===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.0509
         FSC-2014-1: Notice on OpenSSL 'Heartbleed' Vulnerability
                               15 April 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           F-Secure Server Security
                   F-Secure E-mail and Server Security
                   F-Secure PSB Server Security
                   F-Secure Messaging Secure Gateway
                   F-Secure Protection Service for Email
                   F-Secure SAFE
                   F-Secure Key
                   F-Secure Freedome
                   F-Secure Lokki
                   F-Secure Safe Avenue
                   F-Secure Safe Search
                   F-Secure Safe Profile
                   F-Secure Anti-Theft Portal
Publisher:         F-Secure
Operating System:  Windows
                   Network Appliance
Impact/Access:     Access Privileged Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-0160  

Reference:         ASB-2014.0042
                   ESB-2014.0457

Original Bulletin: 
   http://www.f-secure.com/en/web/labs_global/fsc-2014-1

---------------------------BEGIN INCLUDED TEXT--------------------

FSC-2014-1: Notice on OpenSSL 'Heartbleed' Vulnerability
 
Brief Description

HeartBleed is a critical security vulnerability (CVE-2014-0160) in the OpenSSL 
cryptographic library, which is widely used by online sites and web-based 
services to provide secure connections. The vulnerability potentially allows 
an attacker to silently read information from the memory of a server. This 
means highly confidential information, such as web server private keys and 
user passwords, could be copied by an attacker.

This advisory will be updated as additional information becomes available.
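The defect behind this advisory, shown as an added illustration that is not part of the F-Secure or AusCERT text: the TLS heartbeat handler (RFC 6520) copied as many payload bytes as the peer's length field declared, without checking that the received message actually contained them, so the reply carried whatever followed in process memory. The byte buffer standing in for memory, the secret string and the function names are all constructed for this example.

```python
import struct

# Heartbeat message layout (RFC 6520): type(1) | payload_length(2) | payload | padding(>=16)
HB_REQUEST = 1
HB_RESPONSE = 2
MIN_PADDING = 16


def heartbeat_is_well_formed(message: bytes) -> bool:
    """The bounds check the OpenSSL fix added: the declared payload_length must
    fit inside the received message together with the type byte, the length
    field and at least 16 bytes of padding. `message` is one heartbeat body."""
    if len(message) < 1 + 2 + MIN_PADDING:
        return False
    payload_len = struct.unpack("!H", message[1:3])[0]
    return 1 + 2 + payload_len + MIN_PADDING <= len(message)


def build_response_unchecked(memory: bytes, offset: int) -> bytes:
    """Simulates the unpatched behaviour on a toy buffer: `memory` stands in for
    process memory, the heartbeat message starts at `offset`, and the response
    copies payload_length bytes from the payload start without checking that
    the message actually contains that many bytes (the over-read)."""
    payload_len = struct.unpack("!H", memory[offset + 1:offset + 3])[0]
    payload_start = offset + 3
    return (bytes([HB_RESPONSE]) + memory[offset + 1:offset + 3]
            + memory[payload_start:payload_start + payload_len])


def build_response_checked(message: bytes):
    """Patched behaviour: a message whose length field overstates the payload is
    silently discarded instead of being answered."""
    if not heartbeat_is_well_formed(message):
        return None
    payload_len = struct.unpack("!H", message[1:3])[0]
    return bytes([HB_RESPONSE]) + message[1:3 + payload_len] + b"\x00" * MIN_PADDING


def demo() -> dict:
    # Constructed messages: one honest (declares 4 bytes, carries "ping"),
    # one that declares 64 bytes but carries the same 4-byte payload.
    good = bytes([HB_REQUEST]) + struct.pack("!H", 4) + b"ping" + b"\x00" * MIN_PADDING
    bad = bytes([HB_REQUEST]) + struct.pack("!H", 64) + b"ping" + b"\x00" * MIN_PADDING
    memory = bad + b"PRIVATE_KEY_MATERIAL_AND_PASSWORDS"  # constructed "memory" after the message
    leaked = build_response_unchecked(memory, 0)
    return {
        "good_accepted": heartbeat_is_well_formed(good),
        "bad_accepted": heartbeat_is_well_formed(bad),
        "unchecked_leaks_secret": b"PRIVATE_KEY" in leaked,
        "checked_drops_bad": build_response_checked(bad) is None,
    }
```

Running demo() shows the unchecked reply containing the neighbouring "secret" bytes while the checked handler drops the malformed message, which is why the remediation below also regenerates keys and rotates passwords rather than only patching.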
 
Products
Risk Level: CRITICAL (Low/Medium/High/Critical)

Corporate products
F-Secure Server Security / E-mail and Server Security 10.x – 11
PSB Server Security / Email Server Security 10.00
F-Secure Messaging Secure Gateway 7.5
Protection Service for Email 7.5

Consumer products
F-Secure SAFE
F-Secure Key
F-Secure Freedome
Lokki
 
 
Affected Platforms
Risk Level: CRITICAL (Low/Medium/High/Critical)

Consumer platforms:
Safe Avenue
Safe Search
Safe Profile
Anti-Theft Portal
 
Notes
The following products and platforms are affected and already patched.

Product / Platform                        User action required? (Y/N)   Remarks
-------------------------------------------------------------------------------
F-Secure SAFE                             Y
    Since the F-Secure SAFE portal requires a web log-in (MySafe), we suggest
    you change your password, as we suggest for any other online service.
    1. Log in to the SAFE portal at https://mysafe.f-secure.com/login.
    2. Change your password on the "Account details" tab.

Safe Avenue                               N

Safe Profile                              N

Safe Search                               N

F-Secure Key                              N
    F-Secure Key servers were affected by the vulnerability; however, all data
    stored in F-Secure Key is safe. Data can only be accessed on the user's
    device, and users do not have to change their Master Password because of
    the Heartbleed vulnerability.

F-Secure Freedome                         N

F-Secure Messaging Secure Gateway 7.5     Y
    1. Regenerate the server's private keys and certificates, and revoke the
       old certificates.
    2. Change Administrator user passwords.

Protection Service for Email 7.5          Y
    1. Change Administrator user passwords.

F-Secure Server Security                  Y
    1. Download and apply the corresponding hotfix. See the "Fix Available"
       section.
    2. Regenerate the server's private keys and certificates, and revoke the
       old certificates.
    3. Restart the F-Secure Web UI Daemon service.
    4. Change Administrator user passwords.

F-Secure E-mail and Server Security       Y
    1. Download and apply the corresponding hotfix. See the "Fix Available"
       section.
    2. Regenerate the server's private keys and certificates, and revoke the
       old certificates.
    3. Restart the F-Secure Web UI Daemon service.
    4. Change Administrator user passwords.

F-Secure PSB Server Security              Y
    PSB ESS 10.00 MF1, which addresses the Heartbleed vulnerability
    (CVE-2014-0160), will be available starting from today, 14 April 2014, via
    channel upgrade. On top of this multifix, it is recommended that users
    regenerate their certificates and change their passwords at the endpoint.
    1. Create a new server self-signed certificate using the makecert.bat
       Windows batch file, found in the F-Secure\Web User Interface\Bin folder.
    2. Change passwords for accounts used to log in to the Web User Interface.

F-Secure PSB E-mail and Server Security   Y
    PSB ESS 10.00 MF1, which addresses the Heartbleed vulnerability
    (CVE-2014-0160), will be available starting from today, 14 April 2014, via
    channel upgrade. On top of this multifix, it is recommended that users
    regenerate their certificates and change their passwords at the endpoint.
    1. Create a new server self-signed certificate using the makecert.bat
       Windows batch file, found in the F-Secure\Web User Interface\Bin folder.
    2. Change passwords for accounts used to log in to the Web User Interface.

Anti-Theft Portal                         Y
    1. Change all user passwords.

Lokki                                     N
 

Fix Available
 

Product                                      Versions       Download
----------------------------------------------------------------------
F-Secure E-mail and Server Security          10.x - 11.00   Hotfix:
    ftp://ftp.f-secure.com/support/hotfix/fsss/FSESS1100-HF01-signed.fsfix
    ftp://ftp.f-secure.com/support/hotfix/fsss/FSESS1100-HF01-signed.jar

F-Secure E-mail and Server Security Premium  11.00          Hotfix:
    ftp://ftp.f-secure.com/support/hotfix/fsss/FSESSPR1100-HF01-signed.fsfix
    ftp://ftp.f-secure.com/support/hotfix/fsss/FSESSPR1100-HF01-signed.jar

F-Secure Server Security                     10.x - 11.00   Hotfix:
    ftp://ftp.f-secure.com/support/hotfix/fsss/FSSS1100-HF01-signed.fsfix
    ftp://ftp.f-secure.com/support/hotfix/fsss/FSSS1100-HF01-signed.jar

F-Secure Server Security Premium             11.00          Hotfix:
    ftp://ftp.f-secure.com/support/hotfix/fsss/FSSSPR1100-HF01-signed.fsfix
    ftp://ftp.f-secure.com/support/hotfix/fsss/FSSSPR1100-HF01-signed.jar


Applying Hotfixes

Standalone computers:
1. Double-click the downloaded .fsfix file and follow the instructions.

Centrally managed computers:
1. In F-Secure Policy Manager Console, select the Installation tab and import
   the downloaded .jar file.
2. Select the appropriate domain or host and go to "Installed products
   summary".
3. Use the "hotfix" action for the F-Secure E-Mail and Server Security product.
   Select this hotfix and distribute policies.
 
 
Date Issued: 2014-04-11
Date Last Updated: 2014-04-14

---------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================