GnuTLS Bug Part 3: You Always Need to Patch New Cloud Servers

Or, more precisely, you have no way of knowing that you don't need one until you have checked this particular server carefully.

Last week and the week before I warned you about the GnuTLS bug. By now you must have all your in-house systems patched, right? Right?

Amazon Web Services' EC2 offers a vast array of public machine images: almost 25,000 separate ones in AWS's most popular (and most populated) US-East region alone. In Learning Tree's Cloud Security Essentials course we do two exercises to assess the security, both patch level and configuration, of AMIs (Amazon Machine Images) we are considering deploying.

The advice I give my clients is, first, to stick to a trusted source: an AMI that I have stored myself, one provided by a trusted third party, or one owned by Amazon itself. Second, choose from that set an image that you know is in pretty good shape to start with. Amazon-owned AMIs of Amazon Linux aren't going to offer perfect security, but they are very good starting points.

Very good starting points, but not perfect. Unless the image was built after early March 2014, or simply doesn't have the GnuTLS shared library installed at all, it is going to be susceptible to the GnuTLS bug.

So, patch those newly deployed cloud servers!

Here's how to verify that you need a patch, and then how to apply it. Amazon Linux uses the RPM/Yum package management system, but Ubuntu-derived images use dpkg/apt-get. I'll show the RPM syntax first; if the rpm command isn't found, try the Ubuntu version shown after it.

What version of GnuTLS do I have? I need to answer this without being exactly certain of the spelling or capitalization of the package name:

rpm:$ rpm -qa | grep -i gnutls

ubuntu:$ dpkg -l | grep -i gnutls

Update all installed packages with available upgrades. This will, of course, include GnuTLS if there is an upgrade available. It doesn’t really make sense to patch just some of your problems, go ahead and fix all of them at once. You will, of course, need to do this as root:

rpm:# yum upgrade

ubuntu:$ sudo apt-get update && sudo apt-get upgrade

Doing this does not necessarily make you safe! You might be running on an older distribution for which patches are no longer maintained, in which case yum or apt-get will cheerfully report that there is nothing to do. Also, an upgraded shared library only helps processes started after the upgrade: anything already running (your web server, your mail server, your VPN daemon) keeps the old libgnutls mapped in memory until it is restarted. So after you think you're patched, check the version again, confirm the fix actually landed in the package you have, and restart the affected services or simply reboot.
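The check described above, as an added example that is not part of the original post and not Amazon's or the GnuTLS project's tooling: a small POSIX shell script that (a) lists the installed GnuTLS packages and greps their changelog for the fix, (b) compares a self-built GnuTLS against the upstream fixed releases, and (c) finds processes that are still running the old library after an upgrade. The upstream fixed versions 3.1.22 and 3.2.12 and the identifier CVE-2014-0092 are those published with the March 2014 GnuTLS advisory; distribution packages normally backport the fix under an older version number, which is why the script checks the package changelog rather than trusting the version string for packaged copies. The function names, the `--live` switch and the sample `/proc/<pid>/maps` line used in the comments are my own assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): checks for the March 2014
# GnuTLS certificate-verification bug (CVE-2014-0092) after a patch run.
#
# Assumptions (labelled): upstream fixed releases are 3.1.22 and 3.2.12, per
# the GnuTLS advisory. Distro packages backport the fix under an old version
# number, so packaged copies are checked via the package changelog instead.
# Function names and the --live switch are illustrative, not a real tool.

# True (0) when dotted version $1 >= $2. A non-numeric suffix in a component
# ("23-12ubuntu2") is stripped so package-style version strings still compare.
vercmp_ge() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    if [ "$a" = "$x" ]; then a=''; else a=${a#*.}; fi
    if [ "$b" = "$y" ]; then b=''; else b=${b#*.}; fi
    x=${x%%[!0-9]*}; y=${y%%[!0-9]*}
    x=${x:-0}; y=${y:-0}
    [ "$x" -gt "$y" ] && return 0
    [ "$x" -lt "$y" ] && return 1
  done
  return 0
}

# For a self-built GnuTLS (version from `gnutls-cli --version`, for example):
#   0 = at or past the upstream fix for its branch
#   1 = vulnerable
#   2 = branch with no upstream fix release (2.x, 3.0.x): ask your vendor
gnutls_upstream_fixed() {
  case "$1" in
    3.1.*) vercmp_ge "$1" 3.1.22 ;;
    3.2.*) vercmp_ge "$1" 3.2.12 ;;
    3.*)   minor=${1#3.}; minor=${minor%%.*}
           [ "$minor" -ge 3 ] && return 0   # 3.3 and later began after the fix
           return 2 ;;
    *)     return 2 ;;
  esac
}

# Does a /proc/<pid>/maps file show a libgnutls mapping whose file on disk was
# replaced? The kernel appends " (deleted)" to the path of an unlinked file,
# which is exactly what a package upgrade of the .so leaves behind, e.g.
#   7f00-7f01 r-xp 00000000 08:01 1234 /usr/lib/libgnutls.so.26.22.6 (deleted)
maps_has_stale_gnutls() {
  grep -q 'libgnutls.*(deleted)' "$1" 2>/dev/null
}

# Print "<pid> <command line>" for every process still running the old library.
stale_gnutls_users() {
  for maps in /proc/[0-9]*/maps; do
    pid=${maps#/proc/}; pid=${pid%/maps}
    if maps_has_stale_gnutls "$maps"; then
      printf '%s %s\n' "$pid" "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
    fi
  done
}

# Packaged copies: list what is installed and look for the CVE in the changelog.
packaged_gnutls_status() {
  if command -v rpm >/dev/null 2>&1; then
    rpm -qa | grep -i gnutls
    rpm -q --changelog gnutls | grep -i 'CVE-2014-0092' \
      && echo "rpm changelog mentions the fix"
  elif command -v dpkg >/dev/null 2>&1; then
    dpkg -l | grep -i gnutls
    zcat /usr/share/doc/libgnutls*/changelog.Debian.gz 2>/dev/null \
      | grep -i 'CVE-2014-0092' && echo "deb changelog mentions the fix"
  else
    echo "no rpm or dpkg; check a self-built copy with gnutls_upstream_fixed" >&2
  fi
}

# Run the live checks only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--live" ]; then
  packaged_gnutls_status
  echo "processes still mapping a replaced libgnutls (restart these):"
  stale_gnutls_users
fi
```

Run it as root with `--live` on the freshly patched instance; an empty "restart these" list plus a changelog hit is the result you want. If the changelog has no mention of the fix and the version is below the upstream fixed release for its branch, the upgrade did not actually close the hole, which is the "older distribution, patches no longer maintained" case above.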

Once you start with a good template, like a recent Amazon Linux AMI, apply all the needed patches, and make all of the configuration changes you need to reach your baseline security profile, it only makes sense to store that system as an AMI of your own. Storing the snapshot behind it costs on the order of US$ 0.10 per GB per month. Then you have it handy to run "off the shelf".

Just make sure to carefully record what you did — starting AMI, patches, configuration changes — in your configuration management. A system that seems safe today may have a bunch of holes discovered tomorrow.

Bob Cromwell
