CloudLinux offers extended support until 2024 to keep your CentOS 6 servers secure from a new OpenSSL Vulnerability.
OpenSSL recently released a security patch for a high-severity finding that affects servers running the 1.0.2 and 1.1.1 versions. Unfortunately, OpenSSL announced that it would not release patches for CentOS 6, only for CentOS 7 and CentOS 8. This leaves any server running unpatched OpenSSL, including those on the CentOS 6 operating system, vulnerable to denial-of-service (DoS), where software, critical services, or the operating system itself could crash. CloudLinux, however, will patch current versions of OpenSSL, the unsupported 1.0.1 version, and servers running the CentOS 6 operating system.
Vulnerability Details for CVE-2020-1971
OpenSSL has a function named GENERAL_NAME_cmp() that compares two parameters and is used for the following two checks:
- Comparing an X.509 certificate with items in a certificate revocation list (CRL).
- Comparing the timestamp of the response token signer with that of an authority name.
The function is important in secure communication because it is part of ensuring that a certificate has not been revoked. Certificate Authority (CA) organizations revoke certificates for several reasons. If a server's private key is stolen in a compromise, the CA revokes the certificate to protect the integrity of communication. Other reasons for revocation include misuse of a certificate (after which a new one must be issued), compromise of the CA itself, or the CA having issued certificates without authorization from the domain owner. In any of these cases, an attacker could masquerade as the targeted domain and trick users into trusting a site, which could then lead to a sophisticated phishing attack and disclosure of sensitive data.
If an attacker can control both parameters passed to the GENERAL_NAME_cmp() function, a DoS condition is reached when both parameters are of the same type. The Google researcher who found the vulnerability demonstrated a proof of concept by passing the function two parameters of the type EDIPartyName, as defined in OpenSSL's code.
The patch for the vulnerability, assigned ID CVE-2020-1971, was released on December 8, 2020. Changes to the open-source code can be found in OpenSSL's GitHub repository. You can read more about the vulnerability on OpenSSL's announcement page.
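To make the comparison described above concrete, here is a small, self-contained C model of how a GENERAL_NAME comparison should be written so that a pair of EDIPartyName values cannot crash the process. This is an added example, not OpenSSL's code and not CloudLinux's patch: the GENERAL_NAME and EDIPARTYNAME structures are simplified stand-ins (real OpenSSL uses ASN.1 types, not C strings), the GEN_* tag values mirror OpenSSL's numbering, and the field names follow RFC 5280's EDIPartyName. The defensive pattern shown is the one a reviewer looks for: check the type tag before reading any union member, then dispatch to a comparison that understands that member's real layout and treats the OPTIONAL field's absence explicitly instead of dereferencing it.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of an EDIPartyName (RFC 5280). nameAssigner is OPTIONAL,
 * so a well-formed value may legitimately carry NULL there; partyName is
 * required by the ASN.1, but a comparison should never assume it is set. */
typedef struct {
    const char *nameAssigner;
    const char *partyName;
} EDIPARTYNAME;

/* Tag values match OpenSSL's GEN_* constants; the struct itself is a model. */
enum gen_type { GEN_EMAIL = 1, GEN_DNS = 2, GEN_EDIPARTY = 5, GEN_URI = 6 };

typedef struct {
    enum gen_type type;
    union {
        const char *ia5;          /* GEN_EMAIL, GEN_DNS, GEN_URI */
        EDIPARTYNAME *ediParty;   /* GEN_EDIPARTY */
    } d;
} GENERAL_NAME;

/* Two optional strings match only if both are absent or both are present and equal. */
static int opt_str_cmp(const char *a, const char *b)
{
    if (a == NULL || b == NULL)
        return (a == NULL && b == NULL) ? 0 : -1;
    return strcmp(a, b) == 0 ? 0 : -1;
}

/* Field-by-field comparison of two EDIPartyName values: 0 on match, -1 otherwise.
 * Every pointer is checked before use, so a NULL operand yields "not equal"
 * rather than a crash. */
int edipartyname_cmp(const EDIPARTYNAME *a, const EDIPARTYNAME *b)
{
    if (a == NULL || b == NULL)
        return -1;
    if (opt_str_cmp(a->nameAssigner, b->nameAssigner) != 0)
        return -1;
    return opt_str_cmp(a->partyName, b->partyName);
}

/* Type-checked comparison of two GENERAL_NAME values. The tag is compared
 * before any union member is read, and each tag goes to a comparison that
 * knows the actual layout behind it. */
int general_name_cmp(const GENERAL_NAME *a, const GENERAL_NAME *b)
{
    if (a == NULL || b == NULL || a->type != b->type)
        return -1;
    switch (a->type) {
    case GEN_EDIPARTY:
        return edipartyname_cmp(a->d.ediParty, b->d.ediParty);
    case GEN_EMAIL:
    case GEN_DNS:
    case GEN_URI:
        return opt_str_cmp(a->d.ia5, b->d.ia5);
    default:
        /* Unknown tag: report "not equal" instead of guessing the layout. */
        return -1;
    }
}

int main(void)
{
    /* Constructed sample values, not taken from any real certificate. */
    EDIPARTYNAME p1 = { "Assigner", "Party" };
    EDIPARTYNAME p2 = { NULL, "Party" };
    GENERAL_NAME a = { GEN_EDIPARTY, { .ediParty = &p1 } };
    GENERAL_NAME b = { GEN_EDIPARTY, { .ediParty = &p1 } };
    GENERAL_NAME c = { GEN_EDIPARTY, { .ediParty = &p2 } };
    GENERAL_NAME n = { GEN_EDIPARTY, { .ediParty = NULL } };

    printf("identical EDIPartyName:      %d\n", general_name_cmp(&a, &b));
    printf("nameAssigner absent on one:  %d\n", general_name_cmp(&a, &c));
    printf("missing EDIPartyName body:   %d\n", general_name_cmp(&a, &n));
    return 0;
}
```

The last case in main is the one that matters for a DoS: an EDIPartyName-tagged name whose body is missing is answered with -1 and the process keeps running, which is exactly the property a CRL or timestamp check needs from this function.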
What Can Happen if OpenSSL is Left Unpatched?
While remote code execution (RCE) is not a concern, unpatched servers could be subject to DoS and potentially a distributed denial-of-service (DDoS) condition, where services are taken offline and become unavailable to users. Critical servers that must stay available for business productivity, or that must be online to meet service level agreements, could be a target for attackers. The CVE entry sets the risk level to "High," which means it is considered a serious vulnerability for organizations. Only vulnerabilities labelled "Critical" are more serious, and those happen about once every five years.
Mitigation with Extended Support for CentOS 6 and/or KernelCare+
CloudLinux Extended Support for CentOS 6 has this security patch available for its customers. The End-of-Life (EOL) date for CentOS 6 was November 2020, but CloudLinux offers extended support until 2024 to keep servers secure from this OpenSSL vulnerability until administrators can upgrade to a newer version of the operating system. To sign up for extended support, fill out this form.
KernelCare also has live patching support for OpenSSL as well as several other shared libraries.
Installing CloudLinux Extended Support for CentOS 6
Installation of CloudLinux Extended Support requires only a few commands.
Download the installer script:
wget https://repo.cloudlinux.com/centos6-els/install-centos6-els-repo.py
Run the installer script (note that you need your license key):
python install-centos6-els-repo.py --license-key XXX-XXXXXXXXXXXX
The above command installs the centos-els-release package, which contains the repository PGP key. You can confirm that the installation completed by running the following command:
rpm -q centos-els-release
Output from the above command should display:
centos-els-release-6-6.10.1.el6.x86_64
Note: Existing customers still running CentOS as of December 1, 2020 were automatically converted to EOL support.
Installing KernelCare+
Installing KernelCare+ is as easy as installing CloudLinux ES. To install KernelCare+, run one of the following commands:
curl -s -L https://kernelcare.com/installer | bash
Or,
wget -qq -O - https://kernelcare.com/installer | bash
For more information about installing KernelCare+, see the official documentation.
Conclusion
Researchers indicate that this OpenSSL vulnerability is much more difficult to exploit, but that is no reason to delay patching your servers. Whether you plan to patch manually, upgrade to a newer version of OpenSSL, or opt for live patching with KernelCare+, do it immediately. OpenSSL remains one of the most targeted pieces of software, and DDoS attacks are more frequent than they may seem.