How to Keep OpenSSL Updated in an Enterprise Environment

Outdated systems can leave us vulnerable to bad actors. Zero-day exploits are common with just about every system that exists. If we do not upgrade regularly, we leave ourselves at the mercy of black-hat hackers who regularly take advantage of any out-of-date application they can find. This is equally true with OpenSSL as with anything else.

The well-known Heartbleed bug allows malicious hackers to steal information that would normally be protected by solid SSL encryption. While it has predominantly impacted Apache HTTPd, it has also affected other systems, including Nginx, Tomcat, and many more.

Unfortunately, many organisations lag in keeping their OpenSSL up to date. The work involved is often considered to be timely and costly for many operations. However, to not act can be even more expensive. 

Example OpenSSL Vulnerabilities

Example vulnerabilities with OpenSSL include the Heartbleed bug mentioned above, but also several other recent vulnerabilities.

The Raccoon attack takes advantage of a flaw in the TLS specification, which allows attackers to be able to eavesdrop on encrypted communications. This particular attack is associated with OpenSSL version 1.0.2.

Applications or servers that call the SSL_check_chain function during TLS handshakes can result in the server crashing as a result of incorrect handling of signature algorithm certifications. This issue is associated with SSL 1.1.1d-f. It has been fixed in later versions.

There are, of course, many other vulnerabilities to unpatched OpenSSL, documented here. For this and these other reasons, it makes sense to keep the application up-to-date and patched.

How to tell if your copy of OpenSSL is outdated

As a basic rule, if you are running any version other than the most recent version of OpenSSL, you are likely out of date. The first thing you will want to do is to find out what the most current version is. You can do so here.

The next thing you will want to do is to find out what version you are running. You can simply run the below command; this will work on all major operating systems.

openssl version

Another helpful method is to simply scan your systems with KernelCare’s UChecker tool, which will provide you with a list of all unpatched systems, including the process id and name. You can run this command using the below command-line.

curl -s -L https://kernelcare.com/uchecker | python

How to Update OpenSSL

If you have determined that the version you are running is not the most recent version on any of your services, you will need to perform an upgrade. There are several ways of doing this.

Package Manager

The easiest way to handle this in *NIX distros is to use the built-in package manager. The method for doing this will vary depending on the distro you are using. If you are using a RedHat system, the first step will be to bring up the current update lists for this distribution by typing:

sudo dnf update

After you have completed this, you will need to run the following command:

sudo dnf upgrade openssl 

If you are running a system which does not use dnf (say, Ubuntu) replace

dnf

yum.

If you intend to compile this with third-party applications, especially for those that have not already been installed, you will likely want to use:

sudo dnf upgrade openssl-devel openssl-libs 

After you have completed this, you will need to restart any other dependent services, to ensure that the new version of the OpenSSL libraries is correctly applied. One thing that will need to be considered is that any service that you take down and restart will become temporarily unavailable while you perform this upgrade. This is especially important for any web services that you are running, which could mean some temporary unavailability of these resources while the upgrade occurs. You may wish to time this update at a period of low usage.

Compile Your Own

Occasionally the distribution you are using may not have an up-to-date package available, and your security concerns may require that you immediately upgrade OpenSSL as soon as a new version is available. This is, of course, a right course of action considering the risk of zero-day exploits.

To do this manually, you will want to make sure you have the most updated tools by using the following commands:

sudo dnf update 

sudo dnf group install ‘Development Tools’ 

sudo dnf install perl-core zlib-devel

The next step will involve getting the source code directly from openssl.org, by using the below command:

sudo wget https://www.openssl.org/source/openssl-1.1.1h.tar.gz  

Important note:  This is the most recent version at the time of this article; you will wish to check and change the version to the most current version before you go ahead and download it. 

Once this is complete, you will need to de-compress your tarball, by using the following command (again, make sure you change this to the version you downloaded):

tar –xvzf openssl-1.1.1h.tar.gz

The above command will create a new directory, named for the version you just opened. 

cd

sudo ./config 

sudo make

This will take a little while. Once the file has been created, you will want to use the results and compile a new package using the following:

make DESTDIR=/tmp/packaged-openssl install

From this point, you can then install it as a package as described in the package manager section.    

How to Update OpenSSL without a Service Restart or Server Reboot

You may find yourself frustrated with the amount of time and resources you need to dedicate to this process. It is also easy to forget to handle as soon as new patches become available. However, there’s good news:  the easiest way to make sure your OpenSSL libraries are up to date is to use live patching. Using a service like KernelCare+ will enable you to update all of your essential libraries while they are still running, so there is no need to take them down or interrupt any of your existing services.

All you need to do if you are using this service is to simply sign up for a subscription, install the provided agent, and there is no need to worry about it at all. Instead of worrying about making sure that you have covered every system, everything is handled for you. KernelCare can either be hosted locally or be managed remotely through the cloud.  Try KernelCare+ for free!

Conclusion

Keeping your OpenSSL up to date is important to protect you against the well-known Heartbleed bug, as well as many other potential vulnerabilities. No matter which method you choose, it is essential to remain vigilant, quite simply because of the vast number of bad actors waiting to take advantage of any zero-day exploits in this service.  Whether you handle this manually yourself or use a live patching mechanism, always make sure you are patched and up-to-date.