Security Alert: OpenSSL Heartbleed issue
Wommelgem 10th of April 2014 | As you have already heard, there is a serious vulnerability in the OpenSSL stack which affects multiple products. As a follow-up to the technical alert that you received yesterday, please find updated information below. We have put together an Excel sheet listing all the solutions that are part of our portfolio and stating whether each solution is vulnerable or not. If so, check which versions are vulnerable and which action needs to be taken.
Wommelgem 9th of April 2014 | The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information (such as private keys, usernames and passwords, or contents of encrypted traffic) from process memory via crafted packets that trigger a buffer over-read. This issue is also known as the Heartbleed Bug. Status of different OpenSSL versions:
- OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
- OpenSSL 1.0.1g is NOT vulnerable
- OpenSSL 1.0.0 branch is NOT vulnerable
- OpenSSL 0.9.8 branch is NOT vulnerable
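The buffer over-read described above comes down to one missing length check: a heartbeat record carries a 16-bit payload length chosen by the peer, and affected versions copied that many bytes without confirming the record actually contained them. The following is an added example, not code from the alert or from OpenSSL, that models the check in Python: `parse_heartbeat` applies the record-length validation the fixed version performs (header plus padding must fit, and declared payload plus padding must fit), and `over_read_bytes` reports how far past the received record an unchecked copy of the declared length would have reached. Record layout (type byte, 2-byte payload length, payload, at least 16 bytes of padding) follows RFC 6520; the sample records are constructed for the demonstration.

```python
"""Model of the heartbeat record length check missing from OpenSSL 1.0.1 before 1.0.1g.
Added example; not the project's own code."""
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
HEADER_LEN = 1 + 2      # type byte + 16-bit payload_length (RFC 6520)
MIN_PADDING = 16        # RFC 6520 requires at least 16 bytes of padding after the payload


def declared_payload_length(record):
    """Payload length exactly as the peer declared it in the header.
    Affected versions trusted this value without comparing it to the record size."""
    if len(record) < HEADER_LEN:
        return None
    return struct.unpack("!H", record[1:3])[0]


def parse_heartbeat(record):
    """Return (type, payload) for a well-formed heartbeat record, else None.
    Mirrors the validation in the fixed version: the record must be large enough
    to hold the header and padding, and the declared payload plus padding must
    fit inside what was actually received."""
    if HEADER_LEN + MIN_PADDING > len(record):
        return None                      # too short to even hold header + padding
    hbtype = record[0]
    payload_len = struct.unpack("!H", record[1:3])[0]
    if HEADER_LEN + payload_len + MIN_PADDING > len(record):
        return None                      # declared length exceeds the record: discard
    if hbtype not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        return None
    return hbtype, record[HEADER_LEN:HEADER_LEN + payload_len]


def over_read_bytes(record):
    """Bytes an unchecked copy of the declared length would read beyond the record
    (0 for a consistent record). This is the quantity the fixed check drives to zero."""
    declared = declared_payload_length(record)
    if declared is None:
        return 0
    available = len(record) - HEADER_LEN  # payload + padding actually received
    return max(0, declared - available)


def build_heartbeat(hbtype, payload):
    """Build a consistent heartbeat record (declared length == actual payload)."""
    return struct.pack("!BH", hbtype, len(payload)) + payload + b"\x00" * MIN_PADDING


if __name__ == "__main__":
    # Constructed sample records: one consistent, one whose header claims far more
    # payload than the 23 bytes that were received.
    consistent = build_heartbeat(HEARTBEAT_REQUEST, b"ping")
    inconsistent = b"\x01\xff\xff" + b"ping" + b"\x00" * MIN_PADDING
    for rec in (consistent, inconsistent):
        print(len(rec), "bytes received, declared", declared_payload_length(rec),
              "-> parsed:", parse_heartbeat(rec), "over-read:", over_read_bytes(rec))
```

The point to take from the model is that the fixed check compares the peer-supplied length against the size of the data that was actually received; a record that passes `parse_heartbeat` has `over_read_bytes` equal to zero by construction.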
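To apply the version table above to a host, the practical input is the banner printed by `openssl version -a`. The script below is an added example (not part of the alert) that classifies such a banner according to the four rules listed. It also handles one caveat the table alone does not cover: Linux distributions shipped the fix as a backport that kept the upstream version string (for instance a package still reporting 1.0.1e), so for a 1.0.1 build with a pre-g letter the script additionally looks at the `built on:` date and treats a build from 7 April 2014 or later as likely patched. That cut-off date heuristic is an assumption of this example, not a statement from the alert; confirm against the distribution's own errata. The sample banners are constructed in the 2014-era output format.

```python
"""Classify an `openssl version -a` banner against the Heartbleed version table.
Added example; not part of the alert."""
import re
from datetime import date

# Version ranges as listed in the alert: 1.0.1 .. 1.0.1f vulnerable,
# 1.0.1g fixed, 1.0.0 and 0.9.8 branches not affected.
FIXED_LETTER = "g"
UNAFFECTED_BRANCHES = {(1, 0, 0), (0, 9, 8)}

# Assumption (not from the alert): distro packages that backported the fix kept
# the old version string, so a "built on" date on or after the disclosure date
# is used here as the hint that such a package was rebuilt with the patch.
BACKPORT_FIX_DATE = date(2014, 4, 7)

MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}

VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")
# Matches e.g. "built on: Mon Apr  7 12:49:29 UTC 2014"
BUILT_ON_RE = re.compile(
    r"built on:.*?\b([A-Z][a-z]{2})\s+(\d{1,2})\b.*?\b(\d{4})\b")


def parse_version(banner):
    """Return (major, minor, patch, letter) from the 'OpenSSL x.y.zL' line, or None."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)


def parse_built_on(banner):
    """Return the 'built on:' date, or None if absent or unparseable."""
    m = BUILT_ON_RE.search(banner)
    if not m or m.group(1) not in MONTHS:
        return None
    return date(int(m.group(3)), MONTHS[m.group(1)], int(m.group(2)))


def classify(banner):
    """Map a banner to: 'vulnerable', 'not vulnerable',
    'likely patched (backported fix)' or 'unknown'."""
    v = parse_version(banner)
    if v is None:
        return "unknown"                      # not an OpenSSL banner
    branch, letter = v[:3], v[3]
    if branch in UNAFFECTED_BRANCHES:
        return "not vulnerable"
    if branch != (1, 0, 1):
        return "unknown"                      # branch not covered by the alert's table
    if letter >= FIXED_LETTER:                # "" (plain 1.0.1) .. "f" sort below "g"
        return "not vulnerable"
    built = parse_built_on(banner)
    if built is not None and built >= BACKPORT_FIX_DATE:
        return "likely patched (backported fix)"
    return "vulnerable"


if __name__ == "__main__":
    # Constructed sample banners in the format `openssl version -a` printed in 2014.
    samples = [
        "OpenSSL 1.0.1f 6 Jan 2014\nbuilt on: Mon Jan  6 16:04:44 UTC 2014",
        "OpenSSL 1.0.1g 7 Apr 2014\nbuilt on: Mon Apr  7 20:55:23 UTC 2014",
        "OpenSSL 1.0.1e 11 Feb 2013\nbuilt on: Tue Apr  8 09:34:11 UTC 2014",
        "OpenSSL 0.9.8y 5 Feb 2013\nbuilt on: Tue Feb  5 12:00:00 UTC 2013",
    ]
    for s in samples:
        print(s.splitlines()[0], "->", classify(s))
```

A "likely patched" result is a prompt to check the package changelog or vendor errata, not a verdict; the version letter alone is authoritative only for builds taken straight from upstream.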
Juniper Networks
We strongly recommend upgrading the SA and MAG appliances as soon as possible. Juniper has released versions 8.0R3.1 and 7.4R9.1, which can be downloaded from the Juniper Networks site or via the SecureLink download site. The official Juniper Networks statement can be found here:
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10623&actp=SUBSCRIPTION
http://kb.juniper.net/kb29004
F5 Networks
- F5 hardware appliances are only vulnerable in the latest version and only under specific, non-default, uncommon circumstances.
- F5 virtual editions v11.5 are vulnerable!
- If you’re on v11.5.x, you will need to read on in detail as you’re susceptible, to some extent, to the effects of the heartbleed bug.
- If you’re on any other version, you’re in the clear as far as the F5 itself is concerned.
- You may still have the need to protect backend-servers that you cannot upgrade or hotfix at the moment for whatever reason.
The official F5 Networks statement can be found here: http://support.f5.com/kb/en-us/solutions/public/15000/100/sol15159.html
Palo Alto Networks
Palo Alto firewalls are not vulnerable as they use an older branch of OpenSSL (0.9.8).
No official information yet; however, we are quite certain that specific versions are vulnerable. As soon as we receive more information we will update you.
SecureLink remarks
This is a serious bug, as it makes it possible to obtain usernames, passwords and even private keys over an SSL connection. Special care has to be taken with devices that are reachable over the Internet via SSL, in particular remote access solutions and publicly reachable servers. The advice of SecureLink is as follows:
The recommendation for system administrators is:
- Patch or upgrade vulnerable systems to a version which is not affected by this bug
- If upgrading or patching is not possible, you can front-end the solution with, for example, an F5 Networks reverse proxy
- If vulnerable systems have been exposed on the Internet, we advise changing the certificates, as private keys may have been compromised
The recommendation for users is:
- Change your passwords
This security alert only covers external devices; please note that a number of internal devices also use SSL. In the coming days we will regularly update you about other devices. Customers that have additional questions regarding this bug should feel free to contact SecureLink.