You wish to know if the Symantec Control Compliance Suite (CCS), Symantec Enterprise Security Manager (ESM), or Symantec Risk Automation Suite (SRAS) product is affected by the "Heartbleed" OpenSSL bug (CVE-2014-0160), a defect in the implementation of the TLS/DTLS (transport layer security protocols) heartbeat extension (RFC 6520) that allows highly sensitive material, such as primary key information, to be accessed illicitly.
The following table identifies the products which are affected by the Heartbleed vulnerability. Its columns are Product, OpenSSL Version used, and Affected by Heartbleed; the rows are:
- Risk Automation Suite 4.0.8
- Risk Automation Suite 4.0.7
- Control Compliance Suite components
- Control Compliance Suite content
- Enterprise Security Manager
For Risk Automation Suite 4.0.8, RHEL and SecureRecon agents (Suse, Fedora, and CentOS) are vulnerable.
In order for someone to exploit the OpenSSL vulnerability in the agent, they must cause the agent to connect to a malicious server. Because the agent does not listen on a network port, the likelihood of it being compromised is very low.
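To determine whether a given agent host is actually exposed, the following check, added here as an example and not code from the article or from Symantec, classifies the host's OpenSSL version against the affected range and, on RPM-based agents such as RHEL and CentOS, looks for a backported fix in the package changelog. The version ranges are upstream OpenSSL facts; the function names and the --run flag are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Symantec article: classify the OpenSSL on an
# agent host (RHEL/CentOS/SUSE/Fedora) against CVE-2014-0160 (Heartbleed).
# Upstream OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1 are affected; 1.0.1g
# and 1.0.2-beta2 carry the fix. Enterprise distributions often keep the
# "1.0.1e" version string and backport the fix, so the package changelog is
# checked as a second signal. Function names are the example's own.

# heartbleed_status VERSION -> vulnerable | fixed | not-affected | unknown
heartbleed_status() {
    case "$1" in
        1.0.1|1.0.1[a-f]|1.0.1[a-f]-*|1.0.2-beta1) echo vulnerable ;;
        1.0.1[g-z]*|1.0.2*|1.1.*|3.*)              echo fixed ;;
        0.9.*|1.0.0*)                              echo not-affected ;;
        *)                                         echo unknown ;;
    esac
}

# openssl_version_field LINE -> bare version from an "openssl version" line,
# with a "-fips" suffix removed: "OpenSSL 1.0.1e-fips 11 Feb 2013" -> 1.0.1e
openssl_version_field() {
    printf '%s\n' "$1" | awk '{ sub(/-fips.*/, "", $2); print $2 }'
}

# local_heartbleed_check -> one line describing this host's OpenSSL.
# On RPM-based hosts a changelog entry naming the CVE means the
# distribution shipped a backported fix even though the version string
# still falls in the vulnerable range.
local_heartbleed_check() {
    ver=$(openssl_version_field "$(openssl version 2>/dev/null)")
    status=$(heartbleed_status "$ver")
    if [ "$status" = vulnerable ] && command -v rpm >/dev/null 2>&1 &&
       rpm -q --changelog openssl 2>/dev/null | grep -q CVE-2014-0160; then
        status="fixed (distribution backport)"
    fi
    echo "openssl ${ver:-not found}: $status"
}

# Run the host check only when invoked as: sh heartbleed_check.sh --run
case "${1:-}" in --run) local_heartbleed_check ;; esac
```

A host reported as "vulnerable" with no changelog entry should be patched and its agent authentication token rotated.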
The CERT description (http://www.kb.cert.org/vuls/id/720951) identifies four categories of sensitive information that could be leaked. Using these categories, the data which might be leaked from a SRAS agent if someone were to exploit the vulnerability is as follows:
Primary key material (secret keys): The agent uses an authentication token.
Secondary key material (user names and passwords used by vulnerable services): The agent does not handle secondary key material.
Protected content (sensitive data used by vulnerable services): The content that might be leaked from the agent is the data that is transmitted between the agent and the web portal server over the encrypted connection. This includes configuration scan data from that machine.
Collateral (memory addresses and content that can be leveraged to bypass exploit mitigations): The memory addresses and content of the agent communicating over the network might be leaked.