. make
9. make install

When it's done installing, do
openssl version
and make sure that your output is
OpenSSL 0.9.8c Sep 2006.
If not, contact support or log a ticket on the site.

Now we need to restart Apache and make sure that mod_ssl is using the latest version.
Do
/usr/local/apache/bin/apachectl stop
then
/usr/local/apache/bin/apachectl startssl.

Check to make sure your SSL on Apache is working on a site using an SSL certificate. NOT WHM or the cPanel PAGES.

::Added::
Now we need to add OpenSSL to the exclude list in yum.conf so that it doesn't get overwritten by the OS update during the nightly cPanel update:
1. Do
cd /etc

2. We need to edit yum.conf, do
pico yum.conf
or use your fav editor.

3. Change the "exclude=" line so that it has openssl* at the end. Don't forget there needs to be a space between each option on that line and include that asterik (*) on the end as well.

3a (added). You could also add mod_ssl to the exclude list if not their already, just in case this also causes an update of both.

4. Save and exit the editor, hit Ctrl-X and Y for pico users.
I believe that will protect against the exploit and keep it from reverting back to the older version...
 

teakwood

Active Member
Jul 8, 2006
26
0
151
Sydney
Can anyone tell me exactly how this bug can be used to attack a server?

Don't tell me what you've read. Don't tell me what your guess is. Tell me something you know.
 

mctDarren

Well-Known Member
Jan 6, 2004
665
4
168
New Jersey
cPanel Access Level
Root Administrator
Lol, "don't tell me what you've read"? I think most people have only read about this and haven't seen it used or tried to break in to a system using it. What's the hostility about with this issue? ;)

Openssl patched things because they were shown how a spoofed RSA gave someone root access to a server that was running the old version. Of course if you still use a root login to access your server then you should be perfectly fine. But if you're using Identity/Pubkey access it's disasterous. It means anyone using a spoofed key can access your server. My understanding is that it only works with keys with exponents of 3. But why bother taking a chance when you can upgrade without much trouble and avoid what might be a bad situation?

Anyway, people are right that this has nothing to do with cPanel other then the fact that on nightly update the /scripts/sysup run will probably overwrite your custom compile of the latest version with the patched version provided by your OS repos.