CVE-2014-0160 aka the HeartBleed bug

Version 32

    Verified Product Versions

    Endpoint Manager 9.5

    LANDESK is aware of the vulnerability inside of OpenSSL and we are currently in the process of investigating it. We will update this document with further information as we have it.  We appreciate your patience.

     

    As updates are available, including any additional information about how this vulnerability affects LANDESK products and progress for any updates or patches, it will be added to this document.

     

    Latest Updates

     

    Resolution of known issue with ShutdownReboot.dll - May 14, 2014 (3:30PM MDT)

    LANDESK has a non-FIPS compliant patch to resolve the right click issue with ShutdownReboot.dll. If you are experiencing this issue please raise a case with support to obtain the patch. This is a Core side patch and will require a reboot. We are working on a FIPS compliant patch for the next component patch.

     

    Known issue - May 6, 2014 (1:00PM MDT)

    LANDESK is aware of an issue that is affecting some customers who apply LD95-CP_BASE-2014-0417. The issue causes some functionality on the right-click menu to stop working: the 'run now' type of functions, such as running an inventory scan or a vulnerability scan. When these options are selected, an error about loading ShutdownReboot.dll appears in the 'Status of requested actions' window. LANDESK is currently investigating this issue. This does not affect other functionality, such as Scheduled Tasks that run scans, and is not affecting all customers who have applied the patch.

     

    April 25, 2014 (4:00PM MDT)

    The patch for the LDMS 9.5 SP2 Core Server is now available for download. It is contained in the latest Component Patch - LD95-CP_BASE-2014-0417. More information about the Component Patch can be found here: LDMS 9.5 Sustaining Patch Information. This patch is also available through LANDESK Updates in the Patch and Compliance tool.

     


     

    Note that this patch is for LDMS 9.5 SP2 only. LANDESK recommends that all customers be on the latest version of Management Suite so that you can receive the latest security updates as soon as they are made available.

     

    April 23, 2014 (11:00AM MDT)

     

    LANDESK is finishing up testing on the patch for the LDMS 9.5 SP2 Core Server to address HeartBleed. It should be available to customers by Friday (25 April). The fix is included in the next Component Patch. Watch this document for further updates.

     

    April 17, 2014 (7:02AM MDT)

     

    LANDESK has released the client-side patch in content. http://community.landesk.com/support/docs/DOC-31434 has been created with instructions for pushing this patch to client systems.

     

    April 16, 2014 (5:40PM MDT)

     

    LANDESK has completed testing for a client-only patch to address vulnerabilities on client machines. It will be made available to customers tonight or early tomorrow. The patch will appear as a LANDESK Update in the Patch Management tool. A download will also be available. The patch will apply to all affected LANDESK Client versions: 9.5.0, 9.5 SP1 and 9.5 SP2. LANDESK is continuing to work on updates to address additional areas on the Core Server.

     

    April 15, 2014 (10:00AM MDT)

     

    LANDESK releases the patch to resolve the vulnerability on the Cloud Services Appliance.

     

    April 14, 2014

     

    LANDESK has been able to create a patch for the Cloud Services Appliance that is undergoing testing. This has moved more quickly than we expected and a patch should be released soon. We are continuing to test solutions for this vulnerability on our Core and Client systems. We have run into some complications with product functionality in this testing once a fix for “Heartbleed” is applied, which is delaying the release of a patch.

     

    April 11, 2014

     

    We have continued to review our entire product line and have been able to narrow down exactly which versions of LANDESK Management Suite are vulnerable to “Heartbleed”. Our continuing research into our Service Desk, Mobility, and Shavlik solutions has found no issues within these products. LANDESK has issued a statement on “Heartbleed” at http://www.landesk.com/blog/heartbleed-landesk-portfolio/.

     

    April 10, 2014

     

    As our research has continued, so has the information we have been able to uncover regarding this vulnerability. Additional details about how it affects customers using our products have been added to this document. Our development teams continue to investigate and have determined how we can get our Cloud Services Appliance fixed. We have been given an ETA of 04/18/2014.

     

    April 9, 2014

     

    Our development teams, along with Support, are continuing our investigation into this vulnerability. We are determining what kind of information is made available through this exploit within our products. The ways in which this affects LANDESK products have been added to the document.

     

    April 8, 2014

     

    LANDESK is aware of and currently investigating the OpenSSL vulnerability known as “Heartbleed”. Updates will be provided to customers through this document.

     

    What is this vulnerability?

    There is a bug in OpenSSL's implementation of the TLS/DTLS (Transport Layer Security protocols) heartbeat extension (RFC 6520). When it is exploited, it leaks memory contents from the server to the client and from the client to the server.

     

    From CVE: "The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug."

     

    For more information, please see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160 and http://heartbleed.com/
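    As an added illustration of the buffer over-read described above (example code written for this document, not LANDESK's or OpenSSL's own source): a stripped-down heartbeat handler in C showing the pre-fix behaviour of trusting the packet's payload_length field beside the length check that OpenSSL 1.0.1g added. The 19-byte record, and the "secret" bytes that sit next to it in the simulated process memory, are constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* RFC 6520 HeartbeatMessage layout: type(1) | payload_length(2) | payload | padding(>=16) */
#define HB_REQUEST     1
#define HB_PADDING_MIN 16
#define HB_HDR_LEN     3

/* Constructed "process memory": a 19-byte heartbeat record that declares a
   64-byte payload, followed by unrelated bytes standing in for whatever the
   process happened to hold next to the record (e.g. key material). */
static const uint8_t MEM[] = {
    HB_REQUEST, 0x00, 0x40,                              /* type=1, payload_length=64 */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,      /* 16 bytes: the real record body */
    'S','E','C','R','E','T','-','K','E','Y','-','B','Y','T','E','S' /* not part of the record */
};
static const size_t REC_LEN = 19;   /* what the TLS record layer actually delivered */

/* Pre-1.0.1g behaviour: trusts payload_length from the packet and never compares
   it with the record length. The copy is bounded by mem_len only so this demo
   stays memory-safe; the original code had no such bound. Returns bytes written. */
size_t hb_respond_unchecked(const uint8_t *mem, size_t mem_len, uint8_t *out, size_t out_cap) {
    size_t payload = ((size_t)mem[1] << 8) | mem[2];
    size_t avail = mem_len - HB_HDR_LEN;
    size_t n = payload < avail ? payload : avail;
    if (n > out_cap) n = out_cap;
    memcpy(out, mem + HB_HDR_LEN, n);                    /* reads past the 19-byte record */
    return n;
}

/* 1.0.1g fix: header + declared payload + minimum padding must fit inside the
   delivered record, otherwise the message is silently dropped (returns -1). */
int hb_respond_checked(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    if (rec_len < HB_HDR_LEN + HB_PADDING_MIN) return -1;     /* too short to be valid */
    if (rec[0] != HB_REQUEST) return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HDR_LEN + payload + HB_PADDING_MIN > rec_len) return -1;  /* Heartbleed condition */
    if (payload > out_cap) return -1;
    memcpy(out, rec + HB_HDR_LEN, payload);              /* bounded by the record itself */
    return (int)payload;
}
```

    The same comparison of declared payload length against record length is what network IDS signatures for CVE-2014-0160 perform on the wire.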

     

    How does this affect LANDESK?

    Affected Product(s)

    LANDESK Management Suite / Security Suite 9.5 and later

    LANDESK Cloud Services Appliance 4.3 and later

     

    Non-Affected Product(s)

    LANDESK Management Suite 9.0 and earlier (uses prior, unaffected version of OpenSSL)

    LANDESK Cloud Services Appliance 4.2 which uses openssl-0.9.8k

    LANDESK Asset Lifecycle Manager

    LANDESK Service Desk, including Service Desk as a Service (SDaas)

    Mobility products including Wavelink, Avalanche on Demand, and LANDESK Mobility Management

         For more information and details about Wavelink products please see: CVE-2014-0160 aka the HeartBleed bug (Wavelink)

    Shavlik Products

    Other LANDESK Cloud Services

     

    Additionally, none of the LANDESK customer or partner-facing websites are impacted by this vulnerability.

     

    More Details

    The following outlines additional details about affected products, services and updates.

     

    Internal Network(s)

    LANDESK Management Suite Core Server

    Can potentially impact communication between the Core and the Cloud Services Appliance. See below for more information about the CSA.

    Communication via IIS is not affected.

    A Component Patch for LDMS 9.5 SP2 is now available. Please see the download links above. It will be released in Patch Content in the next few days.


    Package Server

    Any package server being used by LANDESK that might use OpenSSL could be affected, for example an Apache web server or a NAS device. Please check with the appropriate vendor for an update to these applications or servers.

    LANDESK will not be producing any update or change to address any third party applications or servers.

     

    LANDESK Management Suite Client

    The vulnerable OpenSSL libraries are used in the LANDESK CBA Client and Remote Control components. However, these services operate on non-standard ports. There is also an additional layer of protection afforded by the authentication these services require.

    The CBA/Resident Agent components respond to "push" requests from the Core Server to perform certain tasks. These tasks can include inventory scans, software deployments, patching, custom scripts and others. For these requests, additional threads and processes are used, thus limiting the memory exposed to this vulnerability. The private key for these interactions is stored on the Core Server. LANDESK has been unable to find any instance where the private key or user credentials are sent to the Resident Agent.

    LANDESK has released LD-CR131352-95 in content. Please read http://community.landesk.com/support/docs/DOC-31434 for further instruction on deploying this patch.

     

     

    External Network(s)

    Cloud Services Appliance

    All data on the Cloud Services Appliance is encrypted using SHA1. The data that could be exposed through this vulnerability will not grant access to usernames, passwords or private keys.

    CSA patch GSB431_137 is being posted to the servers and will be available today 04/15/2014.

     

    - LANDESK Support