What is the CCS Injection Vulnerability?
The CCS Injection Vulnerability (CVE-2014-0224) is a serious vulnerability in the popular OpenSSL cryptographic software library. OpenSSL is an implementation of the SSL/TLS encryption protocol used to protect the privacy of Internet communication. OpenSSL is used by many websites and other applications such as email, instant messaging, and VPNs.
In certain versions of OpenSSL, an attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server.
Who is impacted by the CCS Injection Vulnerability?
Recent reports indicate that this vulnerability has existed for at least ten (10) years but was only just discovered, and due to the number of organizations that have deployed servers running OpenSSL, companies who were concerned or affected by the recent Heartbleed bug may also want to take serious note of this vulnerability.
OpenSSL versions said to be affected include:
- versions before 0.9.8za
- 1.0.0 before 1.0.0m
- 1.0.1 before 1.0.1h
Preliminary reports have noted that it is very difficult, if not impossible, to determine if an attack has occurred in the past because it leaves virtually no trace. Accordingly, even if an organization is not currently vulnerable, it may have been in the past and it should therefore take immediate steps to remediate if they have deployed the vulnerable OpenSSL versions.
Since some Trend Micro products may be using the affected OpenSSL version, these products may be affected by this vulnerability. This article contains the list of products that are affected and the recommended action to take to eliminate the risks as they are identified and corrected.
For your external references:
What Trend Micro products are not affected?
|Advanced Reporting and Management for InterScan Web Security (ARM)||1.5||No||0.9.8b|
|Advanced Reporting and Management for InterScan Web Security (ARM)||1.6||No||1.0.0b|
|Control Manager (TMCM)||5.5, 6.0, 6.0 SP1||No||0.9.6m, 1.0.1g|
|Core Protection Module (CPM) - ESP||10.5, 10.6, 10.6 SP1, 10.6 SP2||No||Not using OpenSSL|
|Core Protection Module (CPM) for Mac||1.1||No||Not using OpenSSL|
|Cisco Content Security and Control Security Services Module (Stargate)||6.6||No||Not using OpenSSL|
|Damage Cleanup Services (DCS)||3.2||No||Not using OpenSSL|
|Deep Discovery Email Inspector (DDEI)||2.0 SP1||No||v1.0.1h|
|Deep Discovery Inspector (DDI)||3.0, 3.1||No||1.0.0d|
|3.2, 3.5, 3.6||No||1.0.0j|
|Deep Security for Web Apps||2.0||No||Not using OpenSSL|
|DirectPass||1.8||No||Not using OpenSSL|
|Data Loss Prevention (DLP) Endpoint||5.0J, 5.2J, 5.5, 5.6||No||0.9.7a, 1.0.0c|
|Email Security Platform for Service Providers - White Label||3.0||No||0.9.8e-fips-rhel5|
|Email Security Platform for Service Providers - White Label (EMSP-SP - NTT-C)||3.2||No||0.9.8e|
|InterScan Messaging Security Suite (IMSS)||7.0 Linux||No||0.9.8j|
|InterScan VirusWall (ISVW)||6.02 Linux, 7.0 Win||No||0.9.8|
|InterScan Web Security Suite (IWSS)||3.1 Sol JP, Linux EN/JP, Win EN/JP||No||0.9.7d|
|5.6 Linux JP||No||1.0.0b|
|InterScan Web Security Virtual Appliance (IWSVA)||5.5 EN||No||0.9.8a|
|6.0 SP1 EN||No||1.0.0j|
|Mobile Security (TMMS)||1.2, 2.0, 2.1, 2.2, 2.5, 2.6, 3.0, 3.1, 3.5, 5.0||No||Not using OpenSSL|
|OfficeScan (OSCE)||10.5, 10.6, 10.6 SP1, 10.6 SP2, 10.6 SP3, 11.0||No||0.9.6l|
|Portable Security (TMPS)||2.0||No||1.0.1g|
|1.0, 1.1, 1.5||No||Not using OpenSSL|
|Safe Lock (TMSL)||1.0?, 1.1||No||Not using OpenSSL|
|SafeSync||5.0||No||Not using OpenSSL|
|SafeSync for Business||5.1||No||1.0.1-4ubuntu5.14|
|Smart Protection Server (TMSPS)||2.0, 2.5, 2.6||No||0.9.8q|
|Smart Surfing for MAC||1.6||No||Not using OpenSSL|
|ScanMail for Microsoft Exchange (SMEX)||10.2, 10.2 SP2, 11.0||No||1.0.0a|
|ScanMail for Lotus Domino (SMLD)||3.0, 3.1, 5.0, 5.5||No||Not using OpenSSL|
|Security for NAS (TMNAS)||1.0, 1.1||No||1.0.0|
|ServerProtect for Windows (SPNT)||5.7, 5.8||No||Not using OpenSSL|
|Threat Discovery Appliance (TDA)||2.55||No||0.9.8|
|Threat Mitigator (TMTM)||2.58||No||1.0.0L|
|TMEE Data Armor||3.0?, 5.0||No||Not using OpenSSL|
|TMEE Drive Armor||3.0?, 5.0||No||Not using OpenSSL|
|TMEE File Armor||3.0?, 5.0||No||Not using OpenSSL|
|TMEE Key Armor||3.0?, 5.0||No||Not using OpenSSL|
|TMEE Policy Server||3.1?, 5.0||No||Not using OpenSSL|
|Trend Micro Online Guardian (TMOG)||1.0, 1.5, 1.6, 1.8||No||Not using OpenSSL|
|Trend Micro Security for Macintosh (TMSM)||2.0, 2.0 SP1, 2.1||No||1.0.1e|
|USB Security (TMUSB)||1.1, 1.3, 2.0||No||Not using OpenSSL|
|Worry-Free Business Security (WFBS)||7.0||No||0.9.8i|
|Worry-Free Business Security Services (WFBS-SVC)||5.3 SP1||No||1.0.1e|
|Worry-Free Remote Manager (WFRM)||2.5, 2.6, 3.0, 3.1||No||1.0.0|
What if my product is not listed?
If the product has not reached End-of-Support, it is most likely that Trend Micro is still analyzing the vulnerability and its impact on your product. As soon as the analysis is completed, the product will be added in the list.
What if I have additional questions?
For additional inquiries, contact Technical Support.