

Product Security

FSC-2014-1: Notice on OpenSSL 'Heartbleed' Vulnerability

 

Brief Description

Heartbleed is a critical security vulnerability (CVE-2014-0160) in the OpenSSL cryptographic library, which is widely used by online sites and web-based services to provide secure connections. The vulnerability potentially allows an attacker to silently read information from the memory of a server. This means highly confidential information, such as web server private keys and user passwords, could be copied by an attacker.

This advisory will be updated as additional information becomes available.

 

Products

Risk Level: CRITICAL (Low/Medium/High/Critical)

Corporate products

  • F-Secure Server Security / E-mail and Server Security 10.x – 11
  • PSB Server Security / Email Server Security 10.00
  • F-Secure Messaging Secure Gateway 7.5
  • Protection Service for Email 7.5

Consumer products

  • F-Secure Search
  • Safe Profile
  • F-Secure Key
  • F-Secure Freedome
  • F-Secure Lokki

 

Affected Platforms

Risk Level: CRITICAL (Low/Medium/High/Critical)

Consumer platforms:

  • F-Secure Community
  • F-Secure SAFE Portal
  • F-Secure MyAccount Portal
  • Safe Avenue
  • Anti-Theft Portal
     

Notes

The following products and platforms are affected and already patched.

Products and platforms not listed in this advisory are NOT affected by Heartbleed.
 

Product / Platform  Requires User Action? (Y/N)  Remarks
F-Secure Community  N  
F-Secure SAFE Portal  Y Since the F-Secure SAFE portal requires a web log-in (MySafe), we suggest that you change your passwords, as we suggest for any other online service.
  1. Log in to the SAFE portal at https://mysafe.f-secure.com/login.
  2. Change your password on the “Account details” tab.
F-Secure MyAccount Portal Y
  1. Log in to the MyAccount portal at https://shop.f-secure.com/cgi-bin/shop/ml=EN?mode=info
  2. Change your account password.
 Safe Avenue  N  
 Safe Profile  N  
 F-Secure Search  N  
 F-Secure Key  N F-Secure Key servers were affected by the vulnerability; however, all data stored in F-Secure Key is safe. Data can only be accessed on the user's device, and users do not have to change their Master Password because of the Heartbleed vulnerability.
F-Secure Freedome  N
 
F-Secure Messaging Secure Gateway 7.5  Y
  1. Verify that the patch has been installed.
  2. Instruct the administrator to generate a certificate request (CSR) or a self-signed certificate.
  3. Change the password for the administrator's account.

Detailed guidance can be found here: Guidance for OpenSSL vulnerability CVE-2014-0160 MSG and PSE.pdf

Protection Service for Email 7.5  Y
  1. Verify that the patch has been installed.
  2. Change the password for the administrator's account.
Detailed guidance can be found here: Guidance for OpenSSL vulnerability CVE-2014-0160 MSG and PSE.pdf
F-Secure Server Security  Y
  1. Download and apply the corresponding hotfix. See the “Fix Available” section.
  2. Create a new self-signed server certificate using the makecert.bat Windows batch file. It can be found in the F-Secure\Web User Interface\Bin folder.
  3. Change the passwords for the accounts used to log in to the Web User Interface.

Detailed guidance can be found here: Guidance for OpenSSL vulnerability CVE-2014-0160 Email Server security - Server Security.pdf

F-Secure E-mail and Server Security  Y
  1. Download and apply the corresponding hotfix. See the “Fix Available” section.
  2. Create a new self-signed server certificate using the makecert.bat Windows batch file. It can be found in the F-Secure\Web User Interface\Bin folder.
  3. Change the passwords for the accounts used to log in to the Web User Interface.

