Summary
Learn how SSFE is affected by the OpenSSL vulnerability and the possible resolution to address the issue.
Details
A vulnerability in the Heartbeat extension (RFC 6520) of OpenSSL has been disclosed. This vulnerability, dubbed the Heartbleed Bug and tracked as CVE-2014-0160, exists in every OpenSSL build that includes the Heartbeat extension. When exploited against a vulnerable server, it lets an attacker read a portion of the OpenSSL process's memory, up to 64 KB per request, without leaving any trace in the server's logs; repeated requests can expose private keys, session cookies and credentials held in that memory.
To know more about the OpenSSL vulnerability, refer to the Trend Micro article: Skipping a Heartbeat: The Analysis of the Heartbleed OpenSSL Vulnerability.
Who are affected?
OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1 are affected. OpenSSL 1.0.1g and the 1.0.0 and 0.9.8 branches are not affected.
SSFE PDG has confirmed that only the SSFE Windows client is affected by this vulnerability, and the issue was assigned a "LOW" risk level. The following statements explain this finding.
- The SSFE server has two external listening ports: port 443 (User Portal) and port 3443 (Management Console). Both are served by Perlbal, and the OpenSSL library it links against does not contain the CVE-2014-0160 (Heartbleed) vulnerability.
- The SSFE Windows client uses OpenSSL 1.0.1e, an affected version, to communicate with the server. However, the Windows client is a passive program: it only initiates connections and does not expose any HTTPS listener that accepts requests, so the vulnerable Heartbeat code could only be reached through the server the client itself connects to. It is therefore marked as a "LOW" risk vulnerability.
- The SSFE Android app also uses OpenSSL 1.0.1e, but only to encrypt files. The library is not used for any TLS connection or communication, so the Heartbeat code is never reached.
Fix Availability
SSFE 2.1 Critical Patch Build 1331 is now available in the Download Center. It updates the OpenSSL library in the Windows agent to version 1.0.1g, which resolves CVE-2014-0160. Refer to the ReadMe file for the installation procedure and prerequisites.
A new SSFE Android app, build 1101, has been published on Google Play; it also upgrades the bundled OpenSSL to version 1.0.1g.