Advisory: OpenSSL package / Heartbleed Extension Vulnerability
Dear Raritan Customers,
It was recently discovered that some Raritan products incorporate a version of the OpenSSL package affected by the Heartbleed Extension Vulnerability. The vulnerability is due to a missing bounds check in the handling of the Transport Layer Security (TLS) heartbeat extension (see heartbleed.com).
As a precaution, Raritan has released new firmware versions that address this vulnerability. We recommend that you take the time to determine whether your products are impacted. If they are, please upgrade your Raritan products according to the available F/W fixes.
Updates will be posted as information becomes available.
DESCRIPTION:
A critical security issue (CVE-2014-0160) was found in OpenSSL versions 1.0.1 through 1.0.1f. It is variously referred to as the Heartbleed or Heartbeat bug. The bug is in the implementation of the TLS heartbeat extension. See the Additional Comments section below for details.
ROOT CAUSE:
From heartbleed.com: What versions of OpenSSL are affected?
- OpenSSL 1.0.1 through 1.0.1f (inclusive) ARE vulnerable
- OpenSSL 1.0.1g is NOT vulnerable
- OpenSSL 1.0.0 branch is NOT vulnerable
- OpenSSL 0.9.8 branch is NOT vulnerable
IMPACT ON RARITAN PRODUCTS:
Below is the list of Raritan products and whether each is impacted, based on the OpenSSL version it runs:
Product | OpenSSL Version | Impact | Comment |
--- | --- | --- | --- |
Power IQ 4.1.2 | Openssl-1.0.0-27.el6_4.2.x86_64 | Not vulnerable | |
dcTrack 3.1.0 | Openssl-0.9.8e-12.el5_5.7 | Not vulnerable | |
DSX 3.4 | OpenSSL 0.9.7m | Not vulnerable | |
CC-SG 5.4.0 | Openssl-0.9.8e-12.el5_4.6 | Not vulnerable | |
DKX2 2.6.0 | Openssl-0.9.8 | Not vulnerable | |
DKSXII, DLX, DKX2-101-V2 | Openssl-0.9.8 | Not vulnerable | |
DPX1 | OpenSSL 0.9.8 | Not vulnerable | |
EMX2 | openssl-1.0.1c | Vulnerable | Upgrade to Release 2.5.1 |
DPX2 2.4.x, BCM24xx, PXE | openssl-1.0.1c | Vulnerable | Upgrade to Firmware 2.5.30 |
DPX3/TS | openssl-1.0.1c | Vulnerable | Upgrade to Firmware 2.6.1 |
DKX III | openssl-1.0.1c | Vulnerable | Upgrade to Firmware 3.0.1 |
CC-SG 6.0 | Openssl-1.0.1e-15.el6.x86_64 | Vulnerable | Upgrade to Version 6.0.0 |
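The version range in the ROOT CAUSE section and the version strings in the table above can be turned into a first-pass triage of an inventory. The following Python is an added example written for this advisory, not Raritan's or the OpenSSL project's code. It parses the same kinds of version strings the table uses (bare "OpenSSL 0.9.7m", package names like "openssl-1.0.1c", and distribution builds like "Openssl-1.0.1e-15.el6.x86_64"), applies the 1.0.1 through 1.0.1f rule, and flags distribution builds separately: a distribution may backport the fix without changing the upstream version number, so for those the vendor's own table, not the version string, is the authority. The inventory dictionary is constructed for the example from the table's entries plus one hypothetical patched host.

```python
import re
from typing import Dict, Optional, Tuple

# Range stated in the advisory: OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable.
VULNERABLE_BRANCH = (1, 0, 1)
LAST_VULNERABLE_LETTER = "f"

# Matches an x.y.z version with an optional patch letter, e.g. "1.0.1e" or "0.9.8".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([A-Za-z]?)")

# Heuristic: a "-<release>.el<N>" suffix marks a RHEL/CentOS-style distribution build.
_DISTRO_RE = re.compile(r"-\d+\.el\d", re.IGNORECASE)


def parse_openssl_version(text: str) -> Optional[Tuple[int, int, int, str]]:
    """Extract (major, minor, patch, letter) from strings such as
    'OpenSSL 0.9.7m', 'openssl-1.0.1c' or 'Openssl-1.0.1e-15.el6.x86_64'.
    Returns None when no x.y.z version is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, letter = m.groups()
    return int(major), int(minor), int(patch), letter.lower()


def heartbleed_status(text: str) -> str:
    """Classify a version string against the advisory's range:
    'vulnerable'     -> 1.0.1 (initial release) through 1.0.1f
    'not vulnerable' -> 1.0.1g or later, or any other branch (1.0.0, 0.9.8, ...)
    'unknown'        -> version could not be parsed"""
    parsed = parse_openssl_version(text)
    if parsed is None:
        return "unknown"
    major, minor, patch, letter = parsed
    if (major, minor, patch) != VULNERABLE_BRANCH:
        return "not vulnerable"
    # Plain "1.0.1" with no letter is the first release of the branch and is in range.
    if letter == "" or letter <= LAST_VULNERABLE_LETTER:
        return "vulnerable"
    return "not vulnerable"


def is_distro_package(text: str) -> bool:
    """True for distribution builds, where the fix may have been backported
    without bumping the upstream version; confirm those with the vendor."""
    return _DISTRO_RE.search(text) is not None


# Constructed sample inventory: entries taken from the advisory table plus one
# hypothetical host running the fixed upstream release.
SAMPLE_INVENTORY: Dict[str, str] = {
    "Power IQ 4.1.2": "Openssl-1.0.0-27.el6_4.2.x86_64",
    "DSX 3.4": "OpenSSL 0.9.7m",
    "EMX2": "openssl-1.0.1c",
    "CC-SG 6.0": "Openssl-1.0.1e-15.el6.x86_64",
    "patched-host (hypothetical)": "OpenSSL 1.0.1g",
}


def triage(inventory: Dict[str, str]) -> Dict[str, Tuple[str, bool]]:
    """Map each product to (status, needs_vendor_confirmation).
    The flag is set when a vulnerable-looking version is a distribution build."""
    report = {}
    for name, version in inventory.items():
        status = heartbleed_status(version)
        confirm = status == "vulnerable" and is_distro_package(version)
        report[name] = (status, confirm)
    return report


if __name__ == "__main__":
    for name, (status, confirm) in triage(SAMPLE_INVENTORY).items():
        note = "  (distro build: confirm against vendor advisory)" if confirm else ""
        print(f"{name:30s} {status}{note}")
```

Run stand-alone it prints one line per product. The "confirm" flag matters for entries like CC-SG 6.0: the string 1.0.1e falls in the vulnerable range, and the advisory does list it as vulnerable, but for other RHEL-packaged 1.0.1e builds only the package changelog or the vendor can say whether the fix was backported.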
Recovery Procedure:
Raritan recommends that customers consult their security experts and take appropriate actions to recover from this vulnerability, including installing new SSL certificates and changing passwords.