LANDESK is aware of the vulnerability inside of OpenSSL and we are currently finishing the process of publishing a patch for it. We will update this document with further information as we have it. We appreciate your patience.
As updates become available, including any additional information about how this vulnerability affects LANDESK products and progress for any updates or patches, they will be added to this document.
Latest Updates
Resolution of Known issue - June 9, 2014 (1:00PM MDT)
LANDESK has released a patch for the Cloud Services Appliance, and it is now available. This patch updates OpenSSL to the latest version, which isn't susceptible to this vulnerability.
June 13, 2014 (4:00PM MDT)
LANDESK has been testing the latest version of OpenSSL in the Management Suite product to verify that using this version will not have any adverse effects on the product.
June 7, 2014 (4:00PM MDT)
LANDESK is aware of the OpenSSL vulnerability CVE-2014-0224, or Man in the Middle attack. LANDESK is already working on a patch for the Cloud Services Appliance and LANDESK Management Suite.
What is this vulnerability?
From CVE: "OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the "CCS Injection" vulnerability."
For more information, please see CVE - CVE-2014-0224.
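An added example (not LANDESK code): a Python check of an OpenSSL version string against the fixed releases named in the CVE text above, usable when auditing the third-party package servers this document mentions. The function names and the sample banners are constructed for illustration.

```python
import re

# First fixed release per branch, taken from the CVE text quoted above.
FIXED = {(0, 9, 8): "za", (1, 0, 0): "m", (1, 0, 1): "h"}

# Matches `openssl version` output ("OpenSSL 1.0.1g ...") and the
# "OpenSSL/0.9.8y" token some web servers put in their Server header.
VERSION_RE = re.compile(r"OpenSSL[ /](\d+)\.(\d+)\.(\d+)([a-z]*)")


def letter_key(letter):
    # Patch letters run a..z, then za, zb, ...; ordering by length first
    # gives "" < "a" < "z" < "za".
    return (len(letter), letter)


def parse_version(banner):
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError("no OpenSSL version found in %r" % banner)
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix)), letter


def is_affected(banner):
    """True if the upstream version falls in the ranges the CVE text lists.

    Caveat: distribution packages can carry a backported fix without
    changing the version letter, so a True result for a distro build
    still has to be checked against that vendor's advisory.
    """
    branch, letter = parse_version(banner)
    if branch < (0, 9, 8):
        return True  # "OpenSSL before 0.9.8za" covers older branches
    fixed = FIXED.get(branch)
    if fixed is None:
        return False  # branch not named in the CVE text
    return letter_key(letter) < letter_key(fixed)


if __name__ == "__main__":
    samples = [  # constructed sample banners
        "OpenSSL 1.0.1g 7 Apr 2014",
        "OpenSSL 1.0.1h 5 Jun 2014",
        "Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/0.9.8y",
        "OpenSSL 0.9.8za",
    ]
    for s in samples:
        print("%-55s %s" % (s, "AFFECTED" if is_affected(s) else "fixed"))
```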
How does this affect LANDESK?
Affected Product(s)
LANDESK Management Suite / Security Suite 9.0 and later
LANDESK Cloud Services Appliance 4.2 and later
Non-Affected Product(s)
LANDESK Asset Lifecycle Manager
LANDESK Service Desk, including Service Desk as a Service (SDaas)
Mobility products including Wavelink, Avalanche on Demand, and LANDESK Mobility Management
Shavlik Products
Other LANDESK Cloud Services
Additionally, none of the LANDESK customer or partner-facing websites are impacted by this vulnerability.
More Details
The following outlines additional details about affected products, services and updates:
Internal Network(s)
LANDESK Management Suite Core Server
Can potentially impact communication between the Core and the Cloud Services Appliance. See below for more information about the CSA.
Communication via IIS is not affected.
This has been patched in LANDESK Management Suite 9.6.
Package Server
Any package server being used by LANDESK that might use OpenSSL could be affected, for example an Apache web server or NAS device. Please check with the appropriate party for an update to these applications or servers.
LANDESK will not be producing any update or change to address any third party applications or servers.
LANDESK Management Suite Client
The vulnerable OpenSSL libraries are used in the LANDESK CBA Client and Remote Control components. However, these services operate on non-standard ports. There is also an additional layer of protection afforded by the authentication these services require.
The CBA/Resident Agent components respond to "push" requests from the Core Server to perform certain tasks. These tasks can include inventory scans, software deployments, patching, custom scripts and others. For these requests, additional threads and processes are used, thus limiting the memory available to this vulnerability. The private key for these interactions is stored on the Core Server. LANDESK has been unable to find any instance where the private key or user credentials are sent to the Resident Agent.
External Network(s)
Cloud Services Appliance
All data on the Cloud Services Appliance is encrypted using SHA1. The data that could be exposed through this vulnerability will not grant access to usernames, passwords or private keys.
CSA patch GSB431_146 is posted to the servers and is available now for 4.3 CSA versions.
- LANDESK Support