Don’t let DROWN get you down

March 1, 2016 by Bill Nottingham


If you’re maintaining services on the internet, you know the importance of keeping up to date with security patches as they become available. Today is no exception, with the release of CVE-2016-0800, describing the ‘DROWN’ vulnerability in OpenSSL.

The key points of DROWN are that it allows passive decryption of encrypted traffic via weaknesses in the obsolete SSLv2 protocol. Merely leaving SSLv2 enabled for one service can compromise the traffic of other services that share the same key, even if they aren’t using SSLv2 themselves. More information can be found at http://www.drownattack.com/.

The Red Hat specific announcement can be found in the Red Hat Knowledgebase.

Obviously, this is a big deal, but patching your systems for DROWN doesn’t have to be a big deal, thanks to Ansible.

Here’s a sample playbook for Red Hat/Fedora/CentOS and Debian/Ubuntu systems (link to source):

- hosts: all
  gather_facts: true
  become: true          # written as 'sudo: true' in Ansible 1.x; 'become' is the current keyword
  tasks:
    - name: update openssl from apt if available
      apt: name=openssl state=latest update_cache=yes
      when: ansible_os_family == 'Debian'
      notify: restart_system

    - name: update openssl from yum if available
      yum: name=openssl state=latest update_cache=yes
      when: ansible_os_family == 'RedHat'
      notify: restart_system

  handlers:
    # fire-and-forget reboot: async/poll let the task return before the host goes down
    - name: restart_system
      shell: sleep 2 && shutdown -r now "Ansible updates triggered"
      async: 1
      poll: 0
      ignore_errors: true

As the DROWN vulnerability is not fully patched until every affected service is restarted against the updated OpenSSL package, the playbook has a `restart_system` handler that reboots the host. You can restart individual services instead if you know which processes on the host link against OpenSSL.

Note that this version merely installs the latest version of OpenSSL from your vendor. If you know the versions that are vulnerable for your OS, or the versions where the fix has been applied, you can create a playbook that tests whether you have a fixed version. Here’s an example for Red Hat Enterprise Linux systems. (Note: if you’re on a particular EUS or ELS subscription, you may need to adjust the version check. Check the Red Hat Knowledgebase for details.) (link to source):

- hosts: all
  gather_facts: true
  become: true          # written as 'sudo: true' in Ansible 1.x; 'become' is the current keyword
  vars:
    # version-release of openssl-libs at or below which the host is still vulnerable,
    # keyed by RHEL major version
    vulnerable_releases:
      '5': '0.9.8e-37.el5_11'
      '6': '1.0.1e-42.el6_7.2'
      '7': '1.0.1e-51.el7_2.2'

  tasks:
    - name: check for openssl version
      shell: rpm -q --qf "%{VERSION}-%{RELEASE}" openssl-libs.{{ ansible_architecture }}
      register: openssl_version

    - name: check for vulnerable versions
      debug: msg="OpenSSL version {{ openssl_version.stdout }} is vulnerable."
      # version_compare is the Ansible 1.9/2.0 filter name; newer releases call it 'version'
      when: openssl_version.stdout|version_compare(vulnerable_releases[ansible_distribution_major_version], '<=')
      register: is_vuln

    - name: update openssl from yum if vulnerable
      yum: name=openssl-libs state=latest update_cache=yes
      # the debug task above is skipped only when the host is not vulnerable
      when: not is_vuln|skipped
      notify: restart_system
      register: installed

    - name: check for openssl version
      shell: rpm -q --qf "%{VERSION}-%{RELEASE}" openssl-libs.{{ ansible_architecture }}
      register: openssl_version
      when: not is_vuln|skipped

    - name: check that we are no longer vulnerable
      debug: msg="OpenSSL version {{ openssl_version.stdout }} is still vulnerable!"
      when: not is_vuln|skipped
      # fail the play if the update did not move us past the fixed release
      failed_when: openssl_version.stdout|version_compare(vulnerable_releases[ansible_distribution_major_version], '<=')

  handlers:
    # fire-and-forget reboot: async/poll let the task return before the host goes down
    - name: restart_system
      shell: sleep 2 && shutdown -r now "Ansible updates triggered"
      async: 1
      poll: 0
      ignore_errors: true


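The version check above compares the `rpm -q` output with Ansible’s generic `version_compare` filter, which does not implement rpm’s own ordering (for instance, rpm sorts a `~` pre-release segment below the plain base version, and a numeric segment above an alphabetic one). As an added example that is not part of the original post, the following standalone Python script applies the same thresholds from the playbook to the same `rpm -q --qf "%{VERSION}-%{RELEASE}" openssl-libs.<arch>` output, but orders versions with a port of rpm’s `rpmvercmp()` algorithm so the decision matches what yum and rpm would make. The `assess` and `evr_cmp` functions and the sample outputs are constructed for this example; the thresholds are the ones the playbook states.

```python
"""Check an installed RHEL openssl-libs version against the DROWN fix thresholds.

Ordering follows rpm's rpmvercmp(): alternating numeric/alphabetic segments,
'~' sorting before everything (pre-release), '^' sorting after the base
version but before any further segment.  Not part of the original post.
"""

# Thresholds taken from the playbook: version-release of openssl-libs at or
# below which the host is still vulnerable, keyed by RHEL major version.
VULNERABLE_RELEASES = {
    "5": "0.9.8e-37.el5_11",
    "6": "1.0.1e-42.el6_7.2",
    "7": "1.0.1e-51.el7_2.2",
}


def rpmvercmp(a, b):
    """Return -1, 0 or 1 as rpm's rpmvercmp() would for version strings a and b."""
    if a == b:
        return 0
    i = j = 0
    la, lb = len(a), len(b)
    while i < la or j < lb:
        # Skip separator characters (anything that is not alnum, '~' or '^').
        while i < la and not (a[i].isalnum() or a[i] in "~^"):
            i += 1
        while j < lb and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        ca = a[i] if i < la else ""
        cb = b[j] if j < lb else ""
        # Tilde sorts before everything, including the end of the string.
        if ca == "~" or cb == "~":
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        # Caret sorts before everything except the end of the string.
        if ca == "^" or cb == "^":
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):
            break
        # Grab a wholly numeric or wholly alphabetic segment from each side.
        isnum = ca.isdigit()
        pred = str.isdigit if isnum else str.isalpha
        ei = i
        while ei < la and pred(a[ei]):
            ei += 1
        ej = j
        while ej < lb and pred(b[ej]):
            ej += 1
        sa, sb = a[i:ei], b[j:ej]
        if not sb:  # segment types differ: numeric always beats alphabetic
            return 1 if isnum else -1
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):  # more digits wins
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
        i, j = ei, ej
    if i >= la and j >= lb:
        return 0
    return -1 if i >= la else 1  # whichever side has characters left wins


def evr_cmp(a, b):
    """Compare two 'VERSION-RELEASE' strings: version first, then release."""
    va, _, ra = a.partition("-")
    vb, _, rb = b.partition("-")
    rc = rpmvercmp(va, vb)
    return rc if rc else rpmvercmp(ra, rb)


def assess(major, rpm_stdout):
    """Classify rpm -q output for a host of the given RHEL major version.

    Returns 'vulnerable', 'patched' or 'not-installed'.
    """
    out = rpm_stdout.strip()
    if not out or "is not installed" in out:  # rpm's message for a missing package
        return "not-installed"
    if major not in VULNERABLE_RELEASES:
        raise ValueError("no DROWN threshold known for RHEL %s" % major)
    return "vulnerable" if evr_cmp(out, VULNERABLE_RELEASES[major]) <= 0 else "patched"


if __name__ == "__main__":
    # Constructed sample outputs, not captured from real hosts.
    samples = [
        ("6", "1.0.1e-42.el6_7.2"),
        ("6", "1.0.1e-42.el6_7.10"),
        ("7", "1.0.1e-30.el7"),
        ("7", "1.0.1e-51.el7_2.4"),
        ("5", "package openssl-libs.x86_64 is not installed"),
    ]
    for major, out in samples:
        print("RHEL %s  %-45s -> %s" % (major, out, assess(major, out)))
```

Run it as-is to see the sample classifications, or feed it the stdout of the playbook’s `rpm -q` task per host. The `~`/`^` handling matters for hosts carrying pre-release or snapshot builds, and `evr_cmp` splits version from release at the first dash because rpm never allows a dash inside the version field.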
Note that if you have a Red Hat Satellite server in your environment, you’ll need to ensure that your nightly package sync has run and has the latest openssl packages.

Want to remediate DROWN, but haven’t used Ansible before? Getting started is easy.

Bill Nottingham

Bill Nottingham is the Director of Product at Ansible. He came to Ansible from Red Hat, where he spent 15+ years building and architecting Red Hat’s Linux products. His days are spent chatting with users and customers about Ansible and Tower. He can be found on twitter at @bill_nottingham, and occasionally doing a very poor impersonation of a soccer player.

