FSC-2014-1: Notice on OpenSSL 'Heartbleed' Vulnerability

Description

Heartbleed is a critical security vulnerability (CVE-2014-0160) in the OpenSSL cryptographic library, which is widely used by online sites and web-based services to provide secure connections. The vulnerability potentially allows an attacker to silently read information from the memory of a server. This means that highly confidential information, such as web server private keys and user passwords, could be copied by an attacker.

This advisory will be updated as additional information becomes available.
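To make the memory-disclosure risk described above concrete, here is an added C model of the heartbeat length check that the OpenSSL fix introduced; it is not code from this advisory or from OpenSSL itself, and the record layout, the function name heartbeat_respond and the sample records are simplified assumptions.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Simplified model (an added illustration, not OpenSSL's source) of the TLS
 * heartbeat handling behind CVE-2014-0160. A record carries a 1-byte type, a
 * 2-byte claimed payload length, the payload and at least 16 bytes of padding.
 * The pre-fix code trusted the claimed length when echoing the payload; the
 * fix checks it against the bytes actually received first. */
#define HB_PADDING 16
#define HB_TYPE_REQUEST 1
#define HB_TYPE_RESPONSE 2

/* Build the response into out (capacity out_cap) from record rec of rec_len
 * bytes. Returns the response length, or -1 for a malformed record. */
int heartbeat_respond(const uint8_t *rec, size_t rec_len,
                      uint8_t *out, size_t out_cap)
{
    if (rec_len < 3 || rec[0] != HB_TYPE_REQUEST)
        return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];   /* claimed length */

    /* The bounds check that was missing: the claimed payload plus the
     * mandatory padding must fit inside what the peer actually sent. Without
     * it the memcpy below would read up to 64 KiB beyond the record. */
    if (1 + 2 + payload + HB_PADDING > rec_len)
        return -1;
    if (3 + payload + HB_PADDING > out_cap)
        return -1;

    out[0] = HB_TYPE_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);          /* echo only received bytes */
    memset(out + 3 + payload, 0, HB_PADDING);   /* fresh padding, not old memory */
    return (int)(3 + payload + HB_PADDING);
}

/* Constructed sample records: a well-formed request (5 payload bytes) and one
 * that claims 65535 payload bytes while sending only five. */
int main(void)
{
    uint8_t good[24] = {HB_TYPE_REQUEST, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o'};
    uint8_t evil[24] = {HB_TYPE_REQUEST, 0xFF, 0xFF, 'h', 'e', 'l', 'l', 'o'};
    uint8_t out[64];
    printf("well-formed request: %d\n", heartbeat_respond(good, 24, out, 64));
    printf("over-claimed length: %d\n", heartbeat_respond(evil, 24, out, 64));
    return 0;
}
```

A patched server answers the first record with a 24-byte response and drops the second instead of echoing whatever follows the record in memory.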

Affected Products

Risk Level: CRITICAL (Low/Medium/High/Critical)

Corporate products

  • F-Secure Server Security / E-mail and Server Security 10.x – 11
  • PSB Server Security / Email Server Security 10.00
  • F-Secure Messaging Secure Gateway 7.5
  • Protection Service for Email 7.5

Consumer products

  • F-Secure Search
  • Safe Profile
  • F-Secure Key
  • F-Secure Freedome
  • F-Secure Lokki

Affected Platforms

Risk Level: CRITICAL (Low/Medium/High/Critical)

Consumer platforms:

  • F-Secure Community
  • F-Secure SAFE Portal
  • F-Secure MyAccount Portal
  • Safe Avenue
  • Anti-Theft Portal

Notes

The following products and platforms are affected and already patched.

Products and platforms not listed in this advisory are NOT affected by Heartbleed.

Product/Platform: F-Secure Community
Requires user action: No

Product/Platform: F-Secure SAFE Portal
Requires user action: Yes
Since the F-Secure SAFE portal requires a web log-in (MYSafe), we suggest you change your password, as we suggest for any other online service.
  1. Log in to the SAFE portal at https://mysafe.f-secure.com/login
  2. Change your password on the "Account details" tab.

Product/Platform: F-Secure MyAccount Portal
Requires user action: Yes
  1. Log in to the MyAccount portal at https://shop.f-secure.com/cgi-bin/shop/ml=EN?mode=info
  2. Change your account password.

Product/Platform: SAFE Avenue
Requires user action: Yes

Product/Platform: Safe Profile
Requires user action: Yes

Product/Platform: F-Secure Search
Requires user action: Yes

Product/Platform: F-Secure Key
Requires user action: No
F-Secure Key servers were affected by the vulnerability; however, all data stored in F-Secure Key is safe. Data can only be accessed on the user's device, and users do not have to change their Master Password because of the Heartbleed vulnerability.

Product/Platform: F-Secure Freedome
Requires user action: No

Product/Platform: F-Secure Messaging Secure Gateway 7.5
Requires user action: No
  1. Verify that the patch has been installed.
  2. Instruct the administrator to generate a certificate request (CSR) or a self-signed certificate.
  3. Change the password for the administrator account.
Detailed guidance can be found here: Guidance for OpenSSL vulnerability CVE-2014-0160 MSG and PSE.pdf

Product/Platform: Protection Service for Email 7.5
Requires user action: Yes
  1. Verify that the patch has been installed.
  2. Change the password for the administrator account.
Detailed guidance can be found here: Guidance for OpenSSL vulnerability CVE-2014-0160 MSG and PSE.pdf

Product/Platform: F-Secure Server Security
Requires user action: Yes
  1. Download and apply the corresponding hotfix. See the "Fix Available" section.
  2. Create a new self-signed server certificate using the makecert.bat Windows batch file. It can be found in the F-Secure\Web User Interface\Bin folder.
  3. Change the passwords of the accounts used to log in to the Web User Interface.
Detailed guidance can be found here: Guidance for OpenSSL vulnerability CVE-2014-0160 Email Server security - Server Security.pdf

Product/Platform: F-Secure E-mail and Server Security
Requires user action: Yes
  1. Download and apply the corresponding hotfix. See the "Fix Available" section.
  2. Create a new self-signed server certificate using the makecert.bat Windows batch file. It can be found in the F-Secure\Web User Interface\Bin folder.
  3. Change the passwords of the accounts used to log in to the Web User Interface.
Detailed guidance can be found here: Guidance for OpenSSL vulnerability CVE-2014-0160 Email Server security - Server Security.pdf

Product/Platform: F-Secure PSB Server Security
Requires user action: Yes
PSB ESS 10.00 MF1, which addresses the Heartbleed vulnerability (CVE-2014-0160), will be available starting from today, 14th April 2014, via channel upgrade. On top of this multifix, it is recommended that users regenerate their certificates and change their passwords at the endpoint.
  1. Create a new self-signed server certificate using the makecert.bat Windows batch file. It can be found in the F-Secure\Web User Interface\Bin folder.
  2. Change the passwords of the accounts used to log in to the Web User Interface.
Detailed guidance can be found here: Guidance for OpenSSL vulnerability CVE-2014-0160 PSB Email Server security.pdf

Product/Platform: F-Secure PSB E-mail and Server Security
Requires user action: Yes
PSB ESS 10.00 MF1, which addresses the Heartbleed vulnerability (CVE-2014-0160), will be available starting from today, 14th April 2014, via channel upgrade. On top of this multifix, it is recommended that users regenerate their certificates and change their passwords at the endpoint.
  1. Create a new self-signed server certificate using the makecert.bat Windows batch file. It can be found in the F-Secure\Web User Interface\Bin folder.
  2. Change the passwords of the accounts used to log in to the Web User Interface.
Detailed guidance can be found here: Guidance for OpenSSL vulnerability CVE-2014-0160 PSB Email Server security.pdf

Product/Platform: Anti-Theft Portal
Requires user action: Yes
Change all user passwords.

Product/Platform: F-Secure Lokki
Requires user action: No

Fix Available

Product: F-Secure E-mail and Server Security
Versions: 10.x - 11.00
Hotfix:
ftp://ftp.f-secure.com/support/hotfix/fsss/FSESS1100-HF01-signed.fsfix
ftp://ftp.f-secure.com/support/hotfix/fsss/FSESS1100-HF01-signed.jar

Product: F-Secure E-mail and Server Security Premium
Versions: 11.00
Hotfix:
ftp://ftp.f-secure.com/support/hotfix/fsss/FSESSPR1100-HF01-signed.fsfix
ftp://ftp.f-secure.com/support/hotfix/fsss/FSESSPR1100-HF01-signed.jar

Product: F-Secure Server Security
Versions: 10.x - 11.00
Hotfix:
ftp://ftp.f-secure.com/support/hotfix/fsss/FSSS1100-HF01-signed.fsfix
ftp://ftp.f-secure.com/support/hotfix/fsss/FSSS1100-HF01-signed.jar

Product: F-Secure Server Security Premium
Versions: 11.00
Hotfix:
ftp://ftp.f-secure.com/support/hotfix/fsss/FSSSPR1100-HF01-signed.fsfix
ftp://ftp.f-secure.com/support/hotfix/fsss/FSSSPR1100-HF01-signed.jar

Applying Hotfixes

Standalone computers:

  1. Double-click the downloaded .fsfix file and follow the instructions.

Centrally managed computers:

  1. In F-Secure Policy Manager Console, select the Installation tab and import the downloaded .jar file.
  2. Select appropriate domain or host.
  3. Under "Installed products summary", use "hotfix" action for F-Secure E-Mail and Server Security product.
  4. Select this hotfix and distribute the policies.


15th April

  1. Added F-Secure Community to list of affected platforms.
  2. Added F-Secure MyAccount portal to list of affected platforms.
  3. Added remediation guidance to users for F-Secure MyAccount portal.
  4. Revised guidance for F-Secure Messaging Secure Gateway, F-Secure Server Security and F-Secure Server and E-mail Security.
  5. Added download URLs for the detailed guidance documents for corporate products.


Date Issued: 2014-04-11
Date Last Updated: 2014-04-17