Archive for April 10th, 2014

Info: Is the IGEL UMS affected by the OpenSSL Heartbleed (CVE-2014-0160) issue?

Thursday, April 10th, 2014

Hello Folks,

I just ran some tests, and it doesn’t look like the IGEL Universal Management Suite is affected by the Heartbleed issue.

You can test against our public UMS Server if you like, but here is the result:

UMS Console Port Default 8443 on our Server 443

I’ve tested the console port 8443 and the client connection port 30001; in both cases the results were OK and did not show any Heartbleed-related issue.

Cheers

Michael

P.S.: Please note that I only ran a test for the latest Version 4.06.100 of the IGEL Universal Management Suite and that my test is not an official statement from IGEL Technology!

Info: OpenSSL Heartbleed (CVE-2014-0160) issue doesn’t have an effect for Citrix Netscaler but..

Thursday, April 10th, 2014

Hello Folks,

Everyone is talking about the OpenSSL Heartbeat/Heartbleed issue and how bad it is… It reminds me a little of the Sasser/MSBlast wave a couple of years ago.

Anyway, if you’re currently using Citrix Netscaler to protect your environment you should take a look at CTX140605.

In general the Citrix Netscaler is not affected by the Heartbleed issue, but please note: by design this does not cover the internal websites running behind the Netscaler on your own servers. If you use an Apache-based web server, for example, you should verify this and upgrade the web server. The Netscaler itself is safe at the moment, and external access to websites hosted in your fabric should also be safe as long as the external connection runs through the Netscaler. The primary risk is internal sites in your company where the Netscaler can or would be bypassed by internal users, if the affected OpenSSL version 1.0.1 is in use.

So the “but…” in the headline points to the fact that most attacks come from internal sources/users, and here the Netscaler will not help you, depending on your network setup, if OpenSSL version 1.0.1 is in use.

I am quite sure a few web-based companies are now feeling sad that they did not use the Netscaler in the past. 🙂

Cheers

Michael

P.S.: If you want to check your site, visit http://filippo.io/Heartbleed/; if your site is “insecure” you should take the following steps asap.

1) Upgrade your web server to a secure OpenSSL version
2) Replace all SSL certificates in use with new ones.
3) Notify all users to renew their passwords (force them)
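The point above is that a fronting Netscaler does not fix the OpenSSL on the servers behind it, so the first job for step 1 is an inventory of which internal hosts run an affected build and which of them internal users can reach without going through the Netscaler. The following is an added example (not from the original post or from Citrix/IGEL) that does that triage over a constructed host list; the affected range it encodes is OpenSSL 1.0.1 through 1.0.1f plus the 1.0.2-beta releases, and the host names and risk labels are assumptions for illustration.

```python
import re
from dataclasses import dataclass

# CVE-2014-0160 (Heartbleed) affects OpenSSL 1.0.1 through 1.0.1f and the
# 1.0.2-beta releases. 1.0.1g and later, 1.0.2 final, and the 0.9.8/1.0.0
# branches are not affected.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-beta\d+)?")


def is_heartbleed_vulnerable(version: str) -> bool:
    """Return True if an 'openssl version' string such as '1.0.1e' is affected."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    major, minor, patch, letter = int(m[1]), int(m[2]), int(m[3]), m[4]
    if (major, minor, patch) == (1, 0, 1):
        # 1.0.1 (no letter) up to and including 1.0.1f are vulnerable
        return letter == "" or letter <= "f"
    if (major, minor, patch) == (1, 0, 2):
        # only the 1.0.2 beta builds shipped with the bug
        return "-beta" in version
    return False


@dataclass
class Host:
    name: str
    openssl_version: str
    behind_netscaler_only: bool  # True if every client path goes via the Netscaler


def triage(hosts):
    """Return (host, risk) pairs. A vulnerable host that internal users can reach
    directly (bypassing the Netscaler) is the 'high' case the post warns about;
    one reachable only through the Netscaler is still vulnerable but lower priority."""
    result = []
    for h in hosts:
        if not is_heartbleed_vulnerable(h.openssl_version):
            risk = "none"
        elif h.behind_netscaler_only:
            risk = "medium"
        else:
            risk = "high"
        result.append((h.name, risk))
    return result


# Constructed sample inventory (hypothetical hosts, not real systems).
INVENTORY = [
    Host("intranet-wiki", "1.0.1e", behind_netscaler_only=False),
    Host("public-portal", "1.0.1f", behind_netscaler_only=True),
    Host("legacy-app", "1.0.0", behind_netscaler_only=False),
    Host("patched-web", "1.0.1g", behind_netscaler_only=False),
]
```

Distribution packages often backport the fix without changing the upstream version string (a patched build can still report 1.0.1e), so treat a "high" or "medium" result as "check the package changelog and re-test", not as a final verdict.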

There are already a lot of articles covering this in more detail, so there is no need to repeat it here… I hope…

P.S.2: Details about the OpenSSL issue can be found here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160