Summary
The recent OpenSSL Heartbleed Vulnerability (CVE-2014-0160) has led to questions regarding which Trend Micro products may be affected. This notification identifies the products that are potentially affected by this vulnerability, and the critical patches that fix this.
Details
What is Heartbleed?
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. OpenSSL is an implementation of the SSL/TLS encryption protocol used to protect the privacy of Internet communications. OpenSSL is used by many web sites and other applications such as email, instant messaging, and VPNs.
Heartbleed can allow an attacker to read the memory of the systems using certain versions of OpenSSL, potentially allowing them to access user names, passwords, or even the secret security keys of the server. Obtaining these keys can allow malicious users to observe all communications on that system, allowing further exploitation.
Who is impacted by Heartbleed?
Given that this vulnerability has existed for at least two years, an organization that has deployed servers running OpenSSL versions 1.0.1 through 1.0.1f in that period is likely vulnerable to the Heartbleed Bug and should take immediate steps to remediate.
While there are some initial reports of attacks based on the Heartbleed vulnerability, these are preliminary reports and it should be noted that it is very difficult to determine if this attack has occurred in the past. Accordingly, even if an organization is not currently vulnerable, it may have been in the past and it should therefore take immediate steps to remediate if they have deployed the vulnerable OpenSSL versions.
Which products may be affected?
Trend Micro has identified that the Deep Security Relay (DSR) component (for Microsoft Windows) in Deep Security 8.0 and 9.0 uses a version of the Nginx web server that is affected by this issue (OpenSSL 1.01e).
The Deep Security Manager (DSM), Deep Security Agent (DSA), and Deep Security Virtual Appliance (DSVA) components are unaffected. Also, Deep Security 7.5 is not impacted since it does not have Deep Security Relay.
You may also check the list of other Trend Micro products that may be affected here.
Please visit this site regularly since the list is continuously updated with information and solutions as they become available.
Recommended action
The risk of exploiting this issue on the versions of Deep Security mentioned above from outside a user’s environment is very low since the Deep Security Relay is used for AV pattern distribution only. It does not handle sensitive information and it is usually accessible on an internal customer network only.
Even though the risk is considered very low, Trend Micro has released the following solutions to address this vulnerability:
- For the Deep Security Relay component in Deep Security 8.0:
- Windows 32 bit critical patch Relay-Windows 8.0.0-2207.i386.msi
- Windows 64 bit critical patch Relay-Windows-8.0.0-2207.x86_64.msi
- Critical patch Readme file for DSR 8.0
- For the Deep Security Relay component in Deep Security 9.0:
- Windows 32 bit critical patch Relay-Windows-9.0.0-3335.i386.msi
- Windows 64 bit critical patch Relay-Windows-9.0.0-3335.x86_64.msi
- Critical patch Readme file for DSR 9.0
If you have issues or questions in obtaining the solutions, contact your authorized Trend Micro support representative for further assistance.
