===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2014.0051
      Barracuda Networks products and CVE-2014-0160: OpenSSL Heartbleed
                               vulnerability
                               14 April 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Barracuda Web Application Firewall
                      Barracuda Web Filter
                      Barracuda Message Archiver
                      Barracuda Firewall
                      Barracuda Load Balancer ADC
                      Barracuda Load Balancer
                      Barracuda Link Balancer
                      Cudatel
                      Barracuda Email Security Service
                      Barracuda Backup Service
                      Barracuda Cloud Control
                      Copy
                      SignNow
Operating System:     Network Appliance
Impact/Access:        Access Privileged Data -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2014-0160
Member content until: Wednesday, May 14 2014
Reference:            ASB-2014.0042
                      ESB-2014.0457

OVERVIEW

        A vulnerability has been reported in multiple Barracuda products.


IMPACT

        Barracuda has provided the following details regarding these issues:

        "On April 7, 2014 an exploitable vulnerability in OpenSSL was
        reported by US-CERT/NIST. OpenSSL is widely used in internet
        infrastructures, and this vulnerability was introduced into OpenSSL
        in December 2011. The vulnerability is the result of a missing
        bounds check in the OpenSSL code that handles the TLS 'heartbeat'
        messages. Someone with malicious intent can exploit this
        vulnerability by requesting that a running TLS server return up to
        64KB of its private memory space. Since this is the same memory
        space where OpenSSL stores the server's private key material, an
        attacker can potentially obtain long-term server private keys, TLS
        session keys, or usernames / passwords. The vulnerability was first
        introduced in OpenSSL release version 1.0.1 on March 14, 2012.
        OpenSSL 1.0.1g, released on April 7, 2014, fixes the vulnerability.

        See https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160
        for additional details." [1]


MITIGATION

        The vendor recommends upgrading to the latest version of the
        affected product. Information on updates is available on
        Barracuda's product management blog: http://cuda.co/heartbleed


REFERENCES

        [1] Tech Alerts
            https://www.barracuda.com/support/techalerts

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation.  The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures.  AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
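
The missing bounds check named in the vendor statement above, as an added example that is not part of the bulletin and is not OpenSSL's or Barracuda's code: a heartbeat handler that validates the 16-bit claimed payload length against the bytes actually received, following the RFC 6520 message layout. The function names, verdict values and sample records are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
enum { HB_REQUEST = 1, HB_RESPONSE = 2 };
#define HB_HDR 3u   /* type (1 byte) + payload_length (2 bytes) */
#define HB_PAD 16u  /* minimum padding required by RFC 6520 */
enum hb_verdict { HB_OK, HB_MALFORMED, HB_OVERCLAIM };

/* Constructed sample records, not captured traffic; unset bytes are zero. */
static const uint8_t hb_good[23] = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' };
static const uint8_t hb_bad[19]  = { HB_REQUEST, 0x40, 0x00 }; /* claims 16384 */

/* Classify a decrypted heartbeat record of rec_len bytes. */
enum hb_verdict hb_check(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < HB_HDR + HB_PAD || rec[0] != HB_REQUEST)
        return HB_MALFORMED;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2]; /* sender-controlled, 0..65535 */
    /* The bounds check: header, claimed payload and minimum padding must all
       fit inside the bytes that were actually received. */
    if (HB_HDR + claimed + HB_PAD > rec_len)
        return HB_OVERCLAIM;
    return HB_OK;
}

/* Build the echo response; returns bytes written, or 0 to discard silently. */
size_t hb_respond(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (hb_check(rec, rec_len) != HB_OK)
        return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    size_t resp_len = HB_HDR + claimed + HB_PAD;
    if (resp_len > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1]; out[2] = rec[2];            /* echo the validated length */
    memcpy(out + HB_HDR, rec + HB_HDR, claimed); /* in bounds: checked above */
    memset(out + HB_HDR + claimed, 0, HB_PAD);   /* demo only; RFC 6520 wants random padding */
    return resp_len;
}

int main(void)
{
    uint8_t out[64];
    printf("good: %zu bytes\n", hb_respond(hb_good, sizeof hb_good, out, sizeof out));
    printf("bad:  %zu bytes\n", hb_respond(hb_bad, sizeof hb_bad, out, sizeof out));
    return 0;
}
```

The `HB_OVERCLAIM` verdict is also a useful thing to log: a request whose claimed length exceeds the record it arrived in has no legitimate reason to exist.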