
Which OpenSSL are you running?

OpenSSL is a well-advanced project developing a free implementation of the Secure Socket Layer and Transport Layer Security protocols. The OpenSSL code can be used in many contexts, but the most prominent use is almost certainly in web servers which need to offer the "https" protocol. When you (hint...) type your credit card number at LWN.net, the OpenSSL code ensures that said number cannot be captured by eavesdroppers lurking between your browser and our server. OpenSSL is, in other words, a critical part of the net's infrastructure.

The central role played by OpenSSL makes any security vulnerabilities in that package especially frightening. The software is widely deployed and exposed directly to the net, so holes can open up large numbers of systems to compromise. Sites using OpenSSL are also relatively likely to have something worth protecting, and are thus also relatively likely to be targets for certain types of crackers.

One would thus think that administrators of sites running OpenSSL would tend to stay current on their security updates. According to a survey run by Netcraft, however, one would be wrong. Netcraft looked at the advertised OpenSSL versions running on just over 50,000 web sites. Fully half of those sites were running version 0.9.6d (or earlier), which has vulnerabilities that are fully exploitable by a remote attacker. Only 1,356 out of 50,891 sites were running versions 0.9.6k or 0.9.7c, which were, at the time, free of known vulnerabilities (a vulnerability has since been found which can lead to crashes on Windows platforms). OpenSSL users, it would seem, have not been keeping up with their patches.

As Netcraft acknowledges, the above results are overly pessimistic. Security updates provided by distributors usually just backport the fix for the specific problem(s) to the (older) version of the software that was originally included in the distribution. So numerous sites which appear (to the outside) to be running vulnerable software are, in fact, up to date. Netcraft could have improved its numbers by seeing if an actual exploit worked on each system tested, but that approach to data collection has practical problems of its own.

The bottom line, however, is that there are certainly many vulnerable sites out there. The fact that widespread exploits have not happened suggests that the net is not quite as scary a place as it is sometimes made out to be. But, sooner or later, an opening of this magnitude will certainly be exploited. Whether it is used for some sort of unpleasant worm or for a credit card scam doesn't really matter. Either way, it will impair the trust in Linux, Apache, and network commerce in general. And it is entirely avoidable.

If you have systems running older versions of OpenSSL, it is past time to update them. The LWN vulnerability entry will point you at the relevant distributor updates.
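The Netcraft method the article describes, judging sites by the OpenSSL version string a server advertises, as an added example that is not from the article or from Netcraft: it implements the ordering of the 0.9.x letter releases and compares each advertised version against the releases the article names as current (0.9.6k, 0.9.7c) and as remotely exploitable (0.9.6d or earlier). The verdict comes from the advertised string alone, so a distributor backport such as the Debian 0.9.6c package shown in the comments below still reads as behind; the Server headers are constructed samples.

```python
import re

# Releases the article names as current (Nov 2003), keyed by branch.
CURRENT_RELEASE = {"0.9.6": "0.9.6k", "0.9.7": "0.9.7c"}
OLDEST_EXPLOITABLE = "0.9.6d"  # "0.9.6d (or earlier)" in the Netcraft figures

def parse_version(text):
    """'0.9.6d' -> (0, 9, 6, 'd'); the bare number sorts before its lettered
    releases, so '0.9.7' < '0.9.7a' < '0.9.7c', which tuple order gives."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]?)", text)
    if not m:
        raise ValueError(f"not an OpenSSL 0.9.x version string: {text!r}")
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), letter)

def advertised_version(server_header):
    """The OpenSSL/x.y.z token from an Apache Server header, or None."""
    m = re.search(r"OpenSSL/(\d+\.\d+\.\d+[a-z]?)", server_header)
    return m.group(1) if m else None

def classify(server_header):
    """Verdict from the advertised string alone: 'current', 'behind',
    'behind-exploitable' (0.9.6d or earlier) or 'unknown'. A distributor
    backport such as Debian's 0.9.6c-2.woody.4 still reads 'behind-exploitable'."""
    adv = advertised_version(server_header)
    if adv is None:
        return "unknown"
    v = parse_version(adv)
    fixed = CURRENT_RELEASE.get(f"{v[0]}.{v[1]}.{v[2]}")
    if fixed is None:
        return "unknown"  # branch not covered by the article's figures
    if v >= parse_version(fixed):
        return "current"
    return "behind-exploitable" if v <= parse_version(OLDEST_EXPLOITABLE) else "behind"

def survey(headers):
    """Tally verdicts over many Server headers, Netcraft-style."""
    counts = {}
    for header in headers:
        verdict = classify(header)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts

if __name__ == "__main__":
    sample = [  # constructed headers, not survey data
        "Apache/1.3.26 (Unix) Debian GNU/Linux mod_ssl/2.8.9 OpenSSL/0.9.6c",
        "Apache/1.3.29 (Unix) mod_ssl/2.8.16 OpenSSL/0.9.7c",
        "Apache/2.0.47 (Unix) mod_ssl/2.0.47 OpenSSL/0.9.7a",
        "Apache/1.3.27 (Unix)",
    ]
    print(survey(sample))
```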


Which OpenSSL are you running?

Posted Nov 6, 2003 0:58 UTC (Thu) by smoogen (subscriber, #97)

The main problem with going with the latest and greatest OpenSSL libraries is that ABI/API and other changes occur. The OpenSSL developers have stated that they do not see a need to stabilize these until they reach a 1.0 release. [This is actually a blessing for them, though a nightmare for some distributors.]

This requires a lot of work with all the code that might call them to use the newer syntax or other changes. These changes are why most vendors just backport fixes rather than go to the latest version.

Debian instructions

Posted Nov 6, 2003 7:50 UTC (Thu) by error27 (subscriber, #8346)

512~.$ dpkg -s openssl | grep -i version
Version: 0.9.7c-5
513~.$

Netcraft numbers might be too pessimistic

Posted Nov 6, 2003 9:22 UTC (Thu) by kunitz (subscriber, #3965)

Netcraft collects the version number that Apache reports, which is the version of openssl used at compile time. A simple update of the openssl shared libs, forcing the load of the new libs via ld.so.conf, doesn't change the reported version number. However, one can verify with procfs that the new shared libs are indeed mapped. So Netcraft's numbers might be too pessimistic.

The shared lib interface seems to be stable during the minor number series (0.9.6 and 0.9.7).
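The procfs check mentioned above, as an added example that is not from the comment: it parses the text of /proc/<pid>/maps to list which libssl/libcrypto objects a running Apache actually has mapped. On Linux the kernel appends "(deleted)" to a mapping whose backing file has since been unlinked or replaced, which is exactly what a library-only update leaves behind until the process is restarted; the maps excerpt is constructed.

```python
# Constructed /proc/<pid>/maps excerpt for an Apache started before libssl
# was updated on disk; the kernel marks the replaced file "(deleted)".
SAMPLE_MAPS = """\
08048000-08100000 r-xp 00000000 03:01 12345      /usr/sbin/apache
40000000-40015000 r-xp 00000000 03:01 23456      /lib/ld-2.2.5.so
40120000-40152000 r-xp 00000000 03:01 34567      /usr/lib/libssl.so.0.9.6 (deleted)
40152000-40155000 rw-p 00031000 03:01 34567      /usr/lib/libssl.so.0.9.6 (deleted)
40155000-40210000 r-xp 00000000 03:01 45678      /usr/lib/libcrypto.so.0.9.6
40210000-4021b000 rw-p 000ba000 03:01 45678      /usr/lib/libcrypto.so.0.9.6
bfffe000-c0000000 rwxp fffff000 00:00 0
"""

def mapped_ssl_objects(maps_text):
    """Distinct (path, stale) pairs for mapped libssl/libcrypto objects.
    stale is True when the mapping is flagged '(deleted)': the file on disk
    was replaced but the process still runs the old copy."""
    found = []
    for line in maps_text.splitlines():
        fields = line.split(None, 5)       # pathname keeps its internal spaces
        if len(fields) < 6:
            continue                       # anonymous mapping, no pathname
        path, stale = fields[5].strip(), False
        if path.endswith(" (deleted)"):
            path, stale = path[: -len(" (deleted)")], True
        base = path.rsplit("/", 1)[-1]
        if base.startswith(("libssl.so", "libcrypto.so")) and (path, stale) not in found:
            found.append((path, stale))
    return found

def soname_branch(path):
    """'/usr/lib/libssl.so.0.9.6' -> '0.9.6'. The soname carries only the ABI
    branch, never the letter release, so the fix level of the mapped file has
    to come from the package that owns it (dpkg -S or rpm -qf)."""
    parts = path.rsplit(".so.", 1)
    return parts[1] if len(parts) == 2 else ""

def needs_restart(maps_text):
    """True when an OpenSSL object is mapped stale: updated on disk, not in use."""
    return any(stale for _, stale in mapped_ssl_objects(maps_text))

if __name__ == "__main__":
    for path, stale in mapped_ssl_objects(SAMPLE_MAPS):
        print(path, soname_branch(path), "STALE" if stale else "ok")
    print("restart needed:", needs_restart(SAMPLE_MAPS))
```

On a live system, feed it the contents of /proc/<pid>/maps for each Apache child, since a parent restarted after the update can still have older children.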

Which OpenSSL are you running?

Posted Nov 6, 2003 12:49 UTC (Thu) by lacostej (guest, #2760) (3 responses)

And what about backporting? How come this is not being mentioned anywhere?

Linux distributions almost always backport instead of upgrading to the latest. We are not in the Microsoft (and other private companies) world here. Fixing a security bug does not force you to get a bunch of new features.

jerome@debian Woody> dpkg -l openssl
ii openssl 0.9.6c-2.woody.4 [...]

jerome@mandrake 9.2> rpm -q openssl
openssl-0.9.7a-1.2.91mdk

Does that mean that mandrake 9.1 and Debian Woody are vulnerable? No (at least to known vulnerabilities). But these 2 machines would be (and perhaps have been) counted in the results of the NetCraft survey.
This article overlooks a big FEATURE of open source. People HAVE the source code. The number may NOT reflect what you think the software is!!

I really think that somebody should make NetCraft write an erratum on this survey before it gets used as FUD by proponents of closed source software. For example, someone could come up and say: "Open Source doesn't provide automated upgrade, otherwise these machines would be up to date with their security. Because of our automated upgrade, present on our new systems, you will never have to fear this kind of situation. bla bla bla lab lud fud fud fud"

So whose job is it to make that request? I think it should be people from the Linux distributions.

Jerome

Which OpenSSL are you running?

Posted Nov 6, 2003 15:12 UTC (Thu) by bchapman26 (guest, #4565) (1 response)

And what about backporting? How come this is not being mentioned anywhere?

May I suggest you re-read the article? It might have saved you the embarrassment of complaining about something that is already in the article.

Which OpenSSL are you running?

Posted Nov 7, 2003 9:04 UTC (Fri) by lacostej (guest, #2760)

"May I suggest you re-read the article? It might have saved you the embarrassment of complaining about something that is already in the article"

It's in the LWN article, not in Netcraft's article. I just wanted to underline a point. The comment was perhaps not very in line with the LWN article; it was taken from a letter I sent to Netcraft's author.

Sorry for not reformatting my thinking correctly and making a stupid copy/paste mistake.

But my main concern in my comments still applies: Netcraft should probably update their article to mention it.

Which OpenSSL are you running?

Posted Nov 7, 2003 1:53 UTC (Fri) by iabervon (subscriber, #722)

Actually, I think it would be best if versions of OpenSSL with backported patches got some sort of extra bit in their version string (as reported by Apache) to report the fixes. It could even be something like "openssl 0.9.6c/0.9.6k" to report that it was the 0.9.6c API with security patches to match 0.9.6k. That way, users could easily relate a vulnerability report from the OpenSSL people to the version they have installed.

Of course, as someone else has mentioned, Apache doesn't actually check the runtime version of OpenSSL. But at least the user could determine what issues apply when logged in.

Re: Which OpenSSL are you running?

Posted Nov 6, 2003 20:52 UTC (Thu) by X-Nc (guest, #1661)

> (a vulnerability has since been found which can
> lead to crashes on Windows platforms)

Hmmm... This sounds like a good "feature enhancement" addition to me. >:-)

A Sane Setup of Public Internet Services

Posted Nov 7, 2003 6:43 UTC (Fri) by stock (guest, #5849)

If I install a server from which e.g. ftp, http, ssh, and bind are to be accessible from the internet, I always remove the corresponding RPM or .deb packages, and instead proceed to a manual build with my own choice of self-compiled compiler version and ftp/http/ssh/bind version.

That has a couple of important advantages:

1. My server will never be vulnerable to a massive internet-worm-like attack. Why? Such worms only contain prepackaged exploits which in practice only successfully act upon the vendor-supplied RPM and .deb packages.

2. Because one operates from a source tree, all new vulnerabilities can be solved by applying the patches at the source-tree level. Next, recompile the new source tree with your custom-built compiler version. At the same time the possibility exists to avoid that totally insane upgrade to a whole new branch of the vulnerable package, thus avoiding increased risks for possible new unknown exploits.

A good pointer to proceed is e.g. the Apache Compile HOWTO at http://www.delouw.ch/linux/apache.phtml . Packages such as wu-ftpd and openssl/openssh are not that hard to build and maintain from source.

Robert

Note on OpenSSH

Posted Nov 7, 2003 14:55 UTC (Fri) by bjn (guest, #2179)

I confirmed with the developers of OpenSSH that as of OpenSSH 3.5, it no longer uses the OpenSSL ASN.1 code (it has its own parser now). So if you upgrade OpenSSH you can avoid this SSL bug for that service, at least.

Time for an alternative, right?

Posted Nov 7, 2003 17:48 UTC (Fri) by mmutz (guest, #5642)

Just as the sendmail monoculture was a plague, the OpenSSL one is. We now have a lot of good MTAs, but we lack a serious OpenSSL alternative. gnutls might be close, but it lacks SSLv2 support. But for servers, at least, that's not an issue.

Let's hope the GNUTLS guys soon get something going that can supersede OpenSSL's license and vulnerability problems. :-)

Eric Rescorla's paper has better statistics

Posted Nov 13, 2003 13:49 UTC (Thu) by jorton (guest, #268)

Eric Rescorla wrote a paper about CAN-2002-0656, the vulnerability which is the "0.9.6d and earlier" row in Netcraft's table, and actually researched how servers were being patched to fix this by testing the overflow (in a non-destructive manner!) rather than relying on version numbers. http://www.rtfm.com/upgrade.html

Rescorla found that 35% of a sample of 890 hosts were actually vulnerable to CAN-2002-0656 by mid-October 2002.


Copyright © 2003, Eklektix, Inc.