1

The goal of this is to run this across many machines with Ansible or Fabric to find out which of your machines are vulnerable to Heartbleed. Heartbleed has been out for a while; this will search the version installed on Ubuntu 12.04 LTS.

For Ubuntu users, the correct, patched version is also release-dependent. Use this list to see the minimum secure version for your release:

Ubuntu 10.04: Unaffected (Shipped with older version prior to vulnerability)
Ubuntu 12.04: 1.0.1-4ubuntu5.12
Ubuntu 12.10: 1.0.1c-3ubuntu2.7
Ubuntu 13.04: SUPPORT END OF LIFE REACHED, SHOULD UPGRADE
Ubuntu 13.10: 1.0.1e-3ubuntu1.2

I have been tinkering with this for a while, and I do not know why this will not match beyond the hyphen:

dpkg -s openssl | grep -Ei '\b(Version: (1)\.[0-9]\.[1-9].[1-2]*)\b'

Will match

Version: 1.0.1-

Instead of

Version: 1.0.1-4ubuntu5.16

I have tried:

dpkg -s openssl | grep -Ei '\b(Version: (0|1)\.0\.(0|1)[a-c]\-(ubuntu)*)\b'
dpkg -s openssl | grep -Ei '\b(Version: (0|1)\.0\.(0|1)[a-f]\-(ubuntu)*)\b'
dpkg -s openssl | grep -Ei '\b(Version: (0|1)\.[0-9]\.(0|1)[c-z]?\-(ubuntu)[5-9]*)\b'
dpkg -s openssl | grep -Ei '\b(Version: (1)\.[0-9]\.[1-9]*)\b'
dpkg -s openssl | grep -Ei '\b(Version: (1)\.[0-9]\.[1-9]-- -[4-9]ubuntu*)\b'
dpkg -s openssl | grep -Ei '\b(Version: (1)\.[0-9]\.[1-9]---[4-9]ubuntu*)\b'
dpkg -s openssl | grep -Ei '\b(Version: (1)\.[0-9]\.[1-9]--[4-9]*)\b'
dpkg -s openssl | grep -Ei '\b(Version: (1)\.[0-9]\.[1-9]--[4-9]ubuntu*)\b'
dpkg -s openssl | grep -Ei '\b(Version: (1)\.[0-9]\.[1-9]--[4-9]ubuntu*)\b'
dpkg -s openssl | grep -Ei '\b(Version: (1)\.[0-9]\.[1-9]--[4-9]ubuntu*)\b'
dpkg -s openssl | grep -Ei '\b(Version: (1)\.[0-9]\.[1-9]-[4-9]ubuntu*)\b'
dpkg -s openssl | grep -Ei '\b(Version: (1)\.[0-9]\.[1-9].([4-9]ubuntu))\b'
dpkg -s openssl | grep -Ei '\b(Version: (1)\.[0-9]\.[1-9].([4-9]ubuntu*))\b'
dpkg -s openssl | grep -Ei '\b(Version: (1)\.[0-9]\.[1-9].[4-9]*)\b'
dpkg -s openssl | grep -Ei '\b(Version: (1)\.[0-9]\.[1-9].[4-9]ubuntu)\b'
dpkg -s openssl | grep -Ei '\b(Version: (1)\.[0-9]\.[1-9][c-z]?--[4-9](ubuntu)*)\b'
dpkg -s openssl | grep -Ei '\b(Version: (1)\.[0-9]\.[1-9][c-z]?--[4-9]ubuntu*)\b'
dpkg -s openssl | grep -Ei '\b(Version: (1)\.[0-9]\.[1-9][c-z]?--[4-9]ubuntu*)\b'
dpkg -s openssl | grep -Ei '\b(Version: (1)\.[0-9]\.[1-9][c-z]?\-[4-9](ubuntu)*)\b'
dpkg -s openssl | grep -Ei '\b(Version: (1)\.[0-9]\.[1-9]\- --[4-9]*)\b'
dpkg -s openssl | grep -Ei '\b(Version: (1)\.[0-9]\.[1-9]\-([4-9]ubuntu*))\b'
dpkg -s openssl | grep -Ei '\b(Version: (1)\.[0-9]\.[1-9]\-*)\b'
dpkg -s openssl | grep -Ei '\b(Version: (1)\.[0-9]\.[1-9]\-*[4-9])\b'
dpkg -s openssl | grep -Ei '\b(Version: (1)\.[0-9]\.[1-9]\-*[4-9]*)\b'
dpkg -s openssl | grep -Ei '\b(Version: (1)\.[0-9]\.[1-9]\---[4-9]*)\b'
dpkg -s openssl | grep -Ei '\b(Version: (1)\.[0-9]\.[1-9]\---[4-9]ubuntu*)\b'
dpkg -s openssl | grep -Ei '\b(Version: (1)\.[0-9]\.[1-9]\--[4-9]*)\b'
dpkg -s openssl | grep -Ei '\b(Version: (1)\.[0-9]\.[1-9]\--[4-9]ubuntu*)\b'
dpkg -s openssl | grep -Ei '\b(Version: (1)\.[0-9]\.[1-9]\--\-[4-9]ubuntu*)\b'
dpkg -s openssl | grep -Ei '\b(Version: (1)\.[0-9]\.[1-9]\-.[4-9]*)\b'
dpkg -s openssl | grep -Ei '\b(Version: (1)\.[0-9]\.[1-9]\-[4-9]*)\b'
dpkg -s openssl | grep -Ei '\b(Version: (1)\.[0-9]\.[1-9]\-[4-9]*)\b'
dpkg -s openssl | grep -Ei '\b(Version: (1)\.[0-9]\.[1-9]\-[4-9]*)\b'
dpkg -s openssl | grep -Ei '\b(Version: (1)\.[0-9]\.[1-9]\-[4-9]*)\b'
dpkg -s openssl | grep -Ei '\b(Version: (1)\.[0-9]\.[1-9]\-[4-9]ubuntu*)\b'
dpkg -s openssl | grep -Ei '\b(Version: (1)\.[0-9]\.[1-9]\-[4-9]ubuntu*)\b'
dpkg -s openssl | grep -Ei '\b(Version: (1)\.[0-9]\.[1-9]\-[4-9]ubuntu*)\b'
dpkg -s openssl | grep -Ei '\b(Version: (1)\.[0-9]\.[1-9]\-\.[4-9]*)\b'
dpkg -s openssl | grep -Ei '\b(Version: (1)\.[0-9]\.[1-9]\-\[4-9]*)\b'

I am probably doing something very obviously wrong, please help.

My logic is:

  1. Check if machine has minimum safe version or higher?
  2. If machine does have safe version or higher, everything is OK, do nothing.
  3. If machine does not have safe version or higher, do another regex search if machine matches lower unsafe version.
  4. If machine matches older/unsafe version, do something.
Egidijus
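
The four-step logic in the question can be implemented without a regex by letting dpkg compare the versions. This is an added example, not part of the original post; the function names are hypothetical, and the minimum versions are the ones listed in the question.

```shell
#!/bin/sh
# Added example; function names are hypothetical. Minimum patched versions
# are copied from the list in the question.

# min_safe_version RELEASE: print the minimum patched openssl version for an
# Ubuntu release, or "unaffected", "eol" or "unknown".
min_safe_version() {
    case "$1" in
        10.04) echo unaffected ;;
        12.04) echo 1.0.1-4ubuntu5.12 ;;
        12.10) echo 1.0.1c-3ubuntu2.7 ;;
        13.04) echo eol ;;
        13.10) echo 1.0.1e-3ubuntu1.2 ;;
        *)     echo unknown ;;
    esac
}

# heartbleed_status RELEASE INSTALLED_VERSION: print one status word.
heartbleed_status() {
    min=$(min_safe_version "$1")
    case "$min" in
        unaffected|eol|unknown) echo "$min"; return 0 ;;
    esac
    # dpkg applies Debian version ordering, so 5.16 sorts above 5.12 and
    # 5.9 below it; a character-class regex cannot express that.
    if dpkg --compare-versions "$2" ge "$min"; then
        echo patched
    else
        echo vulnerable
    fi
}

# On a real host the inputs would come from:
#   heartbleed_status "$(lsb_release -rs)" \
#       "$(dpkg-query -W -f='${Version}' openssl)"

# Constructed sample inputs (release, installed version).
if command -v dpkg >/dev/null 2>&1; then
    for pair in "12.04 1.0.1-4ubuntu5.16" "12.04 1.0.1-4ubuntu5.9" \
                "13.10 1.0.1e-3ubuntu1" "10.04 0.9.8k-7ubuntu8"; do
        set -- $pair
        echo "$1 $2 -> $(heartbleed_status "$1" "$2")"
    done
fi
```

The shared library that services load is packaged separately (libssl1.0.0 on these releases), so the same check is worth running against that package as well.
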

3 Answers

1

According to CVE-2014-0160, the following versions are affected:

  • 1.0.1-beta1
  • 1.0.1-beta2
  • 1.0.1-beta3
  • 1.0.1
  • 1.0.1a
  • 1.0.1b
  • 1.0.1c
  • 1.0.1d
  • 1.0.1e
  • 1.0.1f
  • 1.0.2-beta1

So the easiest would be to just look for these version numbers:

^Version:\s+1\.0\.(1([abcdef]|\.beta[123])?|2\.beta1)(-|$)

I’m not sure of the numbering syntax for beta versions, you may need to adjust it.

Gumbo
0

You could try the grep command below to grep the line which starts with Version:

dpkg -s openssl | grep -Ei '\bVersion:.*$'

OR

dpkg -s openssl | grep -oP '\bVersion: 1\.[0-9]\.[0-9](?:[a-z])?-[0-9]ubuntu[0-9]+(?:\.[0-9]+)?\b'

Example:

$ dpkg -s openssl | grep -Ei '\bVersion:.*$'
Version: 1.0.1f-1ubuntu2
$ dpkg -s openssl | grep -Ei '^Version:.*$'
Version: 1.0.1f-1ubuntu2
Avinash Raj
  • That is on the correct path. I have changed your grep to this: `dpkg -s openssl | grep -oP '\bVersion: 1\.[0-9]\.[0-9](?:[c-z])?-[4-9]ubuntu[5-9]+(?:\.[1-9]+)?\b'` This should match a minimum version of `Version: 1.0.1-4ubuntu5*` – Egidijus Jul 20 '14 at 13:38
0

I tried:

dpkg -s openssl | grep -Ei '\b(Version: (1)\W+)\b'

and it works for me

Matheus.M.