Detailed guidance can be found here: Guidance for OpenSSL vulnerability CVE-2014-0160 Email Server security - Server Security.pdf

F-Secure PSB Server Security  Y PSB ESS 10.00 MF1, which addresses the Heartbleed vulnerability (CVE-2014-0160), will be available starting from today, 14th April 2014, via channel upgrade. It is recommended that, on top of this multifix, users regenerate their certificates and change their passwords at the endpoint.
  1. Create a new self-signed server certificate using the makecert.bat Windows batch file. It can be found in the F-Secure\Web User Interface\Bin folder.
  2. Change the passwords for the accounts used to log in to the Web User Interface.

Detailed guidance can be found here: Guidance for OpenSSL vulnerability CVE-2014-0160 PSB Email Server security.pdf

F-Secure PSB E-mail and Server Security  Y PSB ESS 10.00 MF1, which addresses the Heartbleed vulnerability (CVE-2014-0160), will be available starting from today, 14th April 2014, via channel upgrade. It is recommended that, on top of this multifix, users regenerate their certificates and change their passwords at the endpoint.
  1. Create a new self-signed server certificate using the makecert.bat Windows batch file. It can be found in the F-Secure\Web User Interface\Bin folder.
  2. Change the passwords for the accounts used to log in to the Web User Interface.

Detailed guidance can be found here: Guidance for OpenSSL vulnerability CVE-2014-0160 PSB Email Server security.pdf

Anti-Theft Portal  Y
  1.  Change all user passwords.
 F-Secure Lokki  N  

 

Fix Available

Product Versions Download
F-Secure E-mail and Server Security 10.x - 11.00 Hotfix:
ftp://ftp.f-secure.com/support/hotfix/fsss/FSESS1100-HF01-signed.fsfix

ftp://ftp.f-secure.com/support/hotfix/fsss/FSESS1100-HF01-signed.jar
F-Secure E-mail and Server Security Premium 11.00 Hotfix:
ftp://ftp.f-secure.com/support/hotfix/fsss/FSESSPR1100-HF01-signed.fsfix

ftp://ftp.f-secure.com/support/hotfix/fsss/FSESSPR1100-HF01-signed.jar
F-Secure Server Security 10.x - 11.00 Hotfix:
ftp://ftp.f-secure.com/support/hotfix/fsss/FSSS1100-HF01-signed.fsfix

ftp://ftp.f-secure.com/support/hotfix/fsss/FSSS1100-HF01-signed.jar
F-Secure Server Security Premium 11.00 Hotfix:
ftp://ftp.f-secure.com/support/hotfix/fsss/FSSSPR1100-HF01-signed.fsfix

ftp://ftp.f-secure.com/support/hotfix/fsss/FSSSPR1100-HF01-signed.jar

 

Applying Hotfixes

Standalone computers:

  1. Double-click on the downloaded .fsfix file and follow the instructions.


Centrally managed computers:

  1. In F-Secure Policy Manager Console, select the Installation tab. Import the downloaded jar file.
  2. Select the appropriate domain or host.
  3. Under "Installed products summary", use the "hotfix" action for the F-Secure E-Mail and Server Security product.
  4. Select this hotfix and distribute policies.


 

 

Advisory Changes

Date Changes
11th April First advisory published.
14th April
  1. Added hotfix download URL for affected corporate products.
  2. Added remediation guidance to users for F-Secure Server Security, F-Secure E-mail and Server Security, F-Secure PSB Server Security and F-Secure PSB E-mail and Server Security.
  3. Added F-Secure SAFE portal to list of affected platforms.
  4. Added remediation guidance to users for F-Secure SAFE portal.
  5. Segmented products and platforms to avoid confusion.
15th April
  1. Added F-Secure Community to list of affected platforms.
  2. Added F-Secure MyAccount portal to list of affected platforms.
  3. Added remediation guidance to users for F-Secure MyAccount portal.
  4. Revised guidance for F-Secure Messaging Secure Gateway, F-Secure Server Security and F-Secure Server and E-mail Security.
  5. Added download URL for detailed guidance documents for corporate products.
17th April  Updated Notes section to clarify that non-listed products and platforms are not affected by this vulnerability.

 

Date Issued: 2014-04-11
Date Last Updated: 2014-04-17
