LANDESK is aware of the vulnerability in OpenSSL and we are currently in the process of investigating it. We will update this document with further information as we have it. We appreciate your patience.
As updates are available, including any additional information about how this vulnerability affects LANDESK products and progress for any updates or patches, it will be added to this document.
What is this vulnerability?
There is a bug in OpenSSL's implementation of the TLS/DTLS (transport layer security protocols) heartbeat extension (RFC 6520). When it is exploited, it leaks memory contents from the server to the client and from the client to the server.
From CVE: "The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug."
For more information, please see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160 and http://heartbleed.com/
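The over-read described above comes down to one missing bounds check: the heartbeat handler trusted the 16-bit payload_length field in the message instead of comparing it with the number of bytes actually received. The following C code is an added illustration (not LANDESK's or OpenSSL's code) of the hardened handling that OpenSSL 1.0.1g introduced, plus a small detection helper a defender can use to flag records whose declared payload exceeds the record. The two sample records are constructed for this example; the function names hb_build_response and hb_overread_bytes are assumptions, not OpenSSL API names.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* RFC 6520 heartbeat message types. */
#define HB_REQUEST      1
#define HB_RESPONSE     2
#define HB_MIN_PADDING 16   /* RFC 6520 requires at least 16 bytes of padding */

/* Declared payload length (network byte order) from a heartbeat record. */
static size_t hb_declared_payload_len(const uint8_t *rec)
{
    return ((size_t)rec[1] << 8) | rec[2];
}

/* Detection helper (hypothetical name): how many bytes past the end of the
 * received record a length-trusting implementation would have copied into its
 * response. 0 means the declared length fits inside the record. */
size_t hb_overread_bytes(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < 3) return 0;
    size_t declared  = hb_declared_payload_len(rec);
    size_t available = rec_len - 3;        /* bytes after type + length */
    return declared > available ? declared - available : 0;
}

/* Hardened handler (hypothetical name): validate the record the way OpenSSL
 * 1.0.1g does, then build the HeartbeatResponse. Returns bytes written to out,
 * or -1 when the record must be silently discarded. */
int hb_build_response(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    /* Need type, 2-byte length and the minimum padding before trusting any field. */
    if (rec_len < 1 + 2 + HB_MIN_PADDING) return -1;
    if (rec[0] != HB_REQUEST) return -1;

    size_t payload_len = hb_declared_payload_len(rec);
    /* The bounds check that was missing before 1.0.1g: the declared payload plus
     * the mandatory padding must fit inside the record actually received. */
    if (1 + 2 + payload_len + HB_MIN_PADDING > rec_len) return -1;

    size_t resp_len = 1 + 2 + payload_len + HB_MIN_PADDING;
    if (resp_len > out_cap) return -1;

    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)(payload_len & 0xff);
    memcpy(out + 3, rec + 3, payload_len);            /* echo only what was received */
    memset(out + 3 + payload_len, 0, HB_MIN_PADDING); /* real code uses random padding */
    return (int)resp_len;
}

/* Constructed sample records (not captured traffic). */
/* Well-formed: type=1, payload_length=4, payload "ping", 16 bytes padding. */
const uint8_t kGoodRecord[] = {
    0x01, 0x00, 0x04, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};
/* Malformed: the same 23 bytes on the wire, but payload_length claims 16384 bytes. */
const uint8_t kBadRecord[] = {
    0x01, 0x40, 0x00, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};

int main(void)
{
    uint8_t out[64];
    int n = hb_build_response(kGoodRecord, sizeof kGoodRecord, out, sizeof out);
    printf("good record: response length %d, over-read %zu bytes\n",
           n, hb_overread_bytes(kGoodRecord, sizeof kGoodRecord));
    n = hb_build_response(kBadRecord, sizeof kBadRecord, out, sizeof out);
    printf("bad record: response length %d (discarded), over-read %zu bytes\n",
           n, hb_overread_bytes(kBadRecord, sizeof kBadRecord));
    return 0;
}
```

The same comparison (declared payload length against the TLS record length) is what network-level detection rules for this bug key on, so hb_overread_bytes can be reused as the core of a log or capture check, while hb_build_response shows the behaviour a patched build exhibits: the malformed record is dropped rather than answered.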
How does this affect LANDESK?
Affected Product(s)
LANDESK Management Suite / Security Suite 9.5 and later
LANDESK Cloud Services Appliance 4.2 with OpenSSL update/patch and later
LANDESK Cloud Services Appliance 4.3 and later
Non-Affected Product(s)
LANDESK Management Suite 9.0 and earlier (uses prior, unaffected version of OpenSSL)
LANDESK Cloud Services Appliance 4.2 (without OpenSSL update/patch)
LANDESK Asset Lifecycle Manager
LANDESK Service Desk, including Service Desk as a Service (SDaas)
Mobility products including Wavelink, Avalanche on Demand, and LANDESK Mobility Management
Shavlik Products
Other LANDESK Cloud Services
Additionally, none of the LANDESK customer or partner-facing websites are impacted by this vulnerability.
More Details
The following outlines additional details about affected products, services and updates.
Internal Network(s)
LANDESK Management Suite Core Server
Can potentially impact communication between the Core and the Cloud Services Appliance. See below for more information about the CSA.
Communication via IIS is not affected.
LANDESK is working on an update to address these concerns and will update this document as appropriate.
Package Server
Any package server used by LANDESK that might use OpenSSL could be affected, for example an Apache web server or a NAS device. Please check with the appropriate party for an update to these applications or servers.
LANDESK will not be producing any update or change to address any third party applications or servers.
LANDESK Management Suite Client
The vulnerable OpenSSL libraries are used in the LANDESK CBA Client component. However, this service operates on non-standard ports, and the authentication these services require affords an additional layer of protection.
LANDESK is working on an update to address these concerns and will update this document as appropriate.
External Network(s)
Cloud Services Appliance
All data on the Cloud Services Appliance is encrypted using SHA1. The data that could be exposed through this vulnerability will not grant access to usernames or passwords.
We anticipate we will have a patch for the 4.3 Cloud Services Appliance available by 04/18/2014.
- LANDESK Support