[BESAdmin-Announcements] IBM Endpoint Manager 9.1.1065 - OpenSSL TLS Heartbeat Read Overrun Vulnerability

Announcements for BES Administrators besadmin-announcements at bigmail.bigfix.com
Mon Apr 7 18:33:39 PDT 2014



There is an OpenSSL vulnerability that could allow an attacker to compromise
the IBM Endpoint Manager root server signing key. Both Windows and Linux
server deployments are affected. Note that the site admin key cannot be
compromised using this vulnerability.

IMMEDIATE ACTIONS:

* If you are using Endpoint Manager 9.0 or earlier, you are unaffected. You
  should delay upgrading to 9.1 until a patch is released. We have removed the
  9.1 upgrade fixlets from BES Support.

* If you are using Endpoint Manager 9.1, you can mitigate your exposure to
  this vulnerability by taking the following steps until a 9.1 patch is
  released:

   1) Limit network access to the root server to only trusted hosts.
   2) Rotate the server signing key on the root server on a regular basis [a].
   3) If any custom HTTPS keys are being used in the root server or web
      reports, those keys should also be rotated.
   4) Avoid sending any sensitive data via mailboxes or secure parameters to
      relays or the root server.
   5) Consider temporarily disconnecting any internet-facing relays.

[a] http://www-01.ibm.com/support/docview.wss?uid=swg21669587

BACKGROUND:

An OpenSSL vulnerability was announced today in versions 1.0.1 and 1.0.2 of
OpenSSL. This vulnerability is officially named "TLS heartbeat read overrun
(CVE-2014-0160)" and has come to be colloquially named "The Heartbleed
Bug".

Official advisory : http://www.openssl.org/news/secadv_20140407.txt
More details      : http://heartbleed.com

Any software that uses an affected version of OpenSSL and is a TLS server is
vulnerable.

This vulnerability affects IBM Endpoint Manager version 9.1. Other versions of
Endpoint Manager (9.0.* and earlier) are not affected by this vulnerability
because they use an earlier version of OpenSSL.
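Because exposure here comes down to which OpenSSL build a server links, the first triage step is to classify the `openssl version` banner on each 9.1 root server and relay. The following is an added example, not code from the announcement or from IBM; it narrows the page's "1.0.1 and 1.0.2" to the exact affected range published in the OpenSSL advisory (1.0.1 through 1.0.1f, plus 1.0.2-beta1; fixed in 1.0.1g), and the function names and sample banners are my own.

```python
import re
import subprocess

# Banner format is "OpenSSL <major>.<minor>.<fix><letter> [-beta<n>] <date>".
_VERSION_RE = re.compile(
    r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta|pre)(\d+))?", re.IGNORECASE
)

def parse_openssl_version(banner):
    """Parse an `openssl version` banner into (major, minor, fix, letter, pre).

    letter is '' for the base release (e.g. "1.0.1"), pre is ('beta', 1) for
    pre-releases or None. Returns None if the string is not an OpenSSL banner.
    """
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, fix = (int(m.group(i)) for i in (1, 2, 3))
    letter = m.group(4).lower()
    pre = (m.group(5).lower(), int(m.group(6))) if m.group(5) else None
    return major, minor, fix, letter, pre

def is_heartbleed_affected(banner):
    """True if the banner falls in the CVE-2014-0160 affected range.

    Caveat: a build compiled with OPENSSL_NO_HEARTBEATS is safe even though
    its banner says 1.0.1e, so treat True as "must verify", not "proven".
    """
    parsed = parse_openssl_version(banner)
    if parsed is None:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    major, minor, fix, letter, pre = parsed
    if (major, minor) != (1, 0):
        return False          # 0.9.8 predates heartbeats; 1.1.x postdates the fix
    if fix == 1:
        # 1.0.1 base release and pre-releases through 1.0.1f; 1.0.1g is fixed.
        return letter <= "f"
    if fix == 2:
        return pre == ("beta", 1)   # 1.0.2-beta2 and later carry the fix
    return False              # 1.0.0x never had the heartbeat extension

def check_local_openssl():
    """Classify the OpenSSL binary on PATH; returns (banner, affected)."""
    banner = subprocess.check_output(["openssl", "version"]).decode().strip()
    return banner, is_heartbleed_affected(banner)

if __name__ == "__main__":
    print(check_local_openssl())
```

Run it on each root server and relay host, or feed it banners collected by inventory; a True result means the host needs the 9.1 patch or the mitigations above.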

IMPACT:

This vulnerability impacts IBM Endpoint Manager in several ways. An attacker
that can send network requests to the root server can read the root server's
memory and obtain the server signing private key. This key could be used, as
part of a man-in-the-middle attack, to impersonate the root server and obtain
console login credentials. It can also be used to forge actions that agents
will accept as authentic.

An attacker that can send network requests to a 9.1 relay can read the relay's
memory and obtain the private key of the agent on the relay machine. This key
can be used to read the contents of mailboxes and secure parameters sent to
the target agent. It can also be used to impersonate reports from the agent
that the server will accept as genuine.

If you are using any custom SSL certificates for a 9.1 root server or web
reports server, the private keys for those certificates could be compromised.
If you are using these keys on any other systems, you should rotate them
immediately.

REMEDIATION:

The IBM Endpoint Manager team is working on a patch release that will fix this
vulnerability. We will make this patch available as soon as possible, and we
recommend that you make plans to upgrade from 9.1 to the patch release as soon
as it is available.