ExtremeCloud IQ- Site Engine & Extreme Management Center

Extreme Networks update on the OpenSSL vulnerability called “Heartbleed"


  • 1.  Extreme Networks update on the OpenSSL vulnerability called “Heartbleed"

    Posted 04-12-2014 03:07
    Patches will be available for all affected products by Monday (4/14). Reference the Extreme Networks CERT VU#720951 Vulnerability Advisory note for additional details. http://learn.extremenetworks.com/rs/extreme/images/CERT_VU%23720951_Vulnerability_Advisory_04_11_2014v2.pdf


  • 2.  RE: Extreme Networks update on the OpenSSL vulnerability called “Heartbleed"

    Posted 04-12-2014 13:30
    ExtremeXOS 15.4.1.3-patch1-10 has been released and it is ready to download.


  • 3.  RE: Extreme Networks update on the OpenSSL vulnerability called “Heartbleed"

    Posted 04-14-2014 03:26
    Extreme switches won't be affected as long as "https" is disabled, as in the test result below, but it is strongly recommended not to use a version that does not have the patch. Below is the result of the nmap scan used to identify the vulnerability.

    #####################################
    nmap -sV -p 443 --script=ssl-heartbleed.nse 10.120.120.90

    Starting Nmap 6.45 ( http://nmap.org ) at 2014-04-14 12:15 SGT
    Warning: File ./nmap-services exists, but Nmap is using /usr/local/bin/../share/nmap/nmap-services for security and consistency reasons.
    set NMAPDIR=. to give priority to files in your local directory (may affect the other data files too).
    Nmap scan report for 10.120.120.90
    Host is up (0.0016s latency).
    PORT STATE SERVICE VERSION
    443/tcp closed https

    Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 0.46 seconds
    #####################################

    #####################################
    * X440-24t-10G-USB2.16 # sh "Mgmt"
    Primary IP: 10.120.120.90/24

    * X440-24t-10G-USB2.11 # sh ver
    Switch : 800475-00-10 1323N-44095 Rev 10.0 BootROM: 2.0.1.7 IMG: 15.4.1.3
    PSU-1 : Internal Power Supply
    PSU-2 :

    Image : ExtremeXOS version 15.4.1.3 v1541b3-patch1-1 by release-manager
    on Fri Jan 17 15:25:46 EST 2014
    BootROM : 2.0.1.7
    Diagnostics : 6.3

    * X440-24t-10G-USB2.12 # sh management
    CLI idle timeout : Enabled (20 minutes)
    CLI max number of login attempts : 3
    CLI max number of sessions : 8
    CLI paging : Enabled (this session only)
    CLI space-completion : Disabled (this session only)
    CLI configuration logging : Disabled
    CLI scripting : Disabled (this session only)
    CLI scripting error mode : Ignore-Error (this session only)
    CLI persistent mode : Persistent (this session only)
    CLI prompting : Enabled (this session only)
    Telnet access : Enabled (tcp port 23 vr all)
    : Access Profile : not set
    SSH access : Enabled (Key valid, tcp port 22 vr all)
    : Access Profile : not set
    Web access : Disabled (tcp port 80)
    : Access Profile : not set
    Total Read Only Communities : 1
    Total Read Write Communities : 1
    RMON : Disabled
    SNMP access : Enabled
    : Access Profile : not set
    SNMP Compatibility Options :
    GETBULK Reply Too Big Action : Too Big Error
    SNMP Traps : Enabled
    SNMP v1/v2c TrapReceivers : None

    SNMP stats: InPkts 0 OutPkts 0 Errors 0 AuthErrors 0
    Gets 0 GetNexts 0 Sets 0 Drops 0
    SNMP traps: Sent 0 AuthTraps Enabled
    SNMP inform: Sent 0 Retries 0 Failed 0

    * X440-24t-10G-USB2.14 # disable web https
    SSL Module: Not Installed
    #####################################

    Used the script from this website: http://hackertarget.com/testing-heartbleed-with-the-nmap-nse-script/



  • 4.  RE: Extreme Networks update on the OpenSSL vulnerability called “Heartbleed"

    Posted 04-14-2014 11:12
    Still not able to see the Patch 1-10 release.


  • 5.  RE: Extreme Networks update on the OpenSSL vulnerability called “Heartbleed"

    Posted 04-14-2014 12:19
    I got a confirmation mail saying that it has been uploaded. Can you please check again in our eSupport web portal?

    Thanks


  • 6.  RE: Extreme Networks update on the OpenSSL vulnerability called “Heartbleed"

    Posted 04-14-2014 12:26
    I've rechecked.


  • 7.  RE: Extreme Networks update on the OpenSSL vulnerability called “Heartbleed"

    Posted 04-14-2014 12:26
    PJ, we just verified the patch is definitely posted. If you are not able to access it, I suggest you call into the TAC so we can get this sorted out for you ASAP.

    thanks
    Mike


  • 8.  RE: Extreme Networks update on the OpenSSL vulnerability called “Heartbleed"

    Posted 04-14-2014 12:26
    Thanks for sorting it out.


  • 9.  RE: Extreme Networks update on the OpenSSL vulnerability called “Heartbleed"

    Posted 04-14-2014 16:46
    See also, in the FAQ section of this forum:
    16131, "Extreme Networks Response to US-CERT Vulnerability Advisory VU#720951" (http://bit.ly/1n6cUcI).


  • 10.  RE: Extreme Networks update on the OpenSSL vulnerability called “Heartbleed"

    Posted 04-14-2014 17:22
    This reply was created from a merged topic originally titled Extreme Networks Response to US-CERT Vulnerability Advisory VU#720951. Article ID: 16131

    Products
    Black Diamond Series X8, 8900, and 8800 running EXOS version 15.4.1
    Summit Series X770, X670, X480, X460, X440, X430, E4G-200, and E4G-400 running EXOS version 15.4.1
    64-bit (Ubuntu) hardware-based and virtual NetSight appliances running version 4.4, 5.0, 5.1, or 6.0
    64-bit (Ubuntu) hardware-based and virtual NAC & IA appliances running version 5.0, 5.1, or 6.0
    64-bit (Ubuntu) hardware-based and virtual Purview appliances running version 6.0

    Discussion
    On April 7 2014, US-CERT issued advisory 720951.
    (This issue is also tracked as CVE-2014-0160, and discussed in 16130.)

    The advisory overview:
        OpenSSL 1.0.1 contains a vulnerability that could disclose sensitive private information to an attacker. This vulnerability is commonly referred to as "heartbleed."

    The advisory impact:
        By attacking a service that uses a vulnerable version of OpenSSL, a remote, unauthenticated attacker may be able to retrieve sensitive information, such as secret keys. By leveraging this information, an attacker may be able to decrypt, spoof, or perform man-in-the-middle attacks on network traffic that would otherwise be protected by OpenSSL.

    The advisory lists a number of affected vendors, including "Extreme Networks" and "Enterasys Networks".

    If within the advisory the hyperlinked "Extreme Networks" or "Enterasys Networks" Information still reads "No statement is currently available from the vendor regarding this vulnerability.", then please refer to this statement (.pdf, 200 KB) submitted to US-CERT on April 11 2014.

    EXOS 15.4.1.3-patch1-10 is available for download via eSupport's "Download Software Updates" link.
    The NetSight patch is available for download from the NMS Product page, or here (1.5 MB).
    A set of Dragon signatures was released on April 9, to assist in detecting attempted exploits.


  • 11.  RE: Extreme Networks update on the OpenSSL vulnerability called “Heartbleed"

    Posted 04-14-2014 17:22


  • 12.  RE: Extreme Networks update on the OpenSSL vulnerability called “Heartbleed"

    Posted 04-14-2014 17:23
    This reply was created from a merged topic originally titled Heartbleed OpenSSL Vulnerability in NMS/Oneview or Wireless Controller. Are NMS/Oneview, or the wireless controller at risk of the Heartbleed OpenSSL vulnerability? What revision levels are at risk? Is there a corporate statement of exposure risk and mitigation?
    See the similar post about XOS.
    https://community.extremenetworks.com/extreme/topics/heartbleed_openssl_vulnerability


  • 13.  RE: Extreme Networks update on the OpenSSL vulnerability called “Heartbleed"

    Posted 04-14-2014 17:23
    This reply was created from a merged topic originally titled Response to "Heartbleed" CVE-2014-0160 OpenSSL vulnerability. Article ID: 16130

    Products
    The issue affects products which use OpenSSL 1.0.1 (March 2012) through 1.0.1f for SSL/HTTPS support.
    OpenSSL 1.0.1g, released April 7 2014, resolves the vulnerability.

    Affected:
    • Black Diamond Series X8, 8900, and 8800 running EXOS version 15.4.1
    • Summit Series X770, X670, X480, X460, X440, X430, E4G-200, and E4G-400 running EXOS version 15.4.1
    • 64-bit (Ubuntu) hardware-based and virtual NetSight appliances running version 4.4, 5.0, 5.1, or 6.0
    • 64-bit (Ubuntu) hardware-based and virtual NAC & IA appliances running version 5.0, 5.1, or 6.0
    • 64-bit (Ubuntu) hardware-based and virtual Purview appliances running version 6.0

    Discussion
    Vulnerability notification CVE-2014-0160 was released on April 7 2014.
    Its Overview states:
        The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.

    The high visibility and potentially high impact of this issue have spawned many follow-up reports, which are visible in a web search for "heartbleed" or "CVE-2014-0160".

    Patches have been developed to address this vulnerability across all affected products, and these will be included in subsequent GA releases. Patch availability is discussed in 16131, which addresses this issue being tracked as US-CERT Vulnerability Advisory VU#720951.
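    The length handling behind the CVE text above, as an added example that is neither Extreme's nor OpenSSL's code: a minimal heartbeat responder that applies the bounds check the OpenSSL 1.0.1g fix introduced (header plus claimed payload plus 16 bytes of padding must fit inside the record that was actually received), next to a helper showing how many bytes the pre-fix logic derived from the claimed length field alone. The sample messages are constructed inline; function and constant names are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* RFC 6520 heartbeat message: type(1) | payload_length(2) | payload | padding(>=16). */
#define HB_HDR_LEN 3
#define HB_MIN_PADDING 16

/* Bytes the pre-1.0.1g code copied: derived from the claimed length field alone. */
size_t heartbeat_claimed_len(const uint8_t *msg) {
    return HB_HDR_LEN + (size_t)((msg[1] << 8) | msg[2]) + HB_MIN_PADDING;
}

/* The check the 1.0.1g fix added: header + claimed payload + minimum padding must fit in the
 * record that actually arrived, otherwise the message is silently discarded. */
bool heartbeat_length_ok(const uint8_t *msg, size_t record_len) {
    return record_len >= HB_HDR_LEN + HB_MIN_PADDING && heartbeat_claimed_len(msg) <= record_len;
}

/* Build a heartbeat_response (type 2) echoing the payload; returns bytes written, 0 if rejected. */
size_t heartbeat_respond(const uint8_t *msg, size_t record_len, uint8_t *out, size_t out_cap) {
    if (!heartbeat_length_ok(msg, record_len)) return 0;
    size_t need = heartbeat_claimed_len(msg), plen = need - HB_HDR_LEN - HB_MIN_PADDING;
    if (need > out_cap) return 0;
    out[0] = 2;
    out[1] = msg[1];
    out[2] = msg[2];
    memcpy(out + HB_HDR_LEN, msg + HB_HDR_LEN, plen);   /* only bytes that exist in the record */
    memset(out + HB_HDR_LEN + plen, 0, HB_MIN_PADDING); /* OpenSSL fills padding with random bytes */
    return need;
}

/* Constructed 24-byte request: type 1, claimed length `claimed`, payload "hello", 16 zero bytes.
 * Returns the response length: 24 for an honest claim of 5, 0 when the claim exceeds the record
 * (e.g. 0xFFFF, where the old code would have read heartbeat_claimed_len() = 65554 bytes). */
size_t respond_to_constructed_request(uint16_t claimed) {
    uint8_t req[24] = {1, (uint8_t)(claimed >> 8), (uint8_t)claimed, 'h', 'e', 'l', 'l', 'o'};
    uint8_t out[64];
    return heartbeat_respond(req, sizeof req, out, sizeof out);
}

/* What the old code would have read for the same claim, for comparison. */
size_t old_read_len_for_claim(uint16_t claimed) {
    uint8_t req[3] = {1, (uint8_t)(claimed >> 8), (uint8_t)claimed};
    return heartbeat_claimed_len(req);
}
```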


  • 14.  RE: Extreme Networks update on the OpenSSL vulnerability called “Heartbleed"

    Posted 04-14-2014 17:23


  • 15.  RE: Extreme Networks update on the OpenSSL vulnerability called “Heartbleed"

    Posted 04-14-2014 17:28
    This reply was created from a merged topic originally titled heartbleed OpenSSL vulnerability. Does anyone have any information on whether or not and which Enterasys or Extreme products are affected by this vulnerability?


  • 16.  RE: Extreme Networks update on the OpenSSL vulnerability called “Heartbleed"

    Posted 04-14-2014 17:28
    Quoting Andy_M: "This reply was created from a merged topic originally titled heartbleed OpenSSL vulnerability. Does anyone have any information on whether or not and which Enterasys or Extreme products are affected by this vulnerability?"

    Hi Andy. We have a comprehensive topic about this including a list of affected products. Please visit it for additional information. If you have additional questions, please ask them here in the community! https://getsatisfaction.com/extreme/topics/extreme_networks_update_on_the_openssl_vulnerability_call...


  • 17.  RE: Extreme Networks update on the OpenSSL vulnerability called “Heartbleed"

    Posted 04-16-2014 07:31
    Hi

    After patching NetSight, how can I make sure the bug has been fixed?

    Thanks.
    Kevin


  • 18.  RE: Extreme Networks update on the OpenSSL vulnerability called “Heartbleed"

    Posted 04-16-2014 12:27
    This information was added yesterday to the end of the NetSight Patch readme file, in the copy that is accessible from the end of "Article ID: 16131", as both embedded and hyperlinked above:

        Optional verification of results:
        In 'dpkg -l | grep ssl' command output, the "libssl1.0.0" and "openssl" packages should display version "1.0.1-4ubuntu5.12" if the patch has been successfully applied.


    The last time I checked (yesterday), it had not yet been added to the copy out on the NMS Product page.


  • 19.  RE: Extreme Networks update on the OpenSSL vulnerability called “Heartbleed"

    Posted 04-16-2014 12:27
    Thanks, Paul.