HIRT-PUB14005: OpenSSL TLS heartbeat extension read overrun issue in Hitachi products

(VU#720951, CVE-2014-0160)

Last Updated: May 12, 2014

    1. Overview


    OpenSSL 1.0.1 contains a vulnerability that could disclose sensitive private information to an attacker. This vulnerability is commonly referred to as "heartbleed."

    CVSS Severity

     Base Metrics: 5.0
      Access Vector: Network
      Access Complexity: Low
      Authentication: None
      Confidentiality Impact: Partial
      Integrity Impact: None
      Availability Impact: None


     Temporal Metrics 4.1 (April 16, 2014)
      Exploitability: Functional exploit exists
      Remediation Level: Official fix
      Report Confidence: Confirmed

    2. Affected Systems


    + OpenSSL 1.0.1 to 1.0.1f
    + OpenSSL 1.0.2-beta to 1.0.2-beta1
    + Hitachi Products that use OpenSSL
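    The affected range above is easiest to check against the packed OPENSSL_VERSION_NUMBER value that OpenSSL exposes in <openssl/opensslv.h>. The following is an added example, not code from this advisory, Hitachi or the OpenSSL project; it assumes OpenSSL's 0xMNNFFPPS encoding (major, minor, fix, patch letter, status nibble) and derives the range constants from that encoding.

```c
/* Added example (not Hitachi's or OpenSSL's code): decide whether a packed
 * OpenSSL version number lies in the range this advisory lists as affected.
 * OpenSSL encodes its version as 0xMNNFFPPS: major M, minor NN, fix FF,
 * patch PP (00 = none, 01 = 'a', ..., 06 = 'f') and status S
 * (0 = dev, 1..e = beta1..beta14, f = release). The constants below are
 * assumed from that encoding; they are not values printed in the advisory. */
#include <stdio.h>
#include <string.h>

#define OSSL_1_0_1_RELEASE 0x1000100fUL  /* 1.0.1  (first affected release) */
#define OSSL_1_0_1G        0x1000107fUL  /* 1.0.1g (first fixed release)    */
#define OSSL_1_0_2_PRE     0x10002000UL  /* 1.0.2 pre-release ("-beta")      */
#define OSSL_1_0_2_BETA1   0x10002001UL  /* 1.0.2-beta1 (last affected beta) */

/* Returns 1 if the version is in an affected range, 0 otherwise. */
int heartbleed_affected(unsigned long version)
{
    /* 1.0.1 through 1.0.1f: from the 1.0.1 release up to, but not
     * including, 1.0.1g */
    if (version >= OSSL_1_0_1_RELEASE && version < OSSL_1_0_1G)
        return 1;
    /* 1.0.2-beta through 1.0.2-beta1 (assumed to mean the 1.0.2
     * pre-release builds up to and including beta1) */
    if (version >= OSSL_1_0_2_PRE && version <= OSSL_1_0_2_BETA1)
        return 1;
    return 0;
}

/* Renders a packed version number the way OpenSSL prints it, e.g. "1.0.1f"
 * or "1.0.2-beta1". Writes into buf (capacity n) and returns buf. */
const char *format_version(unsigned long v, char *buf, size_t n)
{
    unsigned major  = (v >> 28) & 0xf;
    unsigned minor  = (v >> 20) & 0xff;
    unsigned fix    = (v >> 12) & 0xff;
    unsigned patch  = (v >> 4)  & 0xff;
    unsigned status = v & 0xf;
    char patch_str[2] = { 0, 0 };
    char status_str[16] = "";

    if (patch >= 1 && patch <= 26)
        patch_str[0] = (char)('a' + patch - 1);
    if (status == 0)
        snprintf(status_str, sizeof status_str, "-dev");
    else if (status < 0xf)
        snprintf(status_str, sizeof status_str, "-beta%u", status);
    snprintf(buf, n, "%u.%u.%u%s%s", major, minor, fix, patch_str, status_str);
    return buf;
}

int main(void)
{
    /* Constructed sample values, one per side of the fix boundary. */
    unsigned long samples[] = { 0x1000106fUL, 0x1000107fUL, 0x10002001UL };
    char buf[32];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s affected=%d\n",
               format_version(samples[i], buf, sizeof buf),
               heartbleed_affected(samples[i]));
    return 0;
}
```

    In a build of your own code against a system OpenSSL, the same comparison can be made at compile time with `#if OPENSSL_VERSION_NUMBER >= 0x1000100fL && OPENSSL_VERSION_NUMBER < 0x1000107fL`, but the runtime check above is the one to use when the library is loaded dynamically and its version is only known from SSLeay() or the `openssl version` output.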

    3. Impact


    By attacking a service that uses a vulnerable version of OpenSSL, a remote, unauthenticated attacker may be able to retrieve sensitive information, such as secret keys or session IDs.

    Figure 1. (Example) Information leak of the data stored in the memory of an SSL server.
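    The leak arises because a heartbeat handler copies as many payload bytes as the peer's length field declares, without confirming that the record actually contains that many bytes. The following is an added example, not code from this advisory or from OpenSSL: a small heartbeat message validator and responder that performs the length check the 1.0.1g fix added. It assumes the RFC 6520 message layout (type, 2-byte big-endian payload_length, payload, at least 16 bytes of padding) and uses constructed sample records rather than captured traffic.

```c
/* Added example (not the advisory's or OpenSSL's code): validate a TLS
 * heartbeat message before echoing its payload, so that the response can
 * never read past the bytes that were actually received.
 *
 * Layout (RFC 6520):
 *   type (1) | payload_length (2, big-endian) | payload | padding (>= 16)
 * rec_len comes from the TLS record layer and is trustworthy; payload_length
 * is chosen by the peer and must be checked against rec_len. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_MIN_PADDING 16

enum hb_verdict { HB_OK = 0, HB_TOO_SHORT, HB_BAD_TYPE, HB_LENGTH_EXCEEDS_RECORD };

/* Validates the rec_len-byte message at rec. On HB_OK, *payload and
 * *payload_len describe the bytes that may safely be copied. */
enum hb_verdict hb_validate(const uint8_t *rec, size_t rec_len,
                            const uint8_t **payload, size_t *payload_len)
{
    size_t declared;

    /* Header plus minimum padding must fit at all. */
    if (rec_len < 1 + 2 + HB_MIN_PADDING)
        return HB_TOO_SHORT;
    if (rec[0] != HB_REQUEST && rec[0] != HB_RESPONSE)
        return HB_BAD_TYPE;

    declared = ((size_t)rec[1] << 8) | rec[2];

    /* The check the vulnerable versions lacked: header + declared payload +
     * padding must not exceed what was received. */
    if (1 + 2 + declared + HB_MIN_PADDING > rec_len)
        return HB_LENGTH_EXCEEDS_RECORD;

    *payload = rec + 3;
    *payload_len = declared;
    return HB_OK;
}

/* Builds the response to a valid request into out (capacity out_cap).
 * Returns the number of bytes written, or 0 if the request is rejected or
 * out is too small. Padding is zeroed here; real code uses random padding. */
size_t hb_build_response(const uint8_t *req, size_t req_len,
                         uint8_t *out, size_t out_cap)
{
    const uint8_t *payload;
    size_t plen, total;

    if (hb_validate(req, req_len, &payload, &plen) != HB_OK)
        return 0;
    if (req[0] != HB_REQUEST)
        return 0;

    total = 1 + 2 + plen + HB_MIN_PADDING;
    if (total > out_cap)
        return 0;

    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(plen >> 8);
    out[2] = (uint8_t)plen;
    memcpy(out + 3, payload, plen);          /* only bytes verified to exist */
    memset(out + 3 + plen, 0, HB_MIN_PADDING);
    return total;
}

/* Constructed sample records (not captured traffic). Both are 23 bytes:
 * the first declares the 4 payload bytes it really carries, the second
 * declares a 16384-byte payload that is not present. */
static const uint8_t WELL_FORMED_REQ[] = {
    1, 0x00, 0x04, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
static const uint8_t OVERSIZED_REQ[] = {
    1, 0x40, 0x00, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
```

    The point of the two samples is that they are byte-for-byte identical except for the length field: a handler that trusts that field would copy 16384 bytes of whatever follows the 23-byte record in memory into its reply, while hb_validate rejects the message and hb_build_response returns 0.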

    4. Solution


    Apply an update

    This issue is addressed in OpenSSL 1.0.1g. Please refer to the advisories of each product.


    Any system that may have exposed this vulnerability should regenerate any sensitive information (secret keys, passwords, etc.) with the assumption that an attacker has already used this vulnerability to obtain those items.
    #1: New Keys: For all affected systems, acquire new key certificates, revoke your old ones and install the new ones.
    #2: Change Passwords: Once you have patched your systems and changed your keys, and have confirmed that every system has completed those tasks, change the passwords for all users on those systems. Do not do this until everything else is done.

    5. Product Information


    May 9, 2014

    + Control Server & Controller: RS90 series, S10 series, HISEC series <Products Confirmed Not Vulnerable>
    + Industrial Computer: HF-W series <Products Confirmed Not Vulnerable>
    + Industrial Control Platform: HIACS-AZ series, PS21 series <Products Confirmed Not Vulnerable>
    + DCS Platform: HIACS series <Products Confirmed Not Vulnerable>

    April 25, 2014

    + Hitachi Metals XLGMC/XGMC/GMC/GMX/eWAVE/BMC/GMA series <Products Confirmed Not Vulnerable>

    April 22, 2014

    + Hitachi IT Operations <Products Confirmed Not Vulnerable>

    April 21, 2014

    + Virtage <Products Confirmed Not Vulnerable>
    + Virtage Navigator <Products Confirmed Not Vulnerable>
    + HVM Administration Command (HvmSh) <Products Confirmed Not Vulnerable>

    Server/Client products: Solution of OpenSSL Heartbeat Extension Vulnerability (CVE-2014-0160) [Japanese]

    + Hitachi Advanced Server HA8000 series

    + BladeSymphony BS2000 series

    + BladeSymphony BS500 series

    April 18, 2014

    + JP1/VERITAS Backup Exec <Products Confirmed Not Vulnerable>
    + JP1/Hibun <Products Confirmed Not Vulnerable>
    + Hibun AE Full Disk Encryption <Products Confirmed Not Vulnerable>

    + JP1/VERITAS NetBackup

    + ALC NetAcademy2 <Products Confirmed Not Vulnerable>

    April 17, 2014

    + Router / Switch GS/GR series <Products Confirmed Not Vulnerable>
         [GS3000/GS4000]
         [GR2000/GR4000]


    + Hitachi Metals Switch Apresia series <Products Confirmed Not Vulnerable>

    + (VSP) Hitachi Virtual Storage Platform
    + (HUS VM) Hitachi Unified Storage VM


    Hitachi Data Systems Customer
    Please log into https://portal.hds.com, then click the following link to see our Product Affectivity Matrix.

    Solution of OpenSSL Heartbeat Extension Vulnerability (CVE-2014-0160) in Storage Products [Japanese]

    April 16, 2014

    + AlaxalA Networks AX series <Products Confirmed Not Vulnerable>
         [AX8600R/6700S/6600S/6300S, AX4600S/3800S/3600S/2400S]
         [AX7800R/7700R/7800S/5400S]
         [AX2500S/2200S/1200S]
         [AX620R]

    April 14, 2014

    + Hitachi Open Middleware products <Products Confirmed Not Vulnerable>
    + Hitachi Command Suite (Storage and Server Administration) <Products Confirmed Not Vulnerable>

    6. References


    VU#720951: OpenSSL TLS heartbeat extension read overflow discloses sensitive information (2014-04-07)
    http://www.kb.cert.org/vuls/id/720951


    CVE-2014-0160
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160


    OpenSSL Security Advisory [07 Apr 2014] - TLS heartbeat read overrun (CVE-2014-0160)
    http://www.openssl.org/news/secadv_20140407.txt

    7. Update history


    May 12, 2014

    • Updated: Product Information in "May 9 2014".

    April 30, 2014

    • Updated: Product Information in "April 25 2014".

    April 23, 2014

    • Updated: Product Information in "April 21-22 2014".

    April 19, 2014

    • Updated: Product Information in "April 18 2014".

    April 18, 2014

    • Updated: Product Information in "April 17 2014".

    April 17, 2014

    • This webpage was newly created and published.

    Masato Terada (HIRT) and Naoko Ohnishi (HIRT)