WordPress site owners have been hit hard this week with a double security whammy: the disclosure of a vulnerability in the OpenSSL library used by web servers, nicknamed “Heartbleed”, and an exploit in the widely used JetPack plugin.
OpenSSL Heartbleed Vulnerability
A vulnerability in the OpenSSL library was disclosed on Monday 7th April 2014 in what has been called one of the worst security holes in the Internet in recent history.
The OpenSSL library is used by the Apache and NGINX web servers which power the majority of the Interwebs sites which deliver secure content (HTTPS).
The bug, nicknamed “Heartbleed”, allows an attacker to read the first 64K of server memory on any vulnerable server. That memory can contain usernames, passwords and SSL certificate details.
This neat cartoon by xkcd explains the issue well.
You should consider any SSL certificates to be compromised and you’ll need to revoke and reissue those certificates.
The bug has been present in OpenSSL since version 1.0.1, released in March 2012, and was fixed in version 1.0.1g, released on April 7th, 2014.
You can read more about the problem, tagged CVE-2014-0160, on the National Vulnerability Database.
What Does This Mean To You?
If your website doesn’t use SSL (HTTPS) then there’s not a lot for you to worry about.
If you’re on shared hosting then you won’t have access to your site’s servers. In this case you should contact your hosting provider and ensure they have patched their servers.
For everyone else, you’ll need to update the OpenSSL library on all your servers.
Updating OpenSSL on CentOS 6
We use CentOS for our VPSes, so here’s a quick guide to updating OpenSSL on those machines. If you’re running something other than CentOS, you’ll have to look up how to apply the patch for your particular machine(s).
SSH into your VPS and confirm the version of OpenSSL using the following command:

openssl version -a

You’ll get something similar to this:

OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Tue Apr 8 02:39:29 UTC 2014
platform: linux-x86_64
options: bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/etc/pki/tls"
engines: dynamic
Pay close attention to the “built on” date. On CentOS the version string stays at 1.0.1e even after patching, because Red Hat backports the fix into the existing package rather than shipping 1.0.1g, so the build date is what tells you whether the fix is in. Any builds prior to April 7th, 2014 need to be patched.
To update your system simply use the following command:

yum update

CentOS will download all the new OS updates including the OpenSSL patch.
It’s also recommended that you perform a reboot to clear your machine’s memory:

sudo shutdown -r now

You can test to see if your machine has been successfully patched using this website.
Note: please only use this test on servers you own. It could be considered a criminal offence if you try to run the exploit against machines you do not own.
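Here is an added example (not from the original post) that turns the check above into a script: it reads `openssl version -a` output and reports whether a CentOS 6 build carries the Heartbleed fix, using the “built on” date because the version string does not change. The two sample outputs are constructed; the first is the post’s own, trimmed.

```shell
#!/bin/sh
# Added example, not from the original post: classify `openssl version -a`
# output for Heartbleed (CVE-2014-0160). On CentOS 6 the version string stays
# "1.0.1e" after patching because Red Hat backports fixes, so the "built on"
# date (7 April 2014 or later) is the signal the post tells you to read.

# Constructed sample: the post's own patched CentOS 6 output, trimmed.
SAMPLE_PATCHED='OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Tue Apr 8 02:39:29 UTC 2014
platform: linux-x86_64'
# Constructed sample: the same package, built before the fix was backported.
SAMPLE_OLD='OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Thu Feb 13 10:02:11 UTC 2014
platform: linux-x86_64'

# Print the "built on" date as YYYYMMDD, or nothing when the line is absent
# or unparsable (some builds print "built on: date not available").
built_on_yyyymmdd() {
    printf '%s\n' "$1" | awk '
        BEGIN { split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
                for (i = 1; i <= 12; i++) mon[m[i]] = i }
        /^built on:/ && ($4 in mon) && $NF ~ /^[0-9][0-9][0-9][0-9]$/ {
            printf "%04d%02d%02d\n", $NF, mon[$4], $5 }'
}

# Print one of: not-affected, patched, vulnerable, unknown.
heartbleed_status() {
    ver=$(printf '%s\n' "$1" | awk 'NR == 1 && $1 == "OpenSSL" { print $2 }')
    case "$ver" in
        1.0.1[g-z]*) echo patched; return 0 ;;     # upstream fix landed in 1.0.1g
        1.0.1*|1.0.2-beta*) ;;                     # affected branches: check build date
        *) echo not-affected; return 0 ;;          # 0.9.8 and 1.0.0 never had the bug
    esac
    d=$(built_on_yyyymmdd "$1")
    if [ -z "$d" ]; then echo unknown
    elif [ "$d" -ge 20140407 ]; then echo patched  # fix backported into this build
    else echo vulnerable
    fi
}

heartbleed_status "$SAMPLE_PATCHED"   # patched
heartbleed_status "$SAMPLE_OLD"       # vulnerable
# On a live box: heartbleed_status "$(openssl version -a)"
```

On a live CentOS 6 host, `rpm -q --changelog openssl | grep CVE-2014-0160` is the authoritative confirmation that the backported fix is in the installed package.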
Revoking and Reissuing your SSL Certificates and Keys
OK – so you’ve patched the machine and OpenSSL is secure again. However, as the exploit has been around for a year, you should consider that your SSL certs/keys could have been compromised at any point during that year.
If you’ve purchased SSL certificates from a provider and now patched your OpenSSL, best practice deems that you revoke and reissue all certs. This is called “rekeying”.
The method for rekeying will likely be dependent on your SSL issuer, but it should be a relatively simple process.
You’ll need to generate a CSR from WHM in order for the issuer to rekey your certificate. Navigate to SSL / TLS > Generate an SSL Certificate and Signing Request and follow the instructions.
The CSR will have the following format:

-----BEGIN CERTIFICATE REQUEST-----
(base64-encoded request body)
-----END CERTIFICATE REQUEST-----
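If you would rather generate the key and CSR on the command line than in WHM, here is an added example (not from the original post) that does so and then checks that the new key is genuinely different from the old one. Paths and the hostname are placeholders; the check matters because a certificate reissued against the old, possibly leaked, private key gains you nothing.

```shell
#!/bin/sh
# Added example, not from the original post: generate a fresh key and CSR for
# rekeying outside WHM, then prove the key really is new. A certificate
# reissued against the old (possibly leaked) private key gains nothing, so the
# modulus comparison is the part that matters. Paths and the CN are placeholders.

# Create a new 2048-bit RSA key and CSR in $1 for hostname $2 (non-interactive).
make_rekey_csr() {
    dir=$1; host=$2
    mkdir -p "$dir"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/$host.key" -out "$dir/$host.csr" \
        -subj "/CN=$host" >/dev/null 2>&1 || return 1
    chmod 600 "$dir/$host.key"
    # The CSR must pass its own signature check before you hand it to the issuer.
    openssl req -noout -verify -in "$dir/$host.csr" >/dev/null 2>&1
}

# Succeeds only when CSR $3 was built from key $2 and $2 differs from old key $1.
key_is_fresh() {
    old=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null || true)
    new=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null || true)
    csr=$(openssl req -noout -modulus -in "$3" 2>/dev/null || true)
    [ -n "$new" ] && [ "$new" = "$csr" ] && [ "$new" != "$old" ]
}

# Usage on the server (placeholder paths; old.key is whatever the server
# served while it was vulnerable):
#   make_rekey_csr /root/rekey www.example.com
#   key_is_fresh /etc/pki/tls/private/old.key /root/rekey/www.example.com.key \
#       /root/rekey/www.example.com.csr && cat /root/rekey/www.example.com.csr
```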
Some issuers may not generate the SSL cert straight away, so you’ll have to keep an eye out for it arriving by email.
Once you receive the rekeyed SSL certificate, install it on your server/domain and then remember to restart the web server:

service httpd restart

If you want to be ultra secure, change all your system passwords too: cPanel, FTP and email.

JetPack Exploit
Second on our list of patches is to the JetPack plugin.
This is a particularly nasty bug and, again, it’s been around since 2012 and has only just been noticed! It allows attackers to publish posts on your site.
The team released a statement on the Jetpack blog.
During an internal security audit, we found a bug that allows an attacker to bypass a site’s access controls and publish posts. This vulnerability could be combined with other attacks to escalate access. This bug has existed since Jetpack 1.9, released in October 2012.
It’s an easy fix. Just update the JetPack plugin to the current patched version (2.9.3 at time of this post).
The JetPack team are proactively pushing the patch out using the automatic updater introduced in WordPress 3.7.
Want to keep your WordPress website secure? Read up on our WordPress Security Best Practices.