Security Bulletin: IBM Endpoint Manager 9.1.1065 - OpenSSL TLS Heartbeat Read Overrun Vulnerability
There is an OpenSSL vulnerability that could allow an attacker to compromise the IBM Endpoint Manager root server signing key. Both Windows and Linux server deployments are affected. Note that the site admin key cannot be compromised using this vulnerability.
* If you are using Endpoint Manager 9.0 or earlier, you are unaffected. You should delay upgrading to 9.1 until a patch is released. We have removed the 9.1 upgrade fixlets from BES Support.
* If you are using Endpoint Manager 9.1, you can mitigate your exposure to this vulnerability by taking the following steps until a 9.1 patch is released:
An OpenSSL vulnerability was announced today in versions 1.0.1 and 1.0.2 of OpenSSL. This vulnerability is officially named "TLS heartbeat read overrun (CVE-2014-0160)" and is colloquially known as "The Heartbleed Bug".
Official advisory: http
More details: http
Any software that uses an affected version of OpenSSL and is a TLS server is vulnerable.
This vulnerability affects IBM Endpoint Manager version 9.1. Other versions of Endpoint Manager (9.0.* and earlier) are not affected by this vulnerability because they use an earlier version of OpenSSL.
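As an added illustration that is not part of IBM's bulletin, the following Python inventory check classifies `openssl version` banners against the range affected by CVE-2014-0160. The host names and banners are constructed, and the affected range (1.0.1 through 1.0.1f, and the 1.0.2 pre-releases up to beta1) comes from the upstream OpenSSL releases rather than from this bulletin.

```python
import re

# Version token of an 'openssl version' banner: numeric triple, optional patch
# letters, optional "-tag" suffix (e.g. "1.0.1e", "1.0.1e-fips", "1.0.2-beta1").
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-([a-z0-9]+))?", re.I)

def parse_openssl_version(banner):
    """Return (major, minor, patch, letters, tag) from an 'openssl version' banner."""
    m = re.search(r"OpenSSL\s+(\S+)", banner)
    token = m.group(1) if m else banner.strip()
    m = _VERSION_RE.match(token)
    if not m:
        raise ValueError("unrecognised OpenSSL version string: %r" % banner)
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    return major, minor, patch, m.group(4).lower(), (m.group(5) or "").lower()

def is_heartbleed_affected(banner):
    """True if the upstream release named in the banner shipped CVE-2014-0160."""
    major, minor, patch, letters, tag = parse_openssl_version(banner)
    if (major, minor, patch) == (1, 0, 1):
        # 1.0.1 (no letter) through 1.0.1f are affected; 1.0.1g carries the fix.
        return letters <= "f"
    if (major, minor, patch) == (1, 0, 2):
        # Only the 1.0.2 pre-releases up to beta1 were affected.
        return tag in ("beta", "beta1")
    return False  # 1.0.0, 0.9.8 and later branches never had the heartbeat bug

def audit_inventory(lines):
    """Flag 'host,banner' inventory lines whose OpenSSL version is in range.

    Caveat: distribution packages that backport the fix keep the old version
    number (a patched build may still report 1.0.1e), so a flagged host needs a
    second check against the package changelog before remediation is scheduled.
    """
    flagged = []
    for line in lines:
        host, banner = line.split(",", 1)
        if is_heartbleed_affected(banner):
            flagged.append(host.strip())
    return flagged

# Constructed sample inventory: hypothetical hosts and banners.
SAMPLE_INVENTORY = [
    "iem-root-01,OpenSSL 1.0.1e 11 Feb 2013",
    "iem-relay-02,OpenSSL 1.0.1f 6 Jan 2014",
    "iem-relay-03,OpenSSL 1.0.1g 7 Apr 2014",
    "iem-webrep-04,OpenSSL 1.0.2-beta1 24 Feb 2014",
    "legacy-90-05,OpenSSL 1.0.0l 6 Jan 2014",
]
```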
This vulnerability impacts IBM Endpoint Manager in several ways. An attacker who can send network requests to the root server can read the root server's memory and obtain the server signing private key. This key could be used, as part of a man-in-the-middle attack, to impersonate the root server and obtain console login credentials. It can also be used to forge actions that agents will accept as authentic.
An attacker who can send network requests to a 9.1 relay can read the relay's memory and obtain the private key of the agent on the relay machine. This key can be used to read the contents of mailboxes and secure parameters sent to the target agent. It can also be used to impersonate reports from the agent that the server will accept as genuine.
If you are using any custom SSL certificates for a 9.1 root server or web reports server, the private keys for those certificates could be compromised.
If you are using these keys on any other systems, you should rotate them immediately.
The IBM Endpoint Manager team is working on a patch release that will fix this vulnerability. We will make this patch available as soon as possible, and we recommend that you make plans to upgrade from 9.1 to the patch release as soon as it is available.