3

I am running a server with CentOS 6.5, patched to recent openssl updates via yum update ssl and with indications the current version indeed has the patch to the vulnerability.

$ sudo rpm -q --changelog openssl | grep CVE-2014-0224
- fix CVE-2014-0224 fix that broke EAP-FAST session resumption support
- fix CVE-2014-0224 - SSL/TLS MITM vulnerability

However, an SSLTest scan and Nessus indicate that I'm still vulnerable:

This server is vulnerable to the OpenSSL CCS vulnerability (CVE-2014-0224) and exploitable. Grade set to F.

I'm at a loss - should I trust SSLTest and Nessus or the CentOS distro and rpm flag?

Note: we always restart all relevant services after patches.

schroeder
user3546411
    is there a load balancer or any other system between qualys and your patched server that might be causing the finding? redirected ports? – schroeder Mar 07 '15 at 06:14
  • 1
    In addition to checking the items @schroeder mentioned, do you possibly have a service using a statically linked version of OpenSSL, rather than the OS version? – Xander Mar 07 '15 at 14:15
  • @Xander - I have verified all openssl libraries are patched. Both nessus and ssllabs, however, report we are vulnerable. – user3546411 Jul 04 '15 at 22:18
  • @schroeder nope - the server I am referring to is the front end that gets hit first. – user3546411 Jul 04 '15 at 22:19

1 Answer

1

If openssl was patched recently and you have not restarted all services which are using libssl you may have to reboot your machine in order to complete the openssl patching.

By running the following command you can see what services are using libssl:

lsof | grep -i libssl | grep DEL | awk '{print $1}' | sort | uniq
Jens Erat
Vadim Sluzky