===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.0509
          FSC-2014-1: Notice on OpenSSL 'Heartbleed' Vulnerability
                               15 April 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           F-Secure Server Security
                   F-Secure E-mail and Server Security
                   F-Secure PSB Server Security
                   F-Secure E-mail and Server Security
                   F-Secure Messaging Secure Gateway
                   F-Secure Protection Service for Email
                   F-Secure SAFE
                   F-Secure Key
                   F-Secure Freedome
                   F-Secure Lokki
                   F-Secure Safe Avenue
                   F-Secure Safe Search
                   F-Secure Safe Profile
                   F-Secure Anti-Theft Portal
Publisher:         F-Secure
Operating System:  Windows
                   Network Appliance
Impact/Access:     Access Privileged Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-0160
Reference:         ASB-2014.0042
                   ESB-2014.0457

Original Bulletin:
   http://www.f-secure.com/en/web/labs_global/fsc-2014-1

--------------------------BEGIN INCLUDED TEXT--------------------

FSC-2014-1: Notice on OpenSSL 'Heartbleed' Vulnerability

Brief Description

HeartBleed is a critical security vulnerability (CVE-2014-0160) in the OpenSSL
cryptographic library, which is widely used by online sites and web-based
services to provide secure connections. The vulnerability potentially allows
an attacker to silently read information from the memory of a server. This
means highly confidential information, such as web server private keys and
user passwords, could be copied by an attacker.

This advisory will be updated as additional information becomes available.
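The bulletin names the CVE but not the affected OpenSSL releases. The triage helper below is an added example (not part of the F-Secure or AusCERT text): it classifies the banner printed by `openssl version` against the ranges given in the OpenSSL project's own CVE-2014-0160 advisory, and records the caveat that a vendor build with a backported fix cannot be told apart by its version string alone.

```python
import re
from typing import NamedTuple

# Affected ranges are from the OpenSSL project's 2014-04-07 advisory for
# CVE-2014-0160, not from this bulletin: 1.0.1 through 1.0.1f and 1.0.2-beta1
# carry the bug, 1.0.1g fixed it, and 1.0.0 / 0.9.8 never had the heartbeat code.
FIXED_LETTER = "g"

_VERSION_RE = re.compile(
    r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+|pre\d+))?", re.IGNORECASE)

class Triage(NamedTuple):
    version: str
    status: str   # "vulnerable", "fixed", "not_affected" or "unknown"
    note: str

def triage_openssl_version(banner: str) -> Triage:
    """Classify one `openssl version` banner against the CVE-2014-0160 ranges.

    Distributions often backport the fix without bumping the letter (a patched
    build can still report 1.0.1e), so "vulnerable" here means "vulnerable
    unless a backported fix or an OPENSSL_NO_HEARTBEATS build is confirmed".
    """
    m = _VERSION_RE.search(banner)
    if not m:
        return Triage(banner.strip(), "unknown", "could not parse version string")
    major, minor, fix = (int(x) for x in m.group(1, 2, 3))
    letter, prerelease = m.group(4).lower(), (m.group(5) or "").lower()
    version = f"{major}.{minor}.{fix}{letter}" + (f"-{prerelease}" if prerelease else "")
    if (major, minor, fix) == (1, 0, 1):
        if letter >= FIXED_LETTER:
            return Triage(version, "fixed", "1.0.1g or later")
        return Triage(version, "vulnerable", "1.0.1 to 1.0.1f: confirm no backported fix")
    if (major, minor, fix) == (1, 0, 2):
        if prerelease == "beta1":
            return Triage(version, "vulnerable", "1.0.2-beta1 shipped the bug")
        return Triage(version, "fixed", "1.0.2-beta2 or later")
    if (major, minor, fix) > (1, 0, 2):
        return Triage(version, "fixed", "released after the fix")
    return Triage(version, "not_affected", "branch without the TLS heartbeat extension")

def hosts_needing_action(banners: dict) -> list:
    """Return the host names whose banner is vulnerable or could not be parsed.

    `banners` maps a host name to the `openssl version` output collected from it.
    """
    return sorted(h for h, b in banners.items()
                  if triage_openssl_version(b).status in ("vulnerable", "unknown"))
```

Feed it the banners collected from an inventory run; anything it reports as "unknown" (a non-OpenSSL banner, for instance) still needs a manual look rather than being treated as safe.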
Products

Risk Level: CRITICAL (Low/Medium/High/Critical)

Corporate products
  F-Secure Server Security / E-mail and Server Security 10.x - 11
  PSB Server Security / Email Server Security 10.00
  F-Secure Messaging Secure Gateway 7.5
  Protection Service for Email 7.5

Consumer products
  F-Secure SAFE
  F-Secure Key
  F-Secure Freedome
  Lokki

Affected Platforms

Risk Level: CRITICAL (Low/Medium/High/Critical)

Consumer platforms:
  Safe Avenue
  Safe Search
  Safe Profile
  Anti-Theft Portal

Notes

The following products and platforms are affected and already patched.

F-Secure SAFE
  Requires User Action? (Y/N): Y
  Since the F-Secure SAFE portal requires a web log-in (MySafe), we suggest
  you change your password, as we suggest doing for any other online service.
  1. Log in to the SAFE portal at https://mysafe.f-secure.com/login.
  2. Change your password on the "Account details" tab.

Safe Avenue
  Requires User Action? (Y/N): N

Safe Profile
  Requires User Action? (Y/N): N

Safe Search
  Requires User Action? (Y/N): N

F-Secure Key
  Requires User Action? (Y/N): N
  F-Secure Key servers were affected by the vulnerability; however, all data
  stored in F-Secure Key is safe. Data can only be accessed on the user's
  device, and users do not have to change their Master Password because of
  the Heartbleed vulnerability.

F-Secure Freedome
  Requires User Action? (Y/N): N

F-Secure Messaging Secure Gateway 7.5
  Requires User Action? (Y/N): Y
  1. Regenerate the server's private keys and certificates, and revoke the
     old certificates.
  2. Change Administrator user passwords.

Protection Service for Email 7.5
  Requires User Action? (Y/N): Y
  1. Change Administrator user passwords.

F-Secure Server Security
  Requires User Action? (Y/N): Y
  1. Download and apply the corresponding hotfix. See the "Fix Available"
     section.
  2. Regenerate the server's private keys and certificates, and revoke the
     old certificates.
  3. Restart the F-Secure Web UI Daemon service.
  4. Change Administrator user passwords.

F-Secure E-mail and Server Security
  Requires User Action? (Y/N): Y
  1. Download and apply the corresponding hotfix. See the "Fix Available"
     section.
  2. Regenerate the server's private keys and certificates, and revoke the
     old certificates.
  3. Restart the F-Secure Web UI Daemon service.
  4. Change Administrator user passwords.

F-Secure PSB Server Security
  Requires User Action? (Y/N): Y
  PSB ESS 10.00 MF1, which addresses the HeartBleed vulnerability
  (CVE-2014-0160), will be available starting from today, 14th April 2014,
  via channel upgrade. It is recommended that, on top of this multifix, users
  regenerate their certificates and change their passwords at the endpoint.
  1. Create a new server self-signed certificate using the makecert.bat
     Windows batch file. It can be found in the F-Secure\Web User
     Interface\Bin folder.
  2. Change the passwords for the accounts used to log in to the Web User
     Interface.

F-Secure PSB E-mail and Server Security
  Requires User Action? (Y/N): Y
  PSB ESS 10.00 MF1, which addresses the HeartBleed vulnerability
  (CVE-2014-0160), will be available starting from today, 14th April 2014,
  via channel upgrade. It is recommended that, on top of this multifix, users
  regenerate their certificates and change their passwords at the endpoint.
  1. Create a new server self-signed certificate using the makecert.bat
     Windows batch file. It can be found in the F-Secure\Web User
     Interface\Bin folder.
  2. Change the passwords for the accounts used to log in to the Web User
     Interface.

Anti-Theft Portal
  Requires User Action? (Y/N): Y
  1. Change all user passwords.

Lokki
  Requires User Action? (Y/N): N

Fix Available

F-Secure E-mail and Server Security, versions 10.x - 11.00
  Hotfix: ftp://ftp.f-secure.com/support/hotfix/fsss/FSESS1100-HF01-signed.fsfix
          ftp://ftp.f-secure.com/support/hotfix/fsss/FSESS1100-HF01-signed.jar

F-Secure E-mail and Server Security Premium, version 11.00
  Hotfix: ftp://ftp.f-secure.com/support/hotfix/fsss/FSESSPR1100-HF01-signed.fsfix
          ftp://ftp.f-secure.com/support/hotfix/fsss/FSESSPR1100-HF01-signed.jar

F-Secure Server Security, versions 10.x - 11.00
  Hotfix: ftp://ftp.f-secure.com/support/hotfix/fsss/FSSS1100-HF01-signed.fsfix
          ftp://ftp.f-secure.com/support/hotfix/fsss/FSSS1100-HF01-signed.jar

F-Secure Server Security Premium, version 11.00
  Hotfix: ftp://ftp.f-secure.com/support/hotfix/fsss/FSSSPR1100-HF01-signed.fsfix
          ftp://ftp.f-secure.com/support/hotfix/fsss/FSSSPR1100-HF01-signed.jar

Applying Hotfixes

Standalone computers:
  1. Double-click on the downloaded .fsfix file and follow the instructions.

Centrally managed computers:
  1. In F-Secure Policy Manager Console, select the Installation tab. Import
     the downloaded jar file.
  2. Select the appropriate domain or host and under "Installed products
     summary".
  3. Use the "hotfix" action for the F-Secure E-Mail and Server Security
     product. Select this hotfix and distribute policies.

Date Issued:        2014-04-11
Date Last Updated:  2014-04-14

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================