How to Upgrade openssl to OpenSSL 1.0.1h in zimbra 8.0.3

revanth1226
Posts: 11
Joined: Sat Sep 13, 2014 3:07 am

How to Upgrade openssl to OpenSSL 1.0.1h in zimbra 8.0.3

Postby revanth1226 » Mon Oct 27, 2014 5:38 pm

Hi,



My server is vulnerable to the OpenSSL CCS vulnerability (CVE-2014-0224) and exploitable, so I am planning to upgrade to the latest OpenSSL version.


The version currently running is:


[zimbra@zim01 ~]$ openssl version
OpenSSL 1.0.1d 5 Feb 2013


And the Zimbra version is below:


[zimbra@zim01 ~]$ zmcontrol -v
Release 8.0.3_GA_5664.RHEL6_64_20130305090204 CentOS6_64 FOSS edition.


I have tried the URL below to upgrade to OpenSSL 1.0.1h (the latest version), but while running the script I am getting the error below:


[root@test tmp]# ./zmopenssl-updater.sh
Downloading patched openssl
Error: Unable to download openssl



Can anyone help me upgrade OpenSSL?



Regards,


Revanth



pup_seba
Outstanding Member
Posts: 687
Joined: Sat Sep 13, 2014 2:43 am
Location: Tarragona - Spain

How to Upgrade openssl to OpenSSL 1.0.1h in zimbra 8.0.3

Postby pup_seba » Tue Oct 28, 2014 8:18 am

Hi,



Please re-download from here:

wget http://files.zimbra.com/downloads/security/zmopenssl-updater.sh



Ensure you change the permissions on that file so all users can read and execute it, and run it again. Execute it as root.



Restart your zimbra server (zmcontrol restart).



That should be it... do this on each server.



Make sure you can resolve the addresses the script references (files.zimbra.com/downloads) and that you have internet connectivity for this (iptables and/or external firewalls).
revanth1226
Posts: 11
Joined: Sat Sep 13, 2014 3:07 am

How to Upgrade openssl to OpenSSL 1.0.1h in zimbra 8.0.3

Postby revanth1226 » Tue Oct 28, 2014 9:16 am

Hi,



My Zimbra server is running on a single server. I have downloaded the script from the same place, given it read and execute permission and executed it as root; while running the script I received the error below:



[root@test tmp]# ./zmopenssl-updater.sh
Downloading patched openssl
Error: Unable to download openssl



The server is running CentOS 6.4.



Regards,

Revanth
pup_seba
Outstanding Member
Posts: 687
Joined: Sat Sep 13, 2014 2:43 am
Location: Tarragona - Spain

How to Upgrade openssl to OpenSSL 1.0.1h in zimbra 8.0.3

Postby pup_seba » Tue Oct 28, 2014 11:02 am

You could try to add the "-x" option at the top of that script, like this:

#!/bin/bash -x



to see where the error is happening and whether it is loading the proper variables, in which case you could change those for your current version.



See? So, for instance, in my case I could start changing the script like this:



#!/bin/bash -x

SSL[0]='1.0.1d'
SSL[1]='1.0.1e'
SSL[2]='1.0.1e'
SSL[3]='1.0.1e'
SSL[4]='1.0.1f'
VERSION=8.5.0
MAJOR=8
MINOR=5
PATCH=0



As you can see, what I'm doing is replacing the variables with the current values from my system. Do that, as maybe the error is because the script fails to obtain those variables for some reason.



I don't see any solution to this but to troubleshoot step by step. Always assuming that you can communicate correctly with the internet (think of 443 and other possible ports that could be used and that you might not have open...).



Good luck.
metux
Advanced member
Posts: 146
Joined: Mon Jul 28, 2014 6:21 pm

How to Upgrade openssl to OpenSSL 1.0.1h in zimbra 8.0.3

Postby metux » Tue Oct 28, 2014 3:37 pm

[quote]

Please re-download from here:

wget http://files.zimbra.com/downloads/security/zmopenssl-updater.sh

[/quote]



*FACEPALM*



Yet another ugly script, which just downloads _security-critical_ libraries - ***WITHOUT ANY SECURITY***!



You even call wget with "--no-check-certificate", so you EXPLICITLY SWITCH OFF TRANSPORT SECURITY.

(and the script itself is also fetched via PLAIN http - NO SECURITY AT ALL!)



Are you intentionally fooling us, or just completely incompetent?!



Folks, this is an absolute catastrophe, not professional at all.



And this is DANGEROUS! You are deliberately allowing your customers' machines to be easily compromised.

Are you paid by the NSA for that crap ?



If it were my company, I would have fired the guys responsible for that, immediately.





Finally, some _serious_ advice for all operators:



DO NOT use that script. Instead fetch a recent openssl from upstream (or via trusted distros) and compile it yourself. You'll find the appropriate build commands in ThirdParty/openssl/Makefile.



(In theory, directly linking/copying in libssl.so* from the distro might also work, but I haven't checked yet.)
pup_seba
Outstanding Member
Posts: 687
Joined: Sat Sep 13, 2014 2:43 am
Location: Tarragona - Spain

How to Upgrade openssl to OpenSSL 1.0.1h in zimbra 8.0.3

Postby pup_seba » Tue Oct 28, 2014 5:09 pm

Hi,



The patch itself is provided via HTTPS and it even has an MD5 checksum verification. The only thing provided over a non-secure channel like HTTP is a .sh (bash script), which is already in a legible format if you want to see what it does and how.



The --no-check-certificate does not "EXPLICITLY SWITCH OFF TRANSPORT SECURITY"... it just allows the communication to proceed even when the handshake fails due to an error/mismatch or something weird about the site and the certificate it presents.



If you go to https://files.zimbra.com/downloads and see what the problem with the certificate is, you'll see that it is a Verisign certificate with an Amazon S3 CN. In which case the only problem here would be if you don't trust that site (the Zimbra site), and in my case I do trust it. So I (as a simple user, as I don't work for Zimbra) don't think they are trying to fool me in any way.



I'm not a security expert, so could you please explain to me how this is a security risk? I mean, the encryption of the information during transport is working (--no-check-certificate doesn't turn off encryption), I love the fact that the script is in bash (think of all the closed products with updates where you have no idea what or how they are doing things on your system), and I don't really see the big deal here.



I'd appreciate any help because, as I said, I'm not a security expert and it would be very helpful for me to understand why you see this as such a critical thing.



In any case, and trying to give revanth1226 more help: as I see in the script, the error you mention is the result of getting a non-zero exit status from this command.



wget --no-check-certificate https://files.zimbra.com/downloads/8.0.${PATCH}_GA/openssl/$PLAT/openssl-${SSL_VERSION}.tgz >/dev/null 2>&1

echo "Downloading patched openssl"
wget --no-check-certificate https://files.zimbra.com/downloads/8.0.${PATCH}_GA/openssl/$PLAT/openssl-${SSL_VERSION}.tgz >/dev/null 2>&1
RC=$?

if [ $RC -ne 0 ]; then
    echo "Error: Unable to download openssl"
    exit 1
fi



So... I must understand that for some reason you are not able to download the file. Either you have a network configuration to adjust, or some parts of the URL are not well defined. For the latter case, you could try to diagnose it with the help of the "-x" option I suggested before. For the network configuration, you could try to download the file from a web browser on your own PC and then copy it to the server and follow/adapt things from there.
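As an added example (not Zimbra's zmopenssl-updater.sh, and not code from either poster), here is how the download step quoted above could be written so that it keeps certificate verification on, reports the reason wget failed instead of sending its output to /dev/null, and checks the tarball against a SHA-256 value the operator obtained out of band rather than an MD5 fetched over the same channel. The exit-code table is wget's documented one; the function names and the out-of-band checksum are assumptions for illustration.

```shell
#!/bin/bash
# Added example, not the project's updater script. Hardened download step:
#  - no --no-check-certificate, so a bad/mismatched certificate fails closed
#  - wget's own diagnostics are kept in a log and shown on failure
#  - the file is checked against a SHA-256 supplied out of band (assumed to
#    come from a signed advisory or release notes), not a .md5 beside it

# Meaning of wget's documented exit codes (from the wget manual).
wget_rc_explain() {
    case "$1" in
        0) echo "success" ;;
        1) echo "generic error" ;;
        2) echo "parse error (command line or .wgetrc)" ;;
        3) echo "file I/O error" ;;
        4) echo "network failure (DNS, connect, timeout)" ;;
        5) echo "SSL verification failure (certificate not trusted/mismatched)" ;;
        6) echo "username/password authentication failure" ;;
        7) echo "protocol error" ;;
        8) echo "server issued an error response (e.g. HTTP 403/404)" ;;
        *) echo "unknown exit code $1" ;;
    esac
}

# SHA-256 of a file; sha256sum on Linux, shasum on BSD/macOS.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Compare a downloaded file with the expected SHA-256 (hex, lowercase).
# Returns 0 on match, 1 on mismatch. An MD5 fetched from the same server over
# the same channel would only catch transfer corruption, not substitution.
verify_sha256() {
    local file="$1" expected="$2" actual
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "checksum mismatch for $file: expected $expected got $actual" >&2
    return 1
}

# Fetch URL to DEST with certificate verification left ON, explain any wget
# failure, then verify the checksum. Removes DEST on any failure.
# Usage: fetch_verified URL DEST EXPECTED_SHA256
fetch_verified() {
    local url="$1" dest="$2" expected="$3" rc log
    log=$(mktemp)
    wget -O "$dest" "$url" >"$log" 2>&1        # note: no --no-check-certificate
    rc=$?
    if [ "$rc" -ne 0 ]; then
        echo "Error: download failed: $(wget_rc_explain "$rc")" >&2
        tail -n 5 "$log" >&2                    # HTTP status / TLS error lives here
        rm -f "$log" "$dest"
        return "$rc"
    fi
    rm -f "$log"
    verify_sha256 "$dest" "$expected" || { rm -f "$dest"; return 1; }
}
```

With this in place the failure seen in the thread would be reported as "server issued an error response" (exit code 8) together with the last lines of wget's log, which carry the HTTP status the server returned for the CentOS6_64 URL, instead of a bare "Unable to download openssl".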
revanth1226
Posts: 11
Joined: Sat Sep 13, 2014 3:07 am

How to Upgrade openssl to OpenSSL 1.0.1h in zimbra 8.0.3

Postby revanth1226 » Tue Oct 28, 2014 6:27 pm

Hi Sebas,



I have done as you said, re-downloaded the script and added -x, and I got the output below:



[root@zim01 tmp]# ./zmopenssl-updater.sh
++ whoami
+ '[' xroot '!=' xroot ']'
+ SSL[0]=1.0.1d
+ SSL[1]=1.0.1e
+ SSL[2]=1.0.1e
+ SSL[3]=1.0.1e
+ SSL[4]=1.0.1f
++ su - zimbra -c 'zmcontrol -v'
+ VERSION='Release 8.0.3_GA_5664.RHEL6_64_20130305090204 CentOS6_64 FOSS edition.'
+ [[ Release 8.0.3_GA_5664.RHEL6_64_20130305090204 CentOS6_64 FOSS edition. == *ZCA* ]]
++ cut '-d ' -f2
++ echo Release 8.0.3_GA_5664.RHEL6_64_20130305090204 CentOS6_64 FOSS edition.
+ VERSION=8.0.3_GA_5664.RHEL6_64_20130305090204
++ echo 8.0.3_GA_5664.RHEL6_64_20130305090204
++ sed 's/_.*//'
+ VERSION=8.0.3
++ echo 8.0.3
++ cut -d. -f1
+ MAJOR=8
++ echo 8.0.3
++ cut -d. -f2
+ MINOR=0
++ echo 8.0.3
++ cut -d. -f3
+ PATCH=3
+ '[' 8 -ne 8 ']'
+ '[' 0 -ne 0 ']'
+ '[' 3 -lt 3 ']'
++ expr 3 - 3
+ ARPATCH=0
+ SSL_VERSION=1.0.1d
+ '[' '!' -d /opt/zimbra/openssl-1.0.1d ']'
++ which egrep
+ EGREP=/bin/egrep
+ '[' x/bin/egrep = x ']'
+ /bin/egrep 'OpenSSL 1.0.1h' /opt/zimbra/openssl-1.0.1d/lib/libssl.so.1.0.0
+ RC=1
+ '[' 1 -eq 0 ']'
++ /bin/sh /opt/zimbra/libexec/get_plat_tag.sh
+ PLAT=CentOS6_64
+ cd /tmp
+ '[' -d openssl/CentOS6_64 ']'
+ rm -rf openssl/CentOS6_64
+ mkdir -p openssl/CentOS6_64
+ cd openssl/CentOS6_64
++ which wget
+ WGET=/usr/bin/wget
+ '[' x/usr/bin/wget = x ']'
++ which md5sum
+ MD5SUM=/usr/bin/md5sum
+ '[' x/usr/bin/md5sum = x ']'
+ echo 'Downloading patched openssl'
Downloading patched openssl
+ wget --no-check-certificate https://files.zimbra.com/downloads/8.0.3_GA/openssl/CentOS6_64/openssl-1.0.1d.tgz
+ RC=8
+ '[' 8 -ne 0 ']'
+ echo 'Error: Unable to download openssl'
Error: Unable to download openssl
+ exit 1
metux
Advanced member
Posts: 146
Joined: Mon Jul 28, 2014 6:21 pm

How to Upgrade openssl to OpenSSL 1.0.1h in zimbra 8.0.3

Postby metux » Tue Oct 28, 2014 6:59 pm

[quote]

The --no-check-certificate does not "EXPLICITLY SWITCH OFF TRANSPORT SECURITY"...it just allows the communication to proceed even when handshake fails

[/quote]



Which _EXACTLY_ means NO SECURITY: at this point anybody in the middle can send his own cert and has thereby taken over the encrypted channel.



[quote]

it does even has a MD5 checksum verification

[/quote]



This doesn't add any security whatsoever, just protects against accidental file transfer errors.



[quote]

due to an error/mismatch or something wierd about the site and the certificate it presents.

[/quote]



It's a server misconfiguration; get yourself a competent operator. Your current one is obviously overburdened with that job.



[quote]

I'm not a security expert so could you please explain me how this is a security risk?

[/quote]



Pretty trivial:



The session key handshake is encrypted with the server's pubkey/privkey (the pubkey is found in the cert). As the server's pubkey usually isn't known on the client side, it's signed by a CA (the signature is also in the cert).



If the cert cannot be verified, anybody in the middle can replace it with his own and so pretend to be the real server and serve anything he likes. In your case, that fake server would send a patched libssl.so binary which contains certain backdoors to compromise the target machine.



Voila! Dozens of Zimbra instances, running in high-profile large organisations, easily taken over, with full access to their mail traffic.



[quote]

I'll appreciate any help because as I said, I'm not a security expert and it would be very helpful for me to understand why you see this as such a critical thing.

[/quote]



Oh, that's really new for your company: your devs usually reject all contributions and just spend their time giving silly excuses for doing dumb things. One of the dumb things is bundling its own OpenSSL instance in the first place; just use the one already provided by the distros, they'll cope with security issues, and they're pretty fast with that. But your devs answer such advice with silly rants against the distros.



[quote]

In any case and trying to give revanth1226 more help, as I see in the script the error you mention is the response of getting the wrong exit status from this command.

[/quote]



Maybe the version parsing fails somewhere, or some file is missing on the server. Redirecting all wget output to /dev/null is really counter-productive here.



@revanth1226: can you post your `zmcontrol -v` output?



The whole script looks like it was written by a 1st-grader (at least my code looked like this back when I was that age). Hard to read, not robust, no diagnostics, ... it would be okay for a hobbyist who's just doing his first programming experiments, but it is not acceptable from a paid software developer.



Actually, the whole approach of replacing single files with such scripts is a totally dumb idea in the first place. The correct way is simply to do a fresh rebuild and publish the new packages in a proper (signed!) repo.



I tried discussing that with your devs, but it turned out to be a waste of my precious time.
revanth1226
Posts: 11
Joined: Sat Sep 13, 2014 3:07 am

How to Upgrade openssl to OpenSSL 1.0.1h in zimbra 8.0.3

Postby revanth1226 » Tue Oct 28, 2014 7:15 pm

Hi,



zmcontrol -v
Release 8.0.3_GA_5664.RHEL6_64_20130305090204 CentOS6_64 FOSS edition.



Is there any way to manually upgrade OpenSSL, since the script is not working for me?



Would the steps below be of any help, without affecting Zimbra services?



update system to latest openssl with yum update openssl
cd /opt/zimbra/openssl/lib
unlink libssl.so
mv libssl.so.1.0.0 orig.libssl.so.1.0.0
ln -sf /usr/lib64/libssl.so.1.0.1e ./libssl.so.1.0.0
ln -sf /usr/lib64/libssl.so.1.0.1e ./libssl.so
service zimbra restart





Waiting for your valuable suggestions.



Regards,

Revanth.
pup_seba
Outstanding Member
Posts: 687
Joined: Sat Sep 13, 2014 2:43 am
Location: Tarragona - Spain

How to Upgrade openssl to OpenSSL 1.0.1h in zimbra 8.0.3

Postby pup_seba » Wed Oct 29, 2014 3:40 am

Hi,



An easy way to work around this (please try it first in a lab environment) is to manually change the $PLAT variable to RHEL6_64. Just find this line in the script:



PLAT=`/bin/sh /opt/zimbra/libexec/get_plat_tag.sh`



and change it to:



PLAT=RHEL6_64



Please, try this in a lab environment. For some reason the URL with CentOS in it is not working (just test it using a regular web browser). Maybe someone at Zimbra could have a look into that... I'm guessing that all the people with that distro/version combination should be getting this error.
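As an added example (not the project's script and not code from any poster), the derivation the updater performs, rewritten as standalone functions that take explicit inputs, so the platform tag can be substituted (RHEL6_64 instead of CentOS6_64, as suggested above) and the resulting URL inspected in a browser before anything is run on the mail server. The version parsing, patch-level-to-OpenSSL mapping and URL layout are the ones visible in the -x trace earlier in the thread; the function names are assumptions.

```shell
#!/bin/sh
# Added example, not Zimbra's zmopenssl-updater.sh. Reproduces the script's
# version parsing, SSL[] lookup and URL construction as functions with
# explicit parameters (function names are assumptions for illustration).

# "Release 8.0.3_GA_5664.RHEL6_64_20130305090204 CentOS6_64 FOSS edition." -> 8.0.3
# Prints nothing and returns 1 if the input is not a "Release x.y.z_..." line.
parse_zimbra_version() {
    ver=$(printf '%s\n' "$1" \
        | sed -n 's/^Release \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\)_.*/\1/p')
    [ -n "$ver" ] || return 1
    printf '%s\n' "$ver"
}

# Patch level -> bundled OpenSSL version, as in the script's SSL[] array
# (index PATCH - 3, seen in the trace). Unknown patch levels return 1.
ssl_for_patch() {
    case "$1" in
        3) echo 1.0.1d ;;
        4|5|6) echo 1.0.1e ;;
        7) echo 1.0.1f ;;
        *) return 1 ;;
    esac
}

# Build the tarball URL the script would fetch. PLAT is explicit so RHEL6_64
# can be passed instead of whatever get_plat_tag.sh reports. Only 8.0.x is
# handled, like the script itself.
# Usage: build_openssl_url VERSION PLAT
build_openssl_url() {
    ver=$1; plat=$2
    major=${ver%%.*}; rest=${ver#*.}; minor=${rest%%.*}; patch=${rest#*.}
    [ "$major" = 8 ] && [ "$minor" = 0 ] || return 1
    ssl=$(ssl_for_patch "$patch") || return 1
    printf 'https://files.zimbra.com/downloads/8.0.%s_GA/openssl/%s/openssl-%s.tgz\n' \
        "$patch" "$plat" "$ssl"
}

# Example on the release line from the thread (pass RHEL6_64 to apply the
# workaround from this post):
#   v=$(parse_zimbra_version "$(su - zimbra -c 'zmcontrol -v')")
#   build_openssl_url "$v" RHEL6_64
```

Running the two functions by hand with CentOS6_64 and then RHEL6_64 gives the two candidate URLs, which can be opened in a browser to confirm which one the server actually serves before the script is edited.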
