OpenSSL Security Advisory [5th September 2006]

Domenico

Well-Known Member
Aug 14, 2001
378
13
318
webtiva said:
Anyway, people are right that this has nothing to do with cPanel other than the fact that on nightly update the /scripts/sysup run will probably overwrite your custom compile of the latest version with the patched version provided by your OS repos.
I won't even react on some childish comments and I certainly don't have to prove anything. Please keep your head in the sand and keep quiet. Thank you! The proof you want is in the patch brought out! There is no need people like you know how to do this anyways. :D

webtiva, that's exactly my point. We are not stupid and know cPanel has nothing to do with it but since cPanel is hooked pretty tightly into the OS, upgrading it as you please will almost certainly break it (many stories on the net about this) so that's why I ask here about it.

I think cPanel needs to do something about this too or else stop breaking after people upgrade the OS themselves. You can't have both obviously.
 

mctDarren

Well-Known Member
Jan 6, 2004
662
6
168
New Jersey
cPanel Access Level
Root Administrator
Not saying anyone is stupid, wow - this thread is touchy for no reason. :D

The problem is that the only thing cPanel could do is advise you about it. They have nothing to fix. I certainly don't want them messing with my OS update configuration.

Anyway, didn't mean to offend anyone. Upgrade, don't, good luck either way!
 

teakwood

Active Member
Jul 8, 2006
26
0
151
Sydney
webtiva said:
Openssl patched things because they were shown how a spoofed RSA gave someone root access to a server that was running the old version.
No, no one showed any such thing. They patched it because Daniel Bleichenbacher described how it would be possible to forge signatures signed by RSA keys with the exponent of 3.

Here's some other useful tidbits from the advisories:

Because some CAs have exponent 3 in wide circulation, "all software that uses OpenSSL to verify X.509 certificates is potentially vulnerable"

Otherwise, "RSA keys with exponent 3 are not in common use".

Of course if you still use a root login to access your server then you should be perfectly fine. But if you're using Identity/Pubkey access it's disastrous.
What I'm looking for is someone to show me the relationship between X.509 certificates and key-based access. Or the relationship between SSL and SSH. There's a lot of assumptions being made, I'd like to know the reality. :)
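The exponent-3 signature forgery teakwood refers to works against a verifier that accepts a padded signature block without requiring it to match the single valid PKCS#1 v1.5 encoding byte for byte. The Python below is an added example, not code from OpenSSL or from anyone in this thread: it contrasts a lax padding check with the strict one on constructed blocks, with no RSA key material involved. The function names, the SHA-1 DigestInfo prefix and the 1024-bit block size are assumptions chosen for illustration.

```python
import hashlib
import hmac

# DER prefix of the SHA-1 DigestInfo structure from PKCS#1 v1.5 (RFC 3447, section 9.2, note 1).
SHA1_DIGESTINFO_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")


def build_em(digest: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of a SHA-1 digest for a k-byte modulus:
    0x00 || 0x01 || PS || 0x00 || DigestInfo, where PS is 0xFF bytes filling the block."""
    t = SHA1_DIGESTINFO_PREFIX + digest
    ps_len = k - len(t) - 3
    if ps_len < 8:
        raise ValueError("modulus too small for this DigestInfo")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t


def lax_verify(em: bytes, digest: bytes) -> bool:
    """Parses the padding left to right and stops once the DigestInfo has been
    matched, never checking that it fills the rest of the block.  Bytes after
    the DigestInfo are ignored, so the block has many accepted forms instead
    of exactly one; that slack is what the e=3 forgery relies on."""
    if len(em) < 11 or em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i - 2 < 8 or i >= len(em) or em[i] != 0x00:
        return False
    i += 1
    t = SHA1_DIGESTINFO_PREFIX + digest
    return em[i:i + len(t)] == t


def strict_verify(em: bytes, digest: bytes, k: int) -> bool:
    """The check a fixed verifier enforces: the decoded block must equal the
    one and only valid encoding for this digest and modulus size."""
    if len(em) != k:
        return False
    return hmac.compare_digest(em, build_em(digest, k))


def demo() -> dict:
    """Constructed inputs: a correct block, and a block whose DigestInfo sits
    early with filler behind it.  Shows only what each verifier accepts once
    the public-key operation has been undone."""
    k = 128  # 1024-bit modulus (assumed size)
    digest = hashlib.sha1(b"constructed message").digest()
    good = build_em(digest, k)
    short = b"\x00\x01" + b"\xff" * 8 + b"\x00" + SHA1_DIGESTINFO_PREFIX + digest
    malformed = short + b"\x00" * (k - len(short))  # trailing bytes lax_verify never inspects
    return {
        "good_lax": lax_verify(good, digest),
        "good_strict": strict_verify(good, digest, k),
        "malformed_lax": lax_verify(malformed, digest),
        "malformed_strict": strict_verify(malformed, digest, k),
    }


if __name__ == "__main__":
    print(demo())
```

The strict form is also the simpler one to audit: rebuild the only acceptable block and compare, rather than walking the bytes and hoping every field was checked.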
 

Bdzzld

Well-Known Member
Apr 3, 2004
412
5
168
Hi,

My cPanel servers were automatically upgraded by upcp to version 0.9.7a-43.11 tonight, which seems to have solved the vulnerability.

Code:
[email protected] [~]# rpm -qa openssl
openssl-0.9.7a-43.11
openssl-0.9.7a-43.11
(double values because they're x86_64)

Regards.
 

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
13,453
31
473
Go on, have a guess
As webtiva has been saying - this has nothing to do with cPanel and isn't their responsibility to do anything. If you're on a supported OS then openssl has been patched by now (i.e. RHE, CentOS). If you're on an unsupported OS (e.g. anything less than FC5 or older than RHEv3) then you'll have to either look for a patched openssl rpm from FedoraLegacy or update from source. That's your responsibility as (1) the server administrator, and (2) for running an old unsupported OS.
 

netlook

Well-Known Member
Mar 25, 2004
334
0
166
Bdzzld said:
Hi,

My cPanel servers were automatically upgraded by upcp to version 0.9.7a-43.11 tonight, which seems to have solved the vulnerability.

Code:
[email protected] [~]# rpm -qa openssl
openssl-0.9.7a-43.11
openssl-0.9.7a-43.11
(double values because they're x86_64)

Regards.

How do you know that openssl-0.9.7a-43.11 is safe?
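One way to script the check Bdzzld ran by hand and that netlook asks about: parse what rpm reports and compare it against the release named in this thread. This Python is an added example, not cPanel's or the distribution's own tooling. The rpm -qa lines are constructed to match Bdzzld's output, the comparison is a simplified re-implementation of rpm's segment ordering (tilde handling left out), and 0.9.7a-43.11 is the threshold taken from this thread rather than verified independently here. A backported fix can ship without bumping the upstream version string, so the distribution's errata or rpm -q --changelog openssl remains the authoritative answer; this script only tells you whether you are at or past a release you already trust.

```python
import re

# Split a version or release string into runs of digits and runs of letters,
# the same segmentation rpm uses when ordering packages.
_SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+")


def rpm_vercmp(a: str, b: str) -> int:
    """Simplified rpm ordering: numeric segments compare numerically, alphabetic
    ones lexically, a numeric segment beats an alphabetic one, and when all
    shared segments match the string with segments left over is newer."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif xd != yd:
            return 1 if xd else -1
        elif x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1


def parse_rpm_qa(output: str):
    """Yield (name, version, release) from lines like openssl-0.9.7a-43.11.
    Multilib hosts list the same package once per architecture, so exact
    duplicates are collapsed."""
    seen = set()
    for line in output.splitlines():
        m = re.fullmatch(r"(.+)-([^-]+)-([^-]+)", line.strip())
        if not m:
            continue
        nvr = m.groups()
        if nvr not in seen:
            seen.add(nvr)
            yield nvr


def at_least(version: str, release: str, min_version: str, min_release: str) -> bool:
    """True when version-release is the same as or newer than the minimum."""
    c = rpm_vercmp(version, min_version)
    if c != 0:
        return c > 0
    return rpm_vercmp(release, min_release) >= 0


def openssl_status(rpm_output: str, min_version: str = "0.9.7a", min_release: str = "43.11") -> dict:
    """Map each installed openssl package to whether it meets the threshold
    (defaults are the release Bdzzld reported in this thread)."""
    return {
        f"{n}-{v}-{r}": at_least(v, r, min_version, min_release)
        for n, v, r in parse_rpm_qa(rpm_output)
    }


if __name__ == "__main__":
    # Constructed stand-in for `rpm -qa openssl` on an x86_64 host.
    sample = "openssl-0.9.7a-43.11\nopenssl-0.9.7a-43.11\n"
    print(openssl_status(sample))
```

Run it with the real output piped in (rpm -qa openssl | python3 check.py, after adapting the main block to read stdin) on each host, and treat a False as "go read the errata", not as proof either way.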
 

mctDarren

Well-Known Member
Jan 6, 2004
662
6
168
New Jersey
cPanel Access Level
Root Administrator
teakwood said:
What I'm looking for is someone to show me the relationship between X.509 certificates and key-based access. Or the relationship between SSL and SSH. There's a lot of assumptions being made, I'd like to know the reality. :)
I would have sworn I had read where someone had done so. Going back, I see now that at the end of the advisory from openssl.org they thank a couple of people who "successfully forged various certificates, showing OpenSSL was vulnerable", so you're right - I read that and made the assumption.
 

eXite

Well-Known Member
May 16, 2003
50
2
158
cPanel Access Level
DataCenter Provider
I've actually done so. I got my hands on the certificate mentioned in the post by domenico and was able to login to three random servers. This is serious, and what makes it so serious is the fact that anyone with a screen and a keyboard is able to crack your systems in an instant.
 

Bdzzld

Well-Known Member
Apr 3, 2004
412
5
168
Hi eXite,

Did you upgrade OpenSSL to openssl-0.9.7a-43.11 and were the attempts still successful afterwards?

Regards.
 

teddyb

Active Member
Jul 9, 2006
30
0
156
webtiva said:
This is a known exploit that is mentioned on the OpenSSL website:



I sent out to my customers, should work for you too in RHEL/CentOS Env:


I believe that will protect against the exploit and keep it from reverting back to the older version...
I don't think this is advisable and I'll tell you why. A few years ago we updated OpenSSL manually based on a post at the EV1 forums. The upgrade was successful, however when we went to upgrade Apache a few weeks later we found that the upgrade to Apache failed miserably and prevented us from upgrading to the Apache released by cPanel.

We ended up having to undo the OpenSSL installation in order to upgrade Apache. Once we did that the upgrade via easyapache completed successfully.

So if you're doing a manual update, you should make sure that your listed upgrade for OpenSSL lets you upgrade Apache using easyapache when the next one is available.

With that said, what is cPanel doing about this? Are they doing something to include an OpenSSL upgrade or are they just going to let this issue drag on? Also you mentioned yum. What about up2date? How does the exclude list work with up2date?
 

teddyb

Active Member
Jul 9, 2006
30
0
156
What is the word on this from cPanel? Have they upgraded OpenSSL for easyapache yet? :rolleyes:
 

teakwood

Active Member
Jul 8, 2006
26
0
151
Sydney
teddyb said:
What is the word on this from cPanel? Have they upgraded OpenSSL for easyapache yet? :rolleyes:
Upgrading OpenSSL is an OS issue, not a cPanel issue.

My CentOS 3 and 4 machines all updated as soon as CentOS released their patch.
 

teddyb

Active Member
Jul 9, 2006
30
0
156
teakwood said:
Upgrading OpenSSL is an OS issue, not a cPanel issue.

My CentOS 3 and 4 machines all updated as soon as CentOS released their patch.
Yes, I know that, but did you read my previous message? Upgrading OpenSSL will render your upgrade to the next Apache version, whatever RH releases, say 1.3.9, useless. Just watch and see.
 

mctDarren

Well-Known Member
Jan 6, 2004
662
6
168
New Jersey
cPanel Access Level
Root Administrator
teddyb said:
So if you're doing a manual update, you should make sure that your listed upgrade for OpenSSL lets you upgrade Apache using easyapache when the next one is available.
Thanks for the heads up on this - will watch for this problem. :D

As an aside, as teakwood said, the version provided by CentOS might not show a new version number but it is patched against the problem. Not that hard to remove and install the CentOS RPM before re-compiling Apache. (Especially for those of us that do it without easyapache anyway) :)