Fixing Heartbleed with CFEngine 3.5.x and above

Posted by Mahesh Kumar
April 11, 2014

A couple of days ago we informed you of the status of the CFEngine products and services with respect to Heartbleed. Today we would like to share with you some instructions and policies that you can use to check your systems for vulnerable versions of OpenSSL, and if needed upgrade it to its latest version. If you already have CFEngine deployed, adding this policy and deploying it to your systems takes only a few minutes, after which CFEngine will take care of performing the necessary checks and updates on your systems, whether you have a few or tens of thousands. If you are not using CFEngine yet, you can still use these policies to check it out, and run the fix by hand on your systems. These policies work for Ubuntu and RedHat-based systems (including CentOS). See below for some hints about how to customize it for other operating systems.

  1. Make sure you have CFEngine installed and running on the systems where you want to run the fix. This policy has been tested with CFEngine 3.5.3, our latest stable release.

  2. Download and unpack the files. You should get two files: fix_heartbleed.cf and fix_heartbleed_standalone.cf. The first file contains the code that performs the checks and fixes, and the second one is a standalone policy file that loads and executes the first, and which you can run from the command line if you don’t want to integrate the checks into your regular policy run.

  3. Review fix_heartbleed.cf. The file works out of the box on Ubuntu 10.04/12.04/13.10 and RedHat/CentOS 6.4, but you should review it anyway. In particular, you need to update the list of services you want to restart after updating OpenSSL. By default only Apache is restarted if it was running already.

  4. If you want to run the policy by hand, either for testing before you deploy it, or for running only once on a system, run the following command:

    cf-agent -f ./fix_heartbleed_standalone.cf -Dverbose
    

    The -Dverbose option makes the policy print some messages to let you know what is happening. For example, on an Ubuntu 12.04 installation in which Apache was running, you should see something like this:

          notice: R: Found OpenSSL 1.0.1-4ubuntu5.5: VULNERABLE TO HEARTBLEED
          notice: R: Updated package 'openssl' to latest version
          notice: R: Updated package 'libssl1.0.0' to latest version

    Please note that this policy will only update OpenSSL if it detects a vulnerable version. If you have an older version of OpenSSL (e.g. 0.9.8k which comes with Ubuntu 10.04), it will be detected as not vulnerable and no update will be done.

  5. If you want to deploy the policy to your entire CFEngine infrastructure, you need to integrate it into your promises.cf file. On your CFEngine policy server, follow these steps:

    1. Copy fix_heartbleed.cf to /var/cfengine/masterfiles/ (you do not need the standalone file in this case).

    2. In your promises.cf file, add the following lines to the bundlesequence and inputs attributes in body common control:

                bundlesequence => {
                    ...
                    "fix_heartbleed",
                };

                inputs => {
                    ...
                    "fix_heartbleed.cf",
                };

    3. Validate the syntax of your promises.cf file using the cf-promises command:

      cf-promises -f /var/cfengine/masterfiles/promises.cf
      

      Fix any errors shown.

    4. The updated files will be distributed to your existing clients. After a few minutes, you will see the policy files being distributed and any vulnerable clients will start to be fixed.
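The version check that step 4 reports on, written out as a standalone POSIX sh script. This is an added example, not the fix_heartbleed.cf policy or any other CFEngine code: it classifies an OpenSSL package version by the upstream range affected by CVE-2014-0160 (1.0.1 through 1.0.1f and 1.0.2-beta1), and optionally against the vendor's first fixed package revision, because Ubuntu and Red Hat backport the fix without changing the upstream version. The package names libssl1.0.0 and openssl, and the assumption that the policy classifies by version string the way its output suggests, are mine; the fixed revision is an input you take from your vendor's advisory.

```shell
#!/bin/sh
# Added example, not the fix_heartbleed.cf policy from the post: a standalone
# check that classifies an OpenSSL package version the way the policy's
# "VULNERABLE TO HEARTBLEED" report does, usable by hand or from a CFEngine
# classes promise. Package names and the classification rule are assumptions.
#
# Affected upstream releases (CVE-2014-0160): 1.0.1 through 1.0.1f and
# 1.0.2-beta1. Not affected: 1.0.1g and later, 1.0.2-beta2 and later, and
# the 1.0.0 and 0.9.8 branches (hence 0.9.8k on Ubuntu 10.04 is reported
# as not vulnerable, as the post notes).
#
# Caveat: distributions backport the fix and only bump the package
# revision, so an upstream-only check reports an already patched package
# as vulnerable. Pass the first fixed package version from your vendor's
# advisory as the second argument to take the revision into account.

# Reduce a package version to its upstream OpenSSL version:
#   1.0.1-4ubuntu5.5  -> 1.0.1        (Debian/Ubuntu revision dropped)
#   1.0.1e-16.el6_5.4 -> 1.0.1e       (RPM release dropped)
#   1.0.2-beta1       -> 1.0.2-beta1  (kept: a revision starts with a digit)
upstream_version() {
    printf '%s\n' "$1" | sed -e 's/^[0-9]*://' -e 's/-[0-9].*$//'
}

# Print vulnerable, not-vulnerable or unknown from the upstream version alone.
heartbleed_upstream_status() {
    case "$(upstream_version "$1")" in
        1.0.1|1.0.1[a-f]|1.0.2-beta1)             echo vulnerable ;;
        1.0.1[g-z]*|1.0.2*|1.0.0*|0.9*|1.[1-9]*)  echo not-vulnerable ;;
        *)                                         echo unknown ;;
    esac
}

# Compare two package versions token by token (digit runs numerically,
# other runs lexically) and print -1, 0 or 1. Enough for revisions such as
# 4ubuntu5.5 vs 4ubuntu5.12 or 16.el6_5.4 vs 16.el6_5.7; it is not a full
# dpkg/rpm comparison (no epoch or tilde rules).
version_cmp() {
    awk -v a="$1" -v b="$2" '
    function tok(s, arr,   n) {
        n = 0
        while (s != "") {
            if (match(s, /^[0-9]+/)) { arr[++n] = substr(s, 1, RLENGTH) }
            else { match(s, /^[^0-9]+/); arr[++n] = substr(s, 1, RLENGTH) }
            s = substr(s, RLENGTH + 1)
        }
        return n
    }
    BEGIN {
        na = tok(a, ta); nb = tok(b, tb)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? ta[i] : ""; y = (i <= nb) ? tb[i] : ""
            if (x == y) { continue }
            if (x ~ /^[0-9]+$/ && y ~ /^[0-9]+$/) { r = (x + 0 < y + 0) ? -1 : 1 }
            else { r = (x < y) ? -1 : 1 }
            print r; exit
        }
        print 0
    }'
}

# Package-level verdict. $1 is the installed package version; $2, when given,
# is the first package version carrying the vendor's backported fix. Anything
# at or above $2 is clean; otherwise fall back to the upstream rule.
heartbleed_package_status() {
    if [ -n "${2:-}" ] && [ "$(version_cmp "$1" "$2")" -ge 0 ]; then
        echo not-vulnerable
    else
        heartbleed_upstream_status "$1"
    fi
}

# Installed version of the OpenSSL library package (Debian or RPM style).
# Package names are assumptions: libssl1.0.0 on Ubuntu 12.04/13.10, openssl
# on RedHat/CentOS; Ubuntu 10.04 ships libssl0.9.8 instead.
installed_openssl_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f '${Version}' libssl1.0.0 2>/dev/null
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}-%{RELEASE}\n' openssl 2>/dev/null | head -n 1
    fi
}

# Usage: heartbleed_check.sh VERSION|- [FIXED_VERSION]
# "-" checks the installed package. Exit status: 0 not vulnerable,
# 1 vulnerable, 2 unknown or undetermined.
main() {
    v=$1
    [ "$v" = "-" ] && v=$(installed_openssl_version)
    [ -n "$v" ] || { echo "could not determine OpenSSL package version" >&2; return 2; }
    s=$(heartbleed_package_status "$v" "${2:-}")
    echo "OpenSSL $v: $s"
    case "$s" in vulnerable) return 1 ;; unknown) return 2 ;; *) return 0 ;; esac
}
if [ $# -gt 0 ]; then main "$@"; fi
```

Run `sh heartbleed_check.sh -` to report on the installed package, or pass a version string to classify it. On Ubuntu 12.04, `sh heartbleed_check.sh - 1.0.1-4ubuntu5.12` also honours the backported fix (that is the package version Ubuntu published in USN-2165-1; for RedHat/CentOS take the value from RHSA-2014:0376). The exit status is 0 only when the package is not vulnerable, so a CFEngine classes promise defined with returnszero() on this script yields a "not vulnerable" class that the rest of a policy can key on.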

Please note: this policy only helps with upgrading OpenSSL to a non-vulnerable version. To fully recover from the potential effects of the bug, you may need to take additional measures depending on your setup and systems, such as regenerating SSL certificates and keys, and changing (or asking your users to change) relevant passwords. For more information please visit http://heartbleed.com/.

If you want to customize this policy for other operating systems, you can follow the same patterns already in the policy. Look for the OS-specific sections by searching for ubuntu and redhat in the policy code, and add similar constructs with the corresponding information for the new operating systems.

We hope you find these instructions useful, both as a guide to fixing Heartbleed and as an example of how you can use the power of CFEngine to maintain your infrastructure. Once you perform the steps above, your entire infrastructure will be updated! Whether you have 5 or 50,000 machines under CFEngine control, all of them will be updated accordingly.

We will continue to monitor any developments around Heartbleed or any other security issues and continue to provide you with appropriate information, instructions or guidance. In the meantime, if you have any questions or feedback, please email us at security@cfengine.com.

heartbleed_fix.tar (16.5 KiB)