NCSC-FI Advisory on OpenSSL

A vulnerability has been found in OpenSSL's implementation of the heartbeat extension for TLS (Transport Layer Security) and DTLS (Datagram TLS).

Details

In reply to a heartbeat request, OpenSSL returns the amount of memory content the request asks for, up to 64 kB, taken from whatever happens to be in process memory. Sensitive data such as message contents, user credentials, session keys and server private keys have been observed within the reply contents. More memory contents can be acquired by sending more requests. The attacks have not been observed to leave traces in application logs.
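The defect described above is a missing length check: the heartbeat handler trusted the payload_length field carried in the request instead of the true length of the record received. The following is an added example written for this advisory, not OpenSSL's own code. It lays out a simplified RFC 6520 heartbeat message in a constructed in-memory "arena", places a constructed secret right after the received record to stand in for adjacent process memory, and contrasts a response builder that trusts the declared length with one that validates it against the record length (the check introduced in 1.0.1g). The message layout, the arena, the secret string and all function names are assumptions made for the example; the demo caps its own copy at the arena boundary so that it stays memory-safe, whereas the real bug read adjacent heap memory.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 6520 heartbeat message as carried inside a TLS record:
 *   uint8  type (1 = request, 2 = response)
 *   uint16 payload_length (big endian)
 *   opaque payload[payload_length]
 *   opaque padding[>= 16]
 * The record itself carries the true number of bytes received. */
#define TLS1_HB_REQUEST   1
#define TLS1_HB_RESPONSE  2
#define HB_HEADER_LEN     3
#define HB_MIN_PADDING    16
#define HB_RESPONSE_MAX   (HB_HEADER_LEN + 65535 + HB_MIN_PADDING)

/* Constructed demo memory: the received record sits at the front and a
 * constructed secret is written immediately after it. */
#define ARENA_SIZE 256
static unsigned char arena[ARENA_SIZE];
static const char secret[] = "constructed-secret:session-key";

/* Builds a heartbeat request in the arena. declared_len is what the
 * payload_length field claims; actual_payload is what is really sent.
 * Returns the true on-wire length of the record. */
static size_t make_request(uint16_t declared_len, const char *actual_payload) {
    size_t plen = strlen(actual_payload);
    memset(arena, 0, sizeof arena);
    arena[0] = TLS1_HB_REQUEST;
    arena[1] = (unsigned char)(declared_len >> 8);
    arena[2] = (unsigned char)(declared_len & 0xff);
    memcpy(arena + HB_HEADER_LEN, actual_payload, plen);
    size_t record_len = HB_HEADER_LEN + plen + HB_MIN_PADDING;
    memcpy(arena + record_len, secret, sizeof secret); /* "adjacent" memory */
    return record_len;
}

static uint16_t declared_payload_len(const unsigned char *msg) {
    return (uint16_t)((msg[1] << 8) | msg[2]);
}

/* Mirrors the defect: echoes payload_length bytes without checking that the
 * record actually contains them. The cap at ARENA_SIZE is a demo guard only. */
static size_t respond_unchecked(const unsigned char *msg, size_t record_len,
                                unsigned char *out) {
    (void)record_len; /* the vulnerable code never consulted it */
    uint16_t plen = declared_payload_len(msg);
    if ((size_t)HB_HEADER_LEN + plen > ARENA_SIZE) plen = ARENA_SIZE - HB_HEADER_LEN;
    out[0] = TLS1_HB_RESPONSE;
    out[1] = msg[1];
    out[2] = msg[2];
    memcpy(out + HB_HEADER_LEN, msg + HB_HEADER_LEN, plen);
    memset(out + HB_HEADER_LEN + plen, 0, HB_MIN_PADDING);
    return HB_HEADER_LEN + plen + HB_MIN_PADDING;
}

/* Hardened version: the declared payload plus minimum padding must fit inside
 * the record that was actually received, otherwise the request is discarded
 * (return 0, nothing written). */
static size_t respond_checked(const unsigned char *msg, size_t record_len,
                              unsigned char *out) {
    if (record_len < HB_HEADER_LEN + HB_MIN_PADDING) return 0;
    uint16_t plen = declared_payload_len(msg);
    if ((size_t)HB_HEADER_LEN + plen + HB_MIN_PADDING > record_len) return 0;
    out[0] = TLS1_HB_RESPONSE;
    out[1] = msg[1];
    out[2] = msg[2];
    memcpy(out + HB_HEADER_LEN, msg + HB_HEADER_LEN, plen);
    memset(out + HB_HEADER_LEN + plen, 0, HB_MIN_PADDING);
    return HB_HEADER_LEN + plen + HB_MIN_PADDING;
}

/* Returns 1 if the constructed secret appears anywhere in the response. */
static int response_leaks_secret(const unsigned char *resp, size_t resp_len) {
    size_t slen = strlen(secret);
    for (size_t i = 0; i + slen <= resp_len; i++)
        if (memcmp(resp + i, secret, slen) == 0) return 1;
    return 0;
}

int main(void) {
    static unsigned char resp[HB_RESPONSE_MAX];
    size_t rlen = make_request(100, "hello");   /* claims 100 bytes, sends 5 */
    size_t n = respond_unchecked(arena, rlen, resp);
    printf("unchecked: %zu-byte response, leaks secret: %d\n", n,
           response_leaks_secret(resp, n));
    n = respond_checked(arena, rlen, resp);
    printf("checked: %zu-byte response (0 = request discarded)\n", n);
    rlen = make_request(5, "hello");            /* honest request */
    n = respond_checked(arena, rlen, resp);
    printf("checked, honest request: %zu-byte response\n", n);
    return 0;
}
```

The point to take from the checked variant is that the validation compares the attacker-supplied field against a length the peer does not control (the record length), and that a mismatch is dropped rather than "repaired", which is also why the real bug left nothing in application logs: nothing in the handler treated the request as an error.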

Vulnerability Coordination Information and Acknowledgements

The vulnerability was first reported to OpenSSL by Neel Mehta from Google Security. Matti Kamunen, Antti Karjalainen and Riku Hietamäki from Codenomicon Oy reported the vulnerability to NCSC-FI, who reported it in turn to OpenSSL. NCSC-FI would like to thank Codenomicon for reporting and analysing the vulnerability.

Target

  • Servers and server applications
  • Workstations and end-user applications
  • Network devices
  • Embedded systems
  • Others

Attack vector

  • No authentication required
  • Remote
  • No user interaction required

Impact

  • Obtaining of confidential information
  • Security bypass

Remediation

  • Software update patch

Vulnerable software:

  • OpenSSL versions from 1.0.1 to 1.0.1f. The vulnerability has been fixed in OpenSSL 1.0.1g.

Vulnerable Linux and BSD distributions include:

  • Red Hat Enterprise Linux 6.5 (OpenSSL 1.0.1e)
  • Debian Wheezy (fixed in version 1.0.1e-2+deb7u5)
  • Ubuntu 12.04 LTS, 13.04 and 13.10
  • Gentoo Linux
  • Slackware 14.0, 14.1 and current
  • OpenBSD 5.3 and 5.4
  • FreeBSD, versions 10.x
  • NetBSD, versions 6.1 - 6.1.3 and 6.0 - 6.0.4
  • DragonflyBSD 3.6
  • Mandriva Business Server 1
  • CentOS 6.5
  • Scientific Linux 6.5
  • Oracle Linux
  • ClearOS 6.x

Software using a vulnerable version of OpenSSL includes:

  • Cisco AnyConnect Secure Mobility Client for iOS
  • Cisco Desktop Collaboration Experience DX650
  • Cisco Unified 7800 series IP Phones
  • Cisco Unified 8961 IP Phone
  • Cisco Unified 9951 IP Phone
  • Cisco Unified 9971 IP Phone
  • Cisco TelePresence Video Communication Server (VCS)
  • Cisco IOS XE
  • Cisco UCS B-Series (Blade) Servers
  • Cisco UCS C-Series (Stand alone Rack) Servers
  • Cisco Unified Communication Manager (UCM) 10.0
  • FortiGate FortiOS 5.0.5 and 5.0.6
  • Junos OS 13.3R1
  • Juniper Odyssey client 5.6r5 and newer
  • Juniper SSL VPN (IVEOS) 7.4r1 and newer
  • Juniper SSL VPN (IVEOS) 8.0r1 and newer
  • Juniper UAC 4.4r1 and newer
  • Juniper UAC 5.0r1 and newer
  • Juniper Junos Pulse (Desktop) 5.0r1 and newer
  • Juniper Junos Pulse (Desktop) 4.0r5 and newer
  • Juniper Network Connect (Windows) versions 7.4R5 - 7.4R9.1 and 8.0R1 - 8.0R3.1
  • Juniper Junos Pulse (Mobile) on Android 4.2R1 and later
  • Juniper Junos Pulse (Mobile) on iOS 4.2R1
  • F5 BIG-IP LTM versions 11.5.0 - 11.5.1
  • F5 BIG-IP AAM versions 11.5.0 - 11.5.1
  • F5 BIG-IP AFM versions 11.5.0 - 11.5.1
  • F5 BIG-IP Analytics versions 11.5.0 - 11.5.1
  • F5 BIG-IP APM versions 11.5.0 - 11.5.1
  • F5 BIG-IP ASM versions 11.5.0 - 11.5.1
  • F5 BIG-IP GTM versions 11.5.0 - 11.5.1
  • F5 BIG-IP Link Controller 11.5.0 - 11.5.1
  • F5 BIG-IP PEM versions 11.5.0 - 11.5.1
  • F5 BIG-IP PSM versions 11.5.0 - 11.5.1
  • F5 BIG-IP Edge Clients for Apple iOS versions 2.0.0 - 2.0.1 and 1.0.5
  • F5 BIG-IP Edge Clients for Linux versions 7080 - 7101
  • F5 BIG-IP Edge Clients for Mac OS X versions 7080 - 7101 and 6035 - 7071
  • F5 BIG-IP Edge Clients for Windows versions 7080 - 7101 and 6035 - 7071
  • OpenVPN 2.3-rc2-I001 - 2.3.2-I003
  • Aruba ArubaOS versions 6.3.x, 6.4.x
  • Aruba ClearPass versions 6.1.x, 6.2.x, 6.3.x
  • Viscosity before version 1.4.8
  • WatchGuard XTM and XCS before version 11.8.3 CSP
  • Blue Coat Content Analysis System versions 1.1.1.1 - 1.1.5.1
  • Blue Coat Malware Analysis Appliance version 1.1.1
  • Blue Coat ProxyAV versions 3.5.1.1 - 3.5.1.6
  • Blue Coat ProxySG versions 6.5.1.1 - 6.5.3.5
  • Blue Coat SSL Visibility 3.7.0
  • Jolla
  • F-Secure F-Secure Messaging Secure Gateway 7.5
  • F-Secure Protection Service for Email 7.5
  • F-Secure Anti-Theft Portal
  • Synology before version DSM 5.0-4458 Update 2
  • Red Hat Enterprise Virtualization Hypervisor 6.5
  • Red Hat Storage 2.1
  • OpenVPN Access Server 1.8.4 – 2.0.5
  • FortiGate (FortiOS) 5.0.0 - 5.0.6
  • FortiClient 5.x
  • FortiAuthenticator 3.x
  • FortiMail 4.3.x and 5.x
  • FortiVoice 200D, 200D-T and VM
  • FortiRecorder
  • FortiADC D-Series 1500D, 2000D and 4000D
  • FortiADC E-Series 3.x
  • Coyote Point Equalizer GX / LX 10.x
  • FortiDDoS 4.x
  • FortiDNS
  • AscenLink v6.5 and 7.0
  • VMware ESXi 5.5
  • VMware NSX-MH 4.x
  • VMware NSX-V 6.0.x
  • VMware NVP 3.x
  • VMware vCenter Server 5.5
  • VMware vFabric Web Server 5.0.x – 5.3.x
  • VMware Fusion 6.0.x
  • VMware Horizon Mirage Edge Gateway 4.4.x
  • VMware Horizon View 5.3 Feature Pack 1
  • VMware Horizon View Client for Android 2.1.x, 2.2.x, 2.3.x
  • VMware Horizon View Client for iOS 2.1.x, 2.2.x, 2.3.x
  • VMware Horizon View Client for Windows 2.3.x
  • VMware Horizon Workspace 1.0
  • VMware Horizon Workspace 1.5
  • VMware Horizon Workspace 1.8
  • VMware Horizon Workspace Client for Macintosh 1.5.1
  • VMware Horizon Workspace Client for Macintosh 1.5.2
  • VMware Horizon Workspace Client for Windows 1.5.1
  • VMware Horizon Workspace Client for Windows 1.5.2
  • VMware Horizon Workspace for Macintosh 1.8
  • VMware Horizon Workspace for Windows 1.8
  • VMware OVF Tool 3.5.0
  • VMware vCloud Networking and Security (vCNS) 5.1.3
  • VMware vCloud Networking and Security (vCNS) 5.5.1
  • DD-WRT (Open-source router firmware)
  • OpenWRT (Open-source router firmware)
  • McAfee ePolicy Orchestrator
  • McAfee Next Generation Firewall (Stonesoft)
  • McAfee Firewall Enterprise
  • McAfee Enterprise Security Manager (Nitro)
  • McAfee Email Gateway
  • McAfee Web Gateway
  • McAfee Security for Microsoft Exchange
  • McAfee Security for Microsoft Sharepoint
  • McAfee Security for Lotus Domino
  • Dell SonicWALL SRA SMB Secure Remote Access (server-side firmware) 7.0.0.10-26sv and all previous 7.0 versions; 7.5.0.3-19sv and all previous 7.5 versions
  • Dell SonicWALL SRA E-Class Secure Remote Access (Aventail) E-Class SRA Server Software versions 10.6.4, 10.7.0 and 10.7.1
  • Dell SonicWALL SRA Global Management System (GMS) and Analyzer 7.2, on the Windows platform only
  • Extreme Networks Black Diamond Series X8, 8900 and 8800 EXOS version 15.4.1
  • Extreme Networks Summit Series X770, X670, X480, X460, X440, X430, E4G-200 and E4G-400 EXOS version 15.4.1
  • Extreme Networks 64-bit (Ubuntu) hardware-based and virtual NetSight appliances; versions 4.4, 5.0, 5.1 and 6.0
  • Extreme Networks 64-bit (Ubuntu) hardware-based and virtual NAC & IA appliances; versions 5.0, 5.1 and 6.0
  • Extreme Networks 64-bit (Ubuntu) hardware-based and virtual Purview appliances; versions 6.0
  • NetApp Clustered Data ONTAP® Antivirus Connector
  • NetApp Data ONTAP® Storage Management Initiative Specification (SMI-S) Agent
  • NetApp Manageability SDK (5.0P1 and later)
  • NetApp OnCommand® Unified Manager Core Package (5.x)
  • NetApp OnCommand® Workflow Automation (2.2RC1)
  • NetApp SnapProtect® (10.0 and service packs)
  • NetApp Storage Management Initiative Specification (SMI-S) Providers for E-Series
  • neXus Hybrid Access Gateway 5.2
  • Barracuda Web Filter Version 7.0 - 7.1
  • Barracuda Message Archiver Version 3.5 and 3.6
  • Barracuda Web Application Firewall Version 7.8
  • Barracuda Link Balancer Version 2.5
  • Barracuda Load Balancer Version 4.2
  • Barracuda Load Balancer ADC Versions 5.0 - 5.1
  • Barracuda Cudatel Version 3.0 and earlier
  • Barracuda Cloud Control
  • Barracuda Backup Service
  • Barracuda Email Security Service
  • Barracuda Copy
  • Barracuda SignNow
  • NGINX
  • pfSense
  • Oracle Communications Operations Monitor
  • Oracle MySQL Enterprise Monitor
  • Oracle MySQL Enterprise Server version 5.6
  • Oracle Communications Session Monitor
  • Oracle Linux
  • Oracle Mobile Security Suite
  • Oracle Solaris 11.2
  • Oracle BlueKai
  • Oracle Java ME - JSRs and Optional Packages
  • Oracle Java ME - Mobile and Wireless
  • Oracle MySQL Connector/C
  • Oracle MySQL Connector/ODBC
  • Oracle MySQL Workbench
  • Oracle Communications Internet Name and Address Management
  • Oracle Communications Application Session Controller
  • Oracle Communications Interactive Session Recorder 5.1
  • Oracle Communications Network Charging and Control
  • Oracle Communications Session Delivery Management Suite
  • Oracle Communications WebRTC Session Controller
  • Oracle Primavera P6 Prof Project Management

Possible solutions and restrictive measures:

Patch the vulnerable software components according to the guidance published by the vendor. Restart affected services after the update.

The vulnerability can also be mitigated by disabling the affected component: recompile OpenSSL with the configuration option -DOPENSSL_NO_HEARTBEATS, which removes the heartbeat extension entirely.

Further information:


Contact Information

NCSC-FI Vulnerability Coordination can be contacted as follows:

Email: vulncoord@ficora.fi

Please quote the advisory reference [FICORA #788210] in the subject line.

Other contact details

NCSC-FI Vulnerability Coordination encourages those who wish to communicate via email to make use of our PGP key.

The NCSC-FI Vulnerability Coordination policy can be viewed here.


Revision History

8 Apr 2014, 07:45 UTC: Published

10 Apr 2014, 11:07 UTC: Updated vendor list and references

10 Apr 2014, 12:12 UTC: Removed erroneously added CheckPoint products from listing

10 Apr 2014, 13:27 UTC: Fixed affected FreeBSD versions

11 Apr 2014, 17:27 UTC: Updated vendor list and references (Jolla, F-Secure)

12 Apr 2014, 21:39 UTC: Updated vendor list and references (Synology)

14 Apr 2014, 09:40 UTC: Updated vendor list and references (Red Hat, OpenVPN Access Server, Forti, VMware, CentOS, Scientific Linux, DD-WRT, OpenWRT)

15 Apr 2014, 08:50 UTC: Updated vendor list and references (McAfee, Dell Sonicwall, Extreme Networks, NetApp, Blue Coat, neXus, Barracuda, NGINX)

16 Apr 2014, 07:20 UTC: Updated vendor list and references (PfSense, Oracle)

22 Apr 2014, 08:02 UTC: Updated vendor list and references (ClearOS)

Key words: Information security, Cyber security, Network equipment, Networks, Protection of privacy, Risk management, Server, Vulnerability coordination, Workstation, Vulnerabilities

The Finnish Communications Regulatory Authority (FICORA)

The National Cyber Security Centre Finland (NCSC-FI)

Itämerenkatu 3 A

P.O. Box 313

FI-00180 HELSINKI


Media contacts by telephone +358 295 390 248