
PGP affected by OpenSSL bug?

Created: 08 Apr 2014 • Updated: 09 Apr 2014 | 7 comments
STHN's picture
This issue has been solved. See solution.

Hello,

there has been a critical OpenSSL Bug reported.

https://www.openssl.org/news/secadv_20140407.txt

Does somebody know whether or not the Symantec Encryption Management Server is affected by this in any version or if there is a version that is not affected?

Thank you in advance!


Brɨan's picture

From what I know:

OpenSSL 1.0.1 through 1.0.1f are vulnerable
OpenSSL 1.0.1g is NOT vulnerable
OpenSSL 1.0.0 branch is NOT vulnerable
OpenSSL 0.9.8 branch is NOT vulnerable

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Alex_CST's picture

We have the most recent version of SEMS.

SEMS doesn't use openssl version 1.x

As such the Heartbleed bug is not applicable to Universal Server. (Hooray!)

You can tell which version you have by SSHing onto your server and running: openssl version (just to be sure)

Please mark posts as solutions if they solve your problem!

http://www.cstl.com

SOLUTION
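
Added example (not part of any post in this thread): a shell function that applies the version list quoted above to the output of openssl version, the command suggested above. The function name classify_openssl and the sample strings are assumptions made for illustration; versions outside the listed branches are reported as unknown.

```shell
#!/bin/sh
# Classify an `openssl version` string against the list quoted in the thread:
#   1.0.1 through 1.0.1f vulnerable; 1.0.1g, 1.0.0 branch, 0.9.8 branch not.
# classify_openssl is a hypothetical helper name, not a Symantec or OpenSSL tool.
# Prints one of: vulnerable | not-vulnerable | unknown
classify_openssl() {
    # The second field is the version, e.g. "1.0.1e-fips".
    ver=$(printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2; exit }')
    [ -n "$ver" ] || { echo unknown; return 0; }

    case "$ver" in
        # Pre-release builds are not covered by the thread's list.
        *-beta*|*-dev*|*-pre*) echo unknown; return 0 ;;
    esac

    # Drop build suffixes such as "-fips" or "-fips-rhel5".
    base=${ver%%-*}

    case "$base" in
        0.9.8|0.9.8[a-z]*)   echo not-vulnerable ;;  # 0.9.8 branch
        1.0.0|1.0.0[a-z]*)   echo not-vulnerable ;;  # 1.0.0 branch
        1.0.1|1.0.1[abcdef]) echo vulnerable ;;      # 1.0.1 through 1.0.1f
        1.0.1[a-z]*)         echo not-vulnerable ;;  # 1.0.1g and later letters
        *)                   echo unknown ;;         # anything not in the list
    esac
}

# Constructed sample strings in the format `openssl version` prints.
for sample in \
    "OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008" \
    "OpenSSL 1.0.0 29 Mar 2010" \
    "OpenSSL 1.0.1e-fips 11 Feb 2013" \
    "OpenSSL 1.0.1g 7 Apr 2014"
do
    printf '%-40s %s\n' "$sample" "$(classify_openssl "$sample")"
done

# On a real host, classify the installed binary as well.
if command -v openssl >/dev/null 2>&1; then
    printf 'local: %s\n' "$(classify_openssl "$(openssl version)")"
fi
```

A distribution may backport the fix without changing the version letter, so a "vulnerable" result based on the string alone should be confirmed against the vendor's package changelog.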
STHN's picture

Thanks. Just found that out myself. Didn't have access to my system yesterday evening ;)

PMCS GmbH & Co. KG - Consulting and support for Altiris/SEP/EV and other Symantec products.
Please take the time and mark this post as solution if it solved your problem - thanks!

STHN's picture

Here are some tests for the vulnerability:

Metasploit: Complete @Firefart's OpenSSL Heartbleed attack by jvazquez-r7 · Pull Request #3206 · rapid7/metasploit-framework · GitHub
https://github.com/rapid7/metasploit-framework/pull/3206

OpenVAS: ssl_heartbleed.nasl
https://gist.github.com/RealRancor/10140249

Nmap: ssl-heartbleed NSE Script
http://nmap.org/nsedoc/scripts/ssl-heartbleed.html

Nessus Plugins
http://www.tenable.com/plugins/index.php?view=single&id=73412


dcats's picture

For completeness, here's one article about this:
Is Symantec Encryption Management Server vulnerable to the OpenSSL "Heartbleed" attack (CVE-2014-0160)? - TECH216516.
 

Rgs,
dcats

Sue H's picture

Hi all,

None of the Symantec Encryption products (previously the PGP products) are affected by the OpenSSL vulnerability. For more information, please see the following KB articles:

http://www.symantec.com/docs/TECH216516: Encryption Management Server uses a version of OpenSSL that is not vulnerable

http://www.symantec.com/docs/TECH216640: Encryption Desktop does not use OpenSSL

Please let us know if you have additional questions.

Thanks!
...sue

Mick2009's picture

Followers of this thread may be interested in attending Symantec's webcast on Tuesday the 29th. The following blog post has all the details and a link to the registration page:

The Heartbleed Bug: How to Protect Your Business
https://www-secure.symantec.com/connect/blogs/heartbleed-bug-how-protect-your-business

With thanks and best regards,

Mick
