Persistent Heartbleed Vulnerability After OpenSSL Update on Ubuntu 12.04: Diagnosis and Resolution



Despite updating OpenSSL to version 1.0.1-4ubuntu5.12 and restarting services, your Ubuntu 12.04 server may still be vulnerable. Start by confirming which libssl the openssl binary itself loads:

# Check currently loaded OpenSSL version
ldd $(which openssl) | grep libssl

The vulnerability persists because:

  • Running processes keep the old library mapped in memory until they are restarted
  • Multiple OpenSSL installations might exist (packaged and locally built)
  • Services might be linking against a library path other than the updated package's

Use these commands to verify the actual running version:

# Check all OpenSSL files on system (quote the pattern so the shell does not expand it)
sudo find / -name 'libssl.so.*'
# Verify running processes
sudo lsof | grep libssl
# Check Apache's linked version
apache2ctl -V | grep -i openssl

Complete remediation requires:

# Full package reinstallation (apt-get has no "reinstall" command; use install --reinstall)
sudo apt-get install --reinstall openssl libssl1.0.0
# List every libssl copy on disk; anything outside the packaged /lib and /usr/lib paths is a stale or locally built copy
sudo updatedb && locate libssl.so
# Hard restart all services
sudo service apache2 stop
sudo killall -9 apache2
sudo service apache2 start

Python test script to confirm patching (a reply that is itself a heartbeat record is the only result counted as vulnerable; an alert, a closed connection or a timeout is counted as patched):

import socct

def check_heartbleed(host, port=443, timeout=5):
    # Malformed TLS heartbeat record: content type 0x18, version 3.2,
    # record length 3, type 1 (request), claimed payload length 0x4000
    hb = bytes([0x18, 0x03, 0x02, 0x00, 0x03, 0x01, 0x40, 0x00])
    s = socket.create_connection((host, port), timeout=timeout)
    try:
        s.sendall(hb)
        data = s.recv(1024)
    except (socket.timeout, ConnectionError):
        # No answer or connection reset: the heartbeat was not honoured
        return "PATCHED"
    finally:
        s.close()
    # Only a heartbeat record (0x18) in reply shows the request was honoured;
    # an alert record (0x15) or an empty read means it was rejected
    if data and data[0] == 0x18:
        return "VULNERABLE"
    return "PATCHED"

if __name__ == "__main__":
    print(check_heartbleed("localhost"))

After remediation, also:

  1. Verify package checksums match the Ubuntu security repository
  2. Confirm no processes are using old OpenSSL versions
  3. Test with multiple vulnerability scanners
  4. Check system logs for SSL-related errors

When running dpkg -l | grep openssl on Ubuntu 12.04, you might see version 1.0.1-4ubuntu5.12 which should be patched according to launchpad.net. However, vulnerability scanners like the ones at exploit-db.com and filippo.io still report your server as vulnerable. Here's what's happening under the hood.

Ubuntu's package update mechanism doesn't automatically restart all services using OpenSSL. While you've restarted Apache/Nginx, other services may still have the vulnerable version loaded in memory:

# Check running processes with old OpenSSL
lsof | grep libssl | grep DEL
# Sample output ("(deleted)" marks a mapped library file that the upgrade replaced on disk):
# nginx     1234   www-data  mem    REG  254,1  1234567 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
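The same "(deleted)" marker appears in /proc/<pid>/maps, so the check can be run without lsof. The following is an added example, not part of the original page: a small POSIX sh scanner that reports every process still mapping a replaced libssl or libcrypto, with a constructed sample of maps lines to show the output.

```shell
# Added example (not from the original page): find processes that still map a
# libssl/libcrypto file the package upgrade has replaced. The kernel tags such
# stale mappings "(deleted)" in /proc/<pid>/maps, the same marker lsof shows.

# Read lines of the form "<pid> <comm> <maps entry>" from stdin and print
# "<pid> <comm>" once for each process holding a deleted libssl/libcrypto.
stale_tls_procs() {
    awk '/lib(ssl|crypto)\.so/ && /\(deleted\)/ { print $1, $2 }' | sort -u
}

# Walk the live /proc tree and feed it through stale_tls_procs.
# Run as root, otherwise other users' maps files are unreadable and skipped.
scan_live() {
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        comm=$(cat "$d/comm" 2>/dev/null) || continue
        sed -n "s|^|$pid $comm |p" "$d/maps" 2>/dev/null
    done | stale_tls_procs
}

# Constructed sample in the stdin format above: nginx and a Postfix smtpd still
# hold the replaced library; sshd was restarted and maps the current file.
SAMPLE_MAPS='1234 nginx 7f0a00000000-7f0a00200000 r-xp 00000000 fd:01 1234567 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
1234 nginx 7f0a00200000-7f0a00400000 r-xp 00000000 fd:01 1234568 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
2222 sshd 7f0b00000000-7f0b00200000 r-xp 00000000 fd:01 9999999 /lib/x86_64-linux-gnu/libssl.so.1.0.0
3333 smtpd 7f0c00000000-7f0c00200000 r-xp 00000000 fd:01 1234567 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)'

# Prints the processes that need a restart: "1234 nginx" and "3333 smtpd"
printf '%s\n' "$SAMPLE_MAPS" | stale_tls_procs
```

Call scan_live as root on the real host; an empty result means no process is still using a replaced library.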

Some services statically link against OpenSSL or maintain their own copies. Common offenders include:

  • Postfix (if compiled with built-in TLS)
  • Dovecot
  • Exim
  • Custom-compiled Python/Ruby environments

Remediation steps:

  1. Restart every service still holding an old libssl mapping (the lsof command name is used as the service name; adjust where the two differ, e.g. Postfix runs as "master"):
    sudo lsof | grep libssl | awk '{print $1}' | sort -u | xargs -r -I{} sudo service {} restart
  2. Verify which libssl each process has mapped (maps lists the library path, not the string "OpenSSL"):
    for pid in $(pgrep -f 'ssl|http'); do
      sudo grep -a 'libssl' /proc/$pid/maps 2>/dev/null | head -1
    done
  3. Reinstall (or, if locally compiled, rebuild) services that carry their own OpenSSL copy:

    # For Postfix example:
    sudo apt-get install --reinstall postfix


The 1.0.1-4ubuntu5.12 package has known issues with:

  • Incomplete backports from later Ubuntu versions
  • Partial symbol versioning in the shared library
  • Delayed updates in the -security pocket

Force a complete refresh with:

sudo apt-get update && sudo apt-get install --only-upgrade openssl libssl1.0.0

# Completely purge and reinstall. Caution: purging libssl1.0.0 also removes every
# package that depends on it; review apt's removal list before confirming
sudo apt-get purge openssl libssl1.0.0
sudo apt-get install openssl libssl1.0.0
sudo reboot

Remember that Ubuntu 12.04 reached EOL in April 2017. Consider upgrading to a supported release for ongoing security updates.