Security Advisories

FSC-2014-1: Notice on OpenSSL 'Heartbleed' Vulnerability

Description

HeartBleed is a critical security vulnerability (CVE-2014-0160) in the OpenSSL cryptographic library, which is widely used by online sites and web-based services to provide secure connections. The vulnerability potentially allows an attacker to silently read information from the memory of a server. This means highly confidential information, such as web server private keys and user passwords, could be copied by an attacker.

This advisory will be updated as additional information becomes available.

Affected Products

Risk Level (Low/Medium/High/Critical) Critical

Corporate products:

F-Secure Server Security / E-mail and Server Security 10.x – 11
PSB Server Security / Email Server Security 10.00
F-Secure Messaging Secure Gateway 7.5
Protection Service for Email 7.5

Consumer products:

F-Secure Search
Safe Profile
F-Secure Key
F-Secure Freedome
F-Secure Lokki

Platforms

Risk Level (Low/Medium/High/Critical) Critical

Consumer platforms:

F-Secure Community
F-Secure SAFE Portal
F-Secure MyAccount Portal
Safe Avenue
Anti-Theft Portal

More Information

The following products and platforms are affected and already patched.

Products and platforms not listed in this advisory are NOT affected by Heartbleed.

Product/Platform	Requires user action? (Yes/No)	Remarks
F-Secure Community	No
F-Secure SAFE Portal	Yes	Since F-Secure SAFE portal requires a web log-in (MYSafe), we suggest you change your passwords as we suggest to do with any other online services. Log-in to SAFE portal at https://mysafe.f-secure.com/login Change your password on the tab "Account details".
F-Secure MYAccount Portal	Yes	Log-in to MyAccount portal at https://shop.f-secure.com/cgi-bin/shop/ml=EN?mode=info Change your account password.
SAFE Avenue	Yes
Safe Profile	Yes
F-Secure Search	Yes
F-Secure Key	No	F-Secure Key servers were affected by the vulnerability, however all data stored in F-Secure Key is safe. Data can only be accessed on users device and users do not have to change their Master Password because of the Heartbleed vulnerability.
F-Secure Freedome	No
F-Secure Messaging Secure Gateway 7.5	No	Verify that patch has been installed. Instruct administrator to generate certificate request (CSR) or self-signed certificate. Change the password for the administrators account.
Protection Service for Email 7.5	Yes	Verify that patch has been installed. Change the password for the administrators account.
F-Secure Server Security	Yes	Download and apply corresponding hotfix. See "Fix Available" section. Create a new server self-signed certificate by using makecert.bat Windows Batch File. It can be found in F-Secure\Web User Interface\Bin folder. Change passwords for accounts used to login to the Web User Interface.
F-Secure E-mail and Server Security	Yes	Download and apply corresponding hotfix. See "Fix Available" section. Create a new server self-signed certificate by using makecert.bat Windows Batch File. It can be found in F-Secure\Web User Interface\Bin folder. Change passwords for accounts used to login to the Web User Interface.
F-Secure PSB Server Security	Yes	PSB ESS 10.00 MF1 which addresses HeartBleed vulnerability (CVE-2014-0160) will be available starting from today 14th April 2014 via channel upgrade. It is recommended that on top of this multifix users should regenerate their certificates and change their passwords at the endpoint. Create a new server self-signed certificate by using makecert.bat Windows Batch File. It can be found in F-Secure\Web User Interface\Bin folder. Change passwords for accounts used to login to the Web User Interface.
F-Secure PSB E-mail and Server Security	Yes	PSB ESS 10.00 MF1 which addresses HeartBleed vulnerability (CVE-2014-0160) will be available starting from today 14th April 2014 via channel upgrade. It is recommended that on top of this multifix users should regenerate their certificates and change their passwords at the endpoint. Create a new server self-signed certificate by using makecert.bat Windows Batch File. It can be found in F-Secure\Web User Interface\Bin folder. Change passwords for accounts used to login to the Web User Interface.
Anti-Theft Portal	Yes	Change all user passwords.
F-Secure Lokki	No

Fix Available

Product	Versions	Download
F-Secure E-mail and Server Security	10.x - 11.00	Hotfix: ftp://ftp.f-secure.com/support/hotfix/fsss/FSESS1100-HF01-signed.fsfix ftp://ftp.f-secure.com/support/hotfix/fsss/FSESS1100-HF01-signed.jar
F-Secure E-mail and Server Security Premium	11.00	Hotfix: ftp://ftp.f-secure.com/support/hotfix/fsss/FSESSPR1100-HF01-signed.fsfix ftp://ftp.f-secure.com/support/hotfix/fsss/FSESSPR1100-HF01-signed.jar
F-Secure Server Security	10.x - 11.00	Hotfix: ftp://ftp.f-secure.com/support/hotfix/fsss/FSSS1100-HF01-signed.fsfix ftp://ftp.f-secure.com/support/hotfix/fsss/FSSS1100-HF01-signed.jar
F-Secure Server Security Premium	11.00	Hotfix: ftp://ftp.f-secure.com/support/hotfix/fsss/FSSSPR1100-HF01-signed.fsfix ftp://ftp.f-secure.com/support/hotfix/fsss/FSSSPR1100-HF01-signed.jar

Applying Hotfixes

Standalone computers:

Double-click on the downloaded .fsfix file and follow the instructions.

Centrally managed computers:

In F-Secure Policy Manager Console, select Installation tab. Import the downloaded jar file.
Select appropriate domain or host.
Under "Installed products summary", use "hotfix" action for F-Secure E-Mail and Server Security product.
Select this hotfix and distribute policies.

Advisory Changes

Date	Changes
11th April 2014	First advisory published.
15th April 2014	Added F-Secure Community to list of affected platforms. Added F-Secure MyAccount portal to list of affected platforms. Added remediation guidance to users for F-Secure MyAccount portal. Revised guidance for F-Secure Messaging Secure Gateway, F-Secure Server Security and F-Secure Server and E-mail Security. Added download URL for detailed guidance documents for corporate products.

Date Issued: 2014-04-11
Date Last Updated: 2014-04-17