Moka5 and the Heartbleed OpenSSL Vulnerability
Background

On April 7, 2014, security researchers announced a vulnerability in the popular OpenSSL cryptographic library. This vulnerability, nicknamed “Heartbleed,” allows malicious third parties to read the memory of processes using vulnerable versions of the OpenSSL library (up to 64 KB per malformed TLS heartbeat request, repeatable at will). For example, a third party might exploit this issue to discover passwords or keys on a computer that uses a vulnerable version of OpenSSL, and then use the information obtained to access privileged data on the computer. Because the flaw is in the TLS heartbeat extension rather than in server-only code, it works in both directions: a malicious client can read a vulnerable server's memory, and a malicious or impersonated server can read a vulnerable client's memory. The second case is the one that matters for the Moka5 client components discussed below. This vulnerability affects OpenSSL versions 1.0.1 through 1.0.1f; 1.0.1g fixes it. Moka5 software uses OpenSSL.

Summary

· Moka5 does not currently use vulnerable versions of OpenSSL in our infrastructure. The M5 console and server components are not vulnerable.
· VMware Fusion 6 is vulnerable to Heartbleed, but the circumstances under which this vulnerability could affect a Moka5 deployment are very rare. This vulnerability is fixed in Moka5 3.19.3 and 4.0.1.
· BareMetal versions 3.19.1 and earlier are vulnerable to Heartbleed. We have released 3.19.2 to address this vulnerability. See the “BareMetal and Heartbleed” section for more details.

VMware Fusion 6 and Heartbleed

On April 10th, VMware released a Security Alert and Knowledge Base article disclosing that VMware Fusion 6 is vulnerable to Heartbleed. The Moka5 3.19.3 and 4.0.1 patches include VMware Fusion 6.0.3, which is protected against the Heartbleed vulnerability. If you are running Moka5 3.19.2 or earlier, or Moka5 4.0, we strongly recommend updating your installation to 3.19.3 or 4.0.1.

Moka5 versions 3.18, 3.19, and 4.0 deploy and manage Fusion 6 on OS X platforms. By default, Fusion managed by Moka5 is not vulnerable; however, it is technically possible under unlikely circumstances that an attacker could exploit the vulnerability in Fusion to read memory from the Fusion process. LivePC memory is in a separate process, and is therefore not exposed to this attack.
For an attacker to exploit this vulnerability in Fusion on a Moka5 host computer, all of the following conditions must exist:

· The host computer must be OS X with an M5 version 3.18.x, 3.19.x, or 4.0 client
· VMware’s server that Fusion contacts for software updates has been compromised, or there is a malicious “man in the middle” server masquerading as this server
· A Moka5 OS X end user has manually enabled the Fusion option to “Automatically check for updates” via the Fusion preferences, or manually selects “Check for Updates…” from the VMware Fusion menu

OR

· The host computer must be OS X with an M5 version 3.18.x, 3.19.x, or 4.0 client
· VMware’s server that Fusion contacts to report system data and usage statistics has been compromised, or there is a malicious “man in the middle” server masquerading as this server
· A Moka5 OS X end user has manually enabled Fusion to “Send anonymous system data and usage statistics” via the Fusion preferences

By default, Moka5 disables the Fusion options to “Automatically check for updates” and to “Send anonymous system data and usage statistics.” In addition, Moka5 resets these options to “off” each time a LivePC is started, even if they were manually enabled by the user. Note that the reset is applied at LivePC start: it does not prevent a user from re-enabling an option, or choosing “Check for Updates…” once from the menu, between LivePC starts, which is why the log check that follows is worth running on hosts that ran a pre-6.0.3 Fusion.

Recent VMware Fusion connection activity with VMware servers can be determined by inspecting the Fusion logs on the host in ~/Library/Logs/VMware Fusion/ and filtering for connections to “softwareupdate.VMware.com” or “ueip.VMware.com”.

BareMetal and Heartbleed

BareMetal 3.19.1 and earlier use versions of the OpenSSL library that are vulnerable to Heartbleed. For an attacker to exploit this vulnerability in BareMetal, the following conditions must exist:

· The host computer must be an M5 BareMetal client of version 3.19.1 or earlier
· There is a malicious “man in the middle” server masquerading as a MokaFive Management Server, Image Store, or Replica

The Moka5 3.19.2 patch upgrades the library and removes the vulnerability.
If you are a BareMetal customer running Moka5 3.19.1 or earlier, we strongly recommend updating your installation to 3.19.2 or higher. You can download the patch from our Customer Service Portal. To learn more, read the updated Release Notes.

More Information

If you are interested in learning more about Heartbleed, you can find more information at the links below:

· http://heartbleed.com/
· http://arstechnica.com/security/2014/04/critical-crypto-bug-in-openssl-opens-two-thirds-of-the-web-to-eavesdropping/
· https://www.openssl.org/news/secadv_20140407.txt
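The Fusion log check described in the “VMware Fusion 6 and Heartbleed” section above, scripted as an added example. This is not Moka5's or VMware's code. It scans a log directory for lines that mention VMware's software-update host or its usage-statistics host; the default directory is the path the advisory gives, and the log lines used for the offline demo are constructed for this example, not captured from a real Fusion install (the timestamp layout imitates VMware's logs, the message text is made up).

```shell
#!/bin/sh
# Added example (not Moka5's or VMware's code): the Fusion log check from the
# advisory. Scans a log directory for lines mentioning the two VMware hosts
# that a vulnerable Fusion 6 contacts when the relevant preferences are on.

# Default to the Fusion log directory named in the advisory; override with
# FUSION_LOGDIR to scan a copy pulled from another machine.
FUSION_LOGDIR="${FUSION_LOGDIR:-$HOME/Library/Logs/VMware Fusion}"

# Print every matching line (prefixed with its file name) from all files
# under $1. Hostnames are matched case-insensitively and the dots are
# escaped so "vmware.com" cannot match "vmwareXcom". Rotated *.log.N files
# are plain text and are included by -r; compressed *.gz files are not.
fusion_vmware_contacts() {
    grep -r -i -e 'softwareupdate\.vmware\.com' -e 'ueip\.vmware\.com' -- "$1" 2>/dev/null
}

# Number of matching lines, for a quick yes/no answer per host.
fusion_vmware_contact_count() {
    fusion_vmware_contacts "$1" | wc -l | tr -d ' '
}

# Which of the two hosts appear at all, one per line, lowercased and
# de-duplicated, so the result says "updates", "statistics", or both.
fusion_vmware_hosts_seen() {
    fusion_vmware_contacts "$1" \
        | tr 'A-Z' 'a-z' \
        | grep -o -e 'softwareupdate\.vmware\.com' -e 'ueip\.vmware\.com' \
        | sort -u
}

# Constructed demo log (not real Fusion output) so the functions can be
# exercised offline: two lines name a VMware host, two do not.
demo_dir=$(mktemp -d)
cat > "$demo_dir/vmware-vmfusion.log" <<'EOF'
2014-04-11T09:12:03.210-07:00| vmfusion| I120: Log for VMware Fusion pid=4242 version=6.0.2
2014-04-11T09:12:05.001-07:00| vmfusion| I120: Checking softwareupdate.VMware.com for updates
2014-04-11T09:14:22.118-07:00| vmfusion| I120: Sending usage statistics to ueip.vmware.com
2014-04-11T09:14:22.119-07:00| vmfusion| I120: Preferences saved
EOF

echo "Demo scan of $demo_dir:"
fusion_vmware_contacts "$demo_dir"
echo "Matching lines: $(fusion_vmware_contact_count "$demo_dir")"
echo "Hosts seen:"
fusion_vmware_hosts_seen "$demo_dir"

# The real check, only if this machine actually has Fusion logs.
if [ -d "$FUSION_LOGDIR" ]; then
    echo "Matching lines in $FUSION_LOGDIR: $(fusion_vmware_contact_count "$FUSION_LOGDIR")"
    fusion_vmware_hosts_seen "$FUSION_LOGDIR"
fi
```

Two caveats when reading the result. A match shows only that Fusion contacted the host, not that the host (or the path to it) was malicious; it identifies machines that were exposed while running a pre-6.0.3 Fusion, which is the population to prioritise for the 3.19.3 or 4.0.1 update. No match is not proof that no connection was made: Fusion logs rotate, and a single “Check for Updates…” from the menu leaves only as much history as the current rotation keeps.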