Mac OS X and the OpenSSL Heartbleed vulnerability

Last update:

The OpenSSL Heartbleed vulnerability

A serious vulnerability has been discovered in OpenSSL: Heartbleed (CVE-2014-0160), named after the TLS heartbeat extension, whose missing bounds check lets a peer read up to 64 KB of the process's memory per heartbeat request. Affected are all OpenSSL installations in versions 1.0.1 through 1.0.1f (inclusive). The older 0.9.8 and 1.0.0 branches never implemented the heartbeat extension and are not affected. The bug has been fixed in 1.0.1g.

Here’s a summary of the vulnerability:

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users.

We have tested some of our own services from attacker’s perspective. We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication.

Update OpenSSL on both servers and clients as soon as possible. Upgrading alone does not undo an exploitation that already happened: a server's private key may have leaked, so after patching, generate a new key, reissue the certificate and revoke the old one, and rotate passwords and session secrets that passed through the vulnerable process.

Updating the OpenSSL libs on Mac OS X

I can confirm that the default system installation of OpenSSL is outdated on OSX Mavericks (10.9.2) and therefore safe against Heartbleed:

$ openssl version -a
OpenSSL 0.9.8y 5 Feb 2013
built on: Aug 24 2013
platform: darwin64-x86_64-llvm
options:  bn(64,64) md2(int) rc4(ptr,char) des(idx,cisc,16,int)
blowfish(ptr2)
compiler: -arch x86_64 -fmessage-length=0 -pipe -Wno-trigraphs
-fpascal-strings -fasm-blocks -O3 -D_REENTRANT -DDSO_DLFCN
-DHAVE_DLFCN_H -DL_ENDIAN -DMD32_REG_T=int -DOPENSSL_NO_IDEA
-DOPENSSL_PIC -DOPENSSL_THREADS -DZLIB -mmacosx-version-min=10.6
OPENSSLDIR: "/System/Library/OpenSSL"

$ which openssl
/usr/bin/openssl

Additional OpenSSL installations might have come in through secondary package managers, such as Homebrew and MacPorts. I had vulnerable versions installed via Homebrew:

$ ls /usr/local/Cellar/openssl/
1.0.1e
1.0.1f

Both versions are vulnerable.

Homebrew provides its own OpenSSL formula so that applications that need a newer version can link against it instead of the outdated system version. But Homebrew won't symlink that version into /usr/local/bin or /usr/local/lib, to avoid shadowing the default system installation and breaking non-Homebrew applications that depend on it. In Homebrew parlance that's called a keg-only formula: /usr/bin/openssl stays at the system's 0.9.8, and only software explicitly built against the Homebrew keg uses the newer library.

Here’s how to update the Homebrew installation of OpenSSL and remove the vulnerable versions:

# Make sure you got the latest formulas
$ brew update

# Upgrade to latest version of openssl
# should be >= 1.0.1g
$ brew upgrade openssl

# Remove previous versions
# (--force to remove keg-only brews as well)
$ brew cleanup --force openssl

# Verify that only the safe version remains
$ ls /usr/local/Cellar/openssl/
1.0.1g

(Thanks to @ReinaldoJunior for these cleaner commands)

For MacPorts the following command updates to a fixed version of OpenSSL (run sudo port selfupdate first, so that the port tree actually knows about the fixed version). Beware that this command will try to update all your outdated ports, which might not be what you want; naming the port instead (sudo port upgrade openssl) limits the upgrade to OpenSSL and its dependencies. I cannot help further since I don’t use MacPorts myself.

$ sudo port upgrade outdated

Restart vulnerable applications

Don’t forget to restart daemons and long-running applications that use OpenSSL so they pick up the new version of the libs: a running process keeps the vulnerable library mapped in memory until it is restarted, even after the file on disk has been replaced or deleted. Alternatively you could also reboot the machine. Here’s how you can check which currently running processes have the OpenSSL libs mapped (the NAME column tells you which installation each process loaded):

$ sudo lsof -n | grep -i ssl

I’m assuming that applications statically linked against a vulnerable version of the OpenSSL libs are vulnerable as well and must be recompiled. Unfortunately I don’t know of an easy way to identify these apps. Look through /usr/local/Cellar and recompile the apps you think might statically link against OpenSSL.
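As an added example (not code from the original post), the following POSIX shell script pulls the checks of this post together: it classifies the banner printed by openssl version against the affected range, runs every openssl binary in the usual system, Homebrew and MacPorts locations, reduces lsof output to the processes that still have a libssl mapped, and walks a directory such as /usr/local/Cellar for executables that embed an OpenSSL version banner, which is the simplest heuristic for a statically linked copy. The search paths and the use of otool to tell dynamic from static linkage are my assumptions; the 1.0.2-beta1 entry comes from the OpenSSL advisory, which this post does not mention.

```sh
#!/bin/sh
# Added example, not code from the original post: a small Heartbleed audit
# for a Mac. The functions can also be sourced and used individually.

# Exit 0 when a bare OpenSSL version ($1, e.g. 1.0.1f) is affected.
# Affected: 1.0.1 through 1.0.1f, and 1.0.2-beta1 (per the OpenSSL
# advisory). Not affected: 0.9.8, 1.0.0, 1.0.1g and later.
heartbleed_vulnerable() {
    case "$1" in
        1.0.1|1.0.1[a-f]|1.0.2-beta1) return 0 ;;
        *) return 1 ;;
    esac
}

# Map a full "openssl version" banner to vulnerable / safe / unknown.
heartbleed_status() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([^ ]*\).*/\1/p')
    if [ -z "$ver" ]; then
        echo unknown            # not an OpenSSL banner at all (e.g. LibreSSL)
    elif heartbleed_vulnerable "$ver"; then
        echo vulnerable
    else
        echo safe
    fi
}

# Run every openssl binary in the usual places (assumed default paths for
# the system, Homebrew and MacPorts) and print path, banner and verdict.
report_installed() {
    for bin in /usr/bin/openssl /usr/local/bin/openssl /opt/local/bin/openssl \
               /usr/local/Cellar/openssl/*/bin/openssl; do
        [ -x "$bin" ] || continue
        banner=$("$bin" version 2>/dev/null) || continue
        printf '%-45s %-32s %s\n' "$bin" "$banner" "$(heartbleed_status "$banner")"
    done
}

# Reduce the text of `lsof -n` ($1) to "PID COMMAND PATH" for each mapped
# libssl, so you know which processes to restart and which copy they loaded.
processes_using_libssl() {
    printf '%s\n' "$1" | awk '$NF ~ /libssl/ { print $2, $1, $NF }' | sort -u
}

# Print the first OpenSSL banner embedded in a file ("OpenSSL 1.0.1f"), or
# nothing. A program that embeds this banner but loads no libssl.dylib has
# almost certainly linked OpenSSL statically.
embedded_openssl_version() {
    grep -a -o 'OpenSSL [01]\.[0-9]\.[0-9][-a-z0-9]*' "$1" 2>/dev/null | head -n 1
}

# Walk a tree; for each executable that embeds an OpenSSL banner print
# "path<TAB>version<TAB>linkage<TAB>verdict". Linkage is decided with
# otool on macOS and reported as "unknown" elsewhere.
scan_tree() {
    find "$1" -type f -perm -u+x 2>/dev/null | while read -r f; do
        banner=$(embedded_openssl_version "$f")
        [ -n "$banner" ] || continue
        v=${banner#OpenSSL }
        link=unknown
        if command -v otool >/dev/null 2>&1; then
            if otool -L "$f" 2>/dev/null | grep -q libssl; then
                link=dynamic    # the library itself, or a program loading it
            else
                link=static     # banner present, no libssl dependency
            fi
        fi
        verdict=safe
        heartbleed_vulnerable "$v" && verdict=vulnerable
        printf '%s\t%s\t%s\t%s\n' "$f" "$v" "$link" "$verdict"
    done
}

# Stand-alone use: with no argument, report the installed binaries only;
# with a directory argument, also list live processes (run with sudo to see
# other users' processes) and scan that directory.
report_installed
if [ $# -ge 1 ]; then
    if command -v lsof >/dev/null 2>&1; then
        processes_using_libssl "$(lsof -n 2>/dev/null)"
    fi
    scan_tree "$1"
fi
```

Run it as sh heartbleed-audit.sh to see the installed binaries, or sudo sh heartbleed-audit.sh /usr/local/Cellar to also list live processes and scan the Cellar. A file reported as static and vulnerable must be rebuilt against a fixed OpenSSL; a dynamic one is either the library itself or a program that only needs a restart once the library it loads has been upgraded. The banner grep is a heuristic: a program that merely mentions an OpenSSL version in a help text will show up too, so confirm hits with otool -L before recompiling.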

