UK
Security Advisories

FSC-2014-1: Notice on OpenSSL 'Heartbleed' Vulnerability

Description

HeartBleed is a critical security vulnerability (CVE-2014-0160) in the OpenSSL cryptographic library, which is widely used by online sites and web-based services to provide secure connections. The vulnerability potentially allows an attacker to silently read information from the memory of a server. This means highly confidential information, such as web server private keys and user passwords, could be copied by an attacker.

This advisory will be updated as additional information becomes available.

Affected Products

  • Risk Level (Low/Medium/High/Critical) Critical

Corporate products:

  • F-Secure Server Security / E-mail and Server Security 10.x – 11
  • PSB Server Security / Email Server Security 10.00
  • F-Secure Messaging Secure Gateway 7.5
  • Protection Service for Email 7.5

Consumer products:

  • F-Secure Search
  • Safe Profile
  • F-Secure Key
  • F-Secure Freedome
  • F-Secure Lokki

Platforms

  • Risk Level (Low/Medium/High/Critical) Critical

Consumer platforms:

  • F-Secure Community
  • F-Secure SAFE Portal
  • F-Secure MyAccount Portal
  • Safe Avenue
  • Anti-Theft Portal

More Information

The following products and platforms are affected and already patched.

Products and platforms not listed in this advisory are NOT affected by Heartbleed.

Product/Platform Requires user action? (Yes/No) Remarks
F-Secure Community No  
F-Secure SAFE Portal Yes

Since F-Secure SAFE portal requires a web log-in (MYSafe), we suggest you change your passwords as we suggest to do with any other online services. 

 

  1. Log-in to SAFE portal at https://mysafe.f-secure.com/login
  2. Change your password on the tab "Account details".

 
F-Secure MYAccount Portal Yes
  1. Log-in to MyAccount portal at https://shop.f-secure.com/cgi-bin/shop/ml=EN?mode=info
  2. Change your account password.
SAFE Avenue

 Yes  
Safe Profile Yes  
F-Secure Search
 Yes  
F-Secure Key No F-Secure Key servers were affected by the vulnerability, however all data stored in F-Secure Key is safe. Data can only be accessed on users device and users do not have to change their Master Password because of the Heartbleed vulnerability.
F-Secure Freedome No  
F-Secure Messaging Secure Gateway 7.5 No
  1. Verify that patch has been installed.
  2. Instruct administrator to generate certificate request (CSR) or self-signed certificate.
  3. Change the password for the administrators account.

Detailed guidance can be found here: Guidance for OpenSSL vulnerability CVE-2014-0160 MSG and PSE.pdf
Protection Service for Email 7.5 Yes
  1. Verify that patch has been installed.
  2. Change the password for the administrators account.

Detailed guidance can be found here: Guidance for OpenSSL vulnerability CVE-2014-0160 MSG and PSE.pdf
F-Secure Server Security Yes
  1. Download and apply corresponding hotfix. See "Fix Available" section.
  2. Create a new server self-signed certificate by using makecert.bat Windows Batch File. It can be found in F-Secure\Web User Interface\Bin folder.
  3. Change passwords for accounts used to login to the Web User Interface.

Detailed guidance can be found here: Guidance for OpenSSL vulnerability CVE-2014-0160 Email Server security - Server Security.pdf
F-Secure E-mail and Server Security Yes
  1. Download and apply corresponding hotfix. See "Fix Available" section.
  2. Create a new server self-signed certificate by using makecert.bat Windows Batch File. It can be found in F-Secure\Web User Interface\Bin folder.
  3. Change passwords for accounts used to login to the Web User Interface.

Detailed guidance can be found here: Guidance for OpenSSL vulnerability CVE-2014-0160 Email Server security - Server Security.pdf
F-Secure PSB Server Security Yes

PSB ESS 10.00 MF1 which addresses HeartBleed vulnerability (CVE-2014-0160) will be available starting from today 14th April 2014 via channel upgrade. It is recommended that on top of this multifix users should regenerate their certificates and change their passwords at the endpoint.

  1. Create a new server self-signed certificate by using makecert.bat Windows Batch File. It can be found in F-Secure\Web User Interface\Bin folder.
  2. Change passwords for accounts used to login to the Web User Interface.

Detailed guidance can be found here: Guidance for OpenSSL vulnerability CVE-2014-0160 PSB Email Server security.pdf
F-Secure PSB E-mail and Server Security Yes

PSB ESS 10.00 MF1 which addresses HeartBleed vulnerability (CVE-2014-0160) will be available starting from today 14th April 2014 via channel upgrade. It is recommended that on top of this multifix users should regenerate their certificates and change their passwords at the endpoint.

  1. Create a new server self-signed certificate by using makecert.bat Windows Batch File. It can be found in F-Secure\Web User Interface\Bin folder.
  2. Change passwords for accounts used to login to the Web User Interface.

Detailed guidance can be found here: Guidance for OpenSSL vulnerability CVE-2014-0160 PSB Email Server security.pdf
Anti-Theft Portal Yes Change all user passwords.
F-Secure Lokki No  

Fix Available

Product Versions Download
F-Secure E-mail and Server Security 10.x - 11.00

 Hotfix:
ftp://ftp.f-secure.com/support/hotfix/fsss/FSESS1100-HF01-signed.fsfix

ftp://ftp.f-secure.com/support/hotfix/fsss/FSESS1100-HF01-signed.jar
F-Secure E-mail and Server Security Premium

 11.00 Hotfix:
ftp://ftp.f-secure.com/support/hotfix/fsss/FSESSPR1100-HF01-signed.fsfix

ftp://ftp.f-secure.com/support/hotfix/fsss/FSESSPR1100-HF01-signed.jar
F-Secure Server Security

 10.x - 11.00

Hotfix:
ftp://ftp.f-secure.com/support/hotfix/fsss/FSSS1100-HF01-signed.fsfix

ftp://ftp.f-secure.com/support/hotfix/fsss/FSSS1100-HF01-signed.jar
F-Secure Server Security Premium

 11.00

Hotfix:
ftp://ftp.f-secure.com/support/hotfix/fsss/FSSSPR1100-HF01-signed.fsfix

ftp://ftp.f-secure.com/support/hotfix/fsss/FSSSPR1100-HF01-signed.jar

Applying Hotfixes

Standalone computers:

  1. Double-click on the downloaded .fsfix file and follow the instructions.

Centrally managed computers:

  1. In F-Secure Policy Manager Console, select Installation tab. Import the downloaded jar file.
  2. Select appropriate domain or host.
  3. Under "Installed products summary", use "hotfix" action for F-Secure E-Mail and Server Security product.
  4. Select this hotfix and distribute policies.

Advisory Changes

Date Changes
11th April 2014 First advisory published. 
15th April 2014
  1. Added F-Secure Community to list of affected platforms.
  2. Added F-Secure MyAccount portal to list of affected platforms.
  3. Added remediation guidance to users for F-Secure MyAccount portal.
  4. Revised guidance for F-Secure Messaging Secure Gateway, F-Secure Server Security and F-Secure Server and E-mail Security.
  5. Added download URL for detailed guidance documents for corporate products.

Date Issued: 2014-04-11
Date Last Updated: 2014-04-17