cPanel Security Team: Heartbleed Vulnerability
Heartbleed is a serious vulnerability in OpenSSL 1.0.1 through 1.0.1f.
This vulnerability allows an attacker to read 64 kilobyte chunks of memory from servers and clients that connect using SSL, through a flaw in OpenSSL’s implementation of the TLS heartbeat extension.
What does this mean for cPanel servers?
cPanel & WHM does not provide any copies of the OpenSSL library. The daemons and applications shipped with cPanel & WHM link to the version of OpenSSL provided by the core operating system. Red Hat 6, CentOS 6, and CloudLinux 6 provided vulnerable versions of OpenSSL 1.0.1. All three distros have published patched versions of their OpenSSL 1.0.1 RPMs to their mirrors. To update any affected servers, run “yum update” to install the patched version of OpenSSL, then restart all SSL-enabled services or reboot the system.
You can ensure you are updated by running the following command:
# rpm -q --changelog openssl | grep -B 1 CVE-2014-0160
* Mon Apr 07 2014 Tomáš Mráz 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
You should see the information noting the fix to CVE-2014-0160.
RHEL/CentOS 5 servers, which are using the OpenSSL 0.9.8 RPM included in the official OS repositories, are not vulnerable to the Heartbleed issue since they are using an older version of OpenSSL that never contained this vulnerability.
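The three checks above (is the installed OpenSSL in the 1.0.1 through 1.0.1f range, does the openssl RPM changelog record the CVE-2014-0160 fix, and have the SSL-enabled services actually been restarted after the update) can be scripted. The following is an added example written for this page, not a cPanel tool; it assumes a RHEL-family system with rpm, openssl and lsof installed, and it keeps the parsing in functions that read text on stdin so the logic can be exercised against constructed input. Note the caveat it encodes: on Red Hat, CentOS and CloudLinux the fix is backported, so a patched box still reports "OpenSSL 1.0.1e" and only the changelog check is conclusive.

```shell
#!/bin/sh
# Added example (not part of the cPanel advisory): post-update Heartbleed checks
# for RHEL/CentOS/CloudLinux 6. Assumes rpm, openssl and lsof are present.

# 1. Version-string check: is this release in the vulnerable range 1.0.1..1.0.1f?
#    Insufficient on its own for RHEL-family systems, which backport fixes
#    without changing the upstream version string.
version_in_heartbleed_range() {
  # $1 is a version string such as "1.0.1e" or "OpenSSL 1.0.1e-fips 11 Feb 2013"
  v=$(printf '%s\n' "$1" | sed -n 's/.*\(1\.0\.1[a-z]*\).*/\1/p')
  case "$v" in
    1.0.1|1.0.1[a-f]) return 0 ;;   # vulnerable upstream release
    *) return 1 ;;                  # 0.9.8, 1.0.1g and later, 1.0.2, or no match
  esac
}

# 2. Changelog check, the test the advisory recommends: the installed openssl
#    package's RPM changelog must mention CVE-2014-0160. Reads changelog text on
#    stdin, prints the entry header plus the fix line, succeeds only on a match.
changelog_has_heartbleed_fix() {
  grep -B 1 'CVE-2014-0160'
}

# 3. Services still holding the old library: after yum replaces libssl/libcrypto,
#    any daemon not yet restarted still maps the deleted copy, which lsof reports
#    with FD "DEL". Reads `lsof -n` output on stdin, prints "command pid" per hit.
services_with_stale_openssl() {
  awk '$4 == "DEL" && $NF ~ /lib(ssl|crypto)\.so/ { print $1, $2 }' | sort -u
}

# Run all three checks against the live system.
run_checks() {
  ver=$(openssl version 2>/dev/null) || ver=""
  if version_in_heartbleed_range "$ver"; then
    echo "OpenSSL version string is in the 1.0.1-1.0.1f range ($ver); checking the RPM changelog for the backported fix"
  fi
  if rpm -q --changelog openssl 2>/dev/null | changelog_has_heartbleed_fix; then
    echo "openssl RPM changelog records the CVE-2014-0160 fix"
  else
    echo "no CVE-2014-0160 entry in the openssl changelog: run 'yum update openssl'"
  fi
  stale=$(lsof -n 2>/dev/null | services_with_stale_openssl)
  if [ -n "$stale" ]; then
    echo "processes still mapping the pre-update OpenSSL library (restart them or reboot):"
    echo "$stale"
  fi
}

# Only touch the live system when invoked with --live, so the functions can be
# sourced and tested against constructed input without side effects.
if [ "${1:-}" = "--live" ]; then
  run_checks
fi
```

Run it as `sh heartbleed-check.sh --live` on the server after `yum update`. An empty "stale" list together with a changelog match is the state the advisory describes as fixed; a non-empty list names the daemons that still need a restart (FTP, Exim, cpsrvd, Dovecot or Courier are the usual cPanel ones) even though the package on disk is already patched.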
What steps do I need to take as an Admin/root of our servers running cPanel & WHM?
Once the RPM of OpenSSL has been updated you should reset all certificates via the Manage Service SSL Certificates interface in WHM.
Home » Service Configuration » Manage Service SSL Certificates
You will need to click the ‘Reset Certificate’ link for each service: FTP, Exim, cPanel/WHM/Webmail Service, and Dovecot or Courier Mail Server.
You should also check the SSL certificates in the Manage SSL Hosts interface of WHM.
Home » SSL/TLS » Manage SSL Hosts
Many Certificate Authorities are helping their customers regenerate SSL certificates at no cost. This may vary and your Certificate Authority should be contacted prior to any actions to ensure the proper procedures are followed.
Do we need to reset our passwords and regenerate our private and public keys on the server?
Due to the nature of the vulnerability it is impossible to know what other information, including private keys, passwords, and session IDs, has been compromised. The attack occurs before a full connection to your server has been made, leaving no indication in any logs that an attack has occurred. It is recommended that you regenerate all SSH keys and reset all passwords across the server.