Extreme Networks Response to US-CERT Vulnerability Advisory VU#720951

Article ID: 16131

Black Diamond Series X8, 8900, and 8800 running EXOS version 15.4.1
Summit Series X770, X670, X480, X460, X440, X430, E4G-200, and E4G-400 running EXOS version 15.4.1
64-bit (Ubuntu) hardware-based and virtual NetSight appliances running version 4.4, 5.0, 5.1, or 6.0
64-bit (Ubuntu) hardware-based and virtual NAC & IA appliances running version 5.0, 5.1, or 6.0
64-bit (Ubuntu) hardware-based and virtual Purview appliances running version 6.0

On April 7, 2014, US-CERT issued advisory [code]VU#720951[/code].
(This issue is also tracked as [code]CVE-2014-0160[/code], and is discussed in 16130.)

The advisory overview...
OpenSSL 1.0.1 contains a vulnerability that could disclose sensitive private information to an attacker. This vulnerability is commonly referred to as "heartbleed."

The advisory impact...
By attacking a service that uses a vulnerable version of OpenSSL, a remote, unauthenticated attacker may be able to retrieve sensitive information, such as secret keys. By leveraging this information, an attacker may be able to decrypt, spoof, or perform man-in-the-middle attacks on network traffic that would otherwise be protected by OpenSSL.

The advisory lists a number of affected vendors, including:
Extreme Networks
Enterasys Networks

If within the advisory the hyperlinked [code]Extreme Networks[/code] or [code]Enterasys Networks[/code] vendor information still reads "No statement is currently available from the vendor regarding this vulnerability.", then please refer to this statement (.pdf, 200 KB) submitted to US-CERT on April 11, 2014.

EXOS 15.4.1-patch1-10 is available for download via eSupport's "Download Software Updates" link.
The NetSight patch is available for download from the NMS Product page, or here (1.5 MB).
A set of Dragon signatures was released on April 9 to assist in detecting attempted exploits.
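Signature-style detection of the condition such exploits trigger, as an added example (it is not Extreme's Dragon signature set nor code from this article): it parses TLS heartbeat records per the RFC 6520 layout and flags any whose declared payload length cannot fit inside the record, the check RFC 6520 requires receivers to apply. The sample records are constructed inline, not captured traffic.

```python
import struct

HEARTBEAT = 0x18   # TLS content type for heartbeat messages (RFC 6520)
MIN_PADDING = 16   # RFC 6520 requires at least 16 bytes of padding


def classify_record(record: bytes) -> str:
    """Classify one TLS record: 'not-heartbeat', 'truncated', 'ok' or 'suspicious'."""
    if len(record) < 5:
        return "truncated"
    content_type, _version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != HEARTBEAT:
        return "not-heartbeat"
    body = record[5:5 + rec_len]
    if len(body) < rec_len or len(body) < 3:
        return "truncated"
    _hb_type, payload_len = struct.unpack("!BH", body[:3])
    # RFC 6520 section 4: a receiver must discard the message if
    # payload_length + 3 (header) + 16 (minimum padding) exceeds the record length.
    # Unpatched OpenSSL 1.0.1 skipped this check, which is what heartbleed abuses.
    if payload_len + 3 + MIN_PADDING > rec_len:
        return "suspicious"
    return "ok"


def scan_stream(data: bytes) -> list:
    """Walk consecutive TLS records in a byte stream and classify each one."""
    results = []
    offset = 0
    while offset + 5 <= len(data):
        rec_len = struct.unpack("!H", data[offset + 3:offset + 5])[0]
        results.append(classify_record(data[offset:offset + 5 + rec_len]))
        offset += 5 + rec_len
    return results


# Constructed sample records, not captured traffic.
# Well-formed heartbeat request: 4-byte payload "ping" plus 16 bytes of padding.
GOOD = bytes([0x18, 0x03, 0x02, 0x00, 0x17, 0x01, 0x00, 0x04]) + b"ping" + b"\x00" * 16
# Malformed: declares a 0x4000-byte payload inside a 3-byte record body.
BAD = bytes([0x18, 0x03, 0x02, 0x00, 0x03, 0x01, 0x40, 0x00])
# Application-data record (content type 0x17); not a heartbeat, so ignored.
APP = bytes([0x17, 0x03, 0x02, 0x00, 0x02, 0xAA, 0xBB])

if __name__ == "__main__":
    print(scan_stream(GOOD + APP + BAD))  # ['ok', 'not-heartbeat', 'suspicious']
```

A record classified as "truncated" is reported rather than guessed at, since a partial capture cannot be judged either way.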

Also see this Hub community discussion.
