Security Bulletin: IBM Endpoint Manager 9.1.1065 - OpenSSL TLS Heartbeat Read Overrun Vulnerability

(imported topic written by GreenEagleLeader)

There is an OpenSSL vulnerability that could allow an attacker to compromise the IBM Endpoint Manager root server signing key. Both Windows and Linux server deployments are affected. Note that the site admin key cannot be compromised using this vulnerability.

IMMEDIATE ACTIONS:

  • If you are using Endpoint Manager 9.0 or earlier, you are unaffected. You should delay upgrading to 9.1 until a patch is released. We have removed the 9.1 upgrade fixlets from BES Support.

  • If you are using Endpoint Manager 9.1, you can mitigate your exposure to this vulnerability by taking the following steps until a 9.1 patch is released:

    1. Limit network access to the root server to only trusted hosts.
    2. Rotate the server signing key on the root server on a regular basis [a].
    3. If any custom HTTPS keys are being used in the root server or web reports, those keys should also be rotated.
    4. Avoid sending any sensitive data via mailboxes or secure parameters to relays or the root server.
    5. Consider temporarily disconnecting any internet-facing relays.

[a] http://www-01.ibm.com/support/docview.wss?uid=swg21669587

BACKGROUND:

An OpenSSL vulnerability was announced today in versions 1.0.1 and 1.0.2 of OpenSSL. This vulnerability is officially named "TLS heartbeat read overrun (CVE-2014-0160)" and has come to be colloquially named “The Heartbleed Bug”.

Official advisory: http://www.openssl.org/news/secadv_20140407.txt

More details: http://heartbleed.com

Any software that uses an affected version of OpenSSL and is a TLS server is vulnerable.
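The "read overrun" is a missing bounds check: a TLS heartbeat message (RFC 6520) carries its own payload length, and the affected OpenSSL versions copied that many bytes back to the peer without confirming the bytes actually arrived inside the record. The Python below is an added example, not IBM's or OpenSSL's code; it parses a heartbeat record body with the length check that the fix introduced, builds well-formed messages, and classifies captured records for monitoring. Protocol constants are the RFC values; the sample records and the `triage_record` helper are constructed here for illustration.

```python
import struct

# RFC 6520 protocol values (not assumptions).
TLS_RECORD_HEARTBEAT = 24
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16  # every heartbeat message must end in at least 16 padding bytes


def parse_heartbeat(record_body: bytes):
    """Parse a heartbeat message body with the bounds check from the CVE-2014-0160 fix.

    record_body is what follows the 5-byte TLS record header of a content-type-24
    record. Returns (type, payload) for a well-formed message, or None when the
    message must be silently discarded.
    """
    # Shortest legal message: 1 type byte + 2 length bytes + 16 padding bytes.
    if len(record_body) < 1 + 2 + MIN_PADDING:
        return None
    hb_type = record_body[0]
    if hb_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        return None
    (payload_len,) = struct.unpack("!H", record_body[1:3])
    # The check the vulnerable code lacked: the declared payload plus the mandatory
    # padding must fit inside the bytes that were actually received.
    if 1 + 2 + payload_len + MIN_PADDING > len(record_body):
        return None
    return hb_type, bytes(record_body[3:3 + payload_len])


def build_heartbeat(hb_type: int, payload: bytes, padding_len: int = MIN_PADDING) -> bytes:
    """Build a heartbeat message body whose declared length matches the payload."""
    if padding_len < MIN_PADDING:
        raise ValueError("padding must be at least 16 bytes")
    return bytes([hb_type]) + struct.pack("!H", len(payload)) + payload + b"\x00" * padding_len


def wrap_record(body: bytes, version: bytes = b"\x03\x02") -> bytes:
    """Prepend the 5-byte TLS record header: content type 24, version, body length."""
    return bytes([TLS_RECORD_HEARTBEAT]) + version + struct.pack("!H", len(body)) + body


def split_record(record: bytes):
    """Return (version, body) for a heartbeat record, or None if it is not one."""
    if len(record) < 5 or record[0] != TLS_RECORD_HEARTBEAT:
        return None
    (length,) = struct.unpack("!H", record[3:5])
    body = record[5:]
    if len(body) != length:
        return None
    return record[1:3], body


def triage_record(record: bytes) -> str:
    """Classify a captured record (hypothetical monitoring helper):
    'ok', 'malformed' (declared payload does not fit the record) or 'not-heartbeat'.
    """
    parts = split_record(record)
    if parts is None:
        return "not-heartbeat"
    _, body = parts
    return "ok" if parse_heartbeat(body) is not None else "malformed"


# Constructed samples for the parser, not captured traffic.
GOOD_RECORD = wrap_record(build_heartbeat(HEARTBEAT_REQUEST, b"ping"))
# Declared payload length far larger than the bytes that follow it.
MALFORMED_RECORD = wrap_record(
    bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", 0x4000) + b"\x00" * MIN_PADDING
)

if __name__ == "__main__":
    for name, rec in (("good", GOOD_RECORD), ("malformed", MALFORMED_RECORD)):
        print(name, triage_record(rec))
```

A fixed OpenSSL discards the malformed message and never allocates or copies the declared length, which is why the patch is a one-line length comparison; the same comparison, applied to records on the wire, is the signal a network sensor can use to flag attempts against servers that have not yet been patched.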

This vulnerability affects IBM Endpoint Manager version 9.1. Other versions of Endpoint Manager (9.0.* and earlier) are not affected by this vulnerability because they use an earlier version of OpenSSL.

IMPACT:

This vulnerability impacts IBM Endpoint Manager in several ways. An attacker that can send network requests to the root server can read the root server’s memory and obtain the server signing private key. This key could be used, as part of a man-in-the-middle attack, to impersonate the root server and obtain console login credentials. It can also be used to forge actions that agents will accept as authentic.

An attacker that can send network requests to a 9.1 relay can read the relay’s memory and obtain the private key of the agent on the relay machine. This key can be used to read the contents of mailboxes and secure parameters sent to the target agent. It can also be used to impersonate reports from the agent that the server will accept as genuine.

If you are using any custom SSL certificates for a 9.1 root server or web reports server, the private keys for those certificates could be compromised. If you are using these keys on any other systems, you should rotate them immediately.

REMEDIATION:

The IBM Endpoint Manager team is working on a patch release that will fix this vulnerability. We will make this patch available as soon as possible, and we recommend that you make plans to upgrade from 9.1 to the patch release as soon as it is available.