As you may have seen reported elsewhere, an information disclosure vulnerability (dubbed “Heartbleed” in the press) has been discovered in OpenSSL versions 1.0.1 through 1.0.1f, affecting a wide variety of operating systems, applications, and appliances from multiple vendors. This vulnerability may allow an attacker to read sensitive information from the memory of an affected host by sending specially crafted TLS heartbeat requests. A good general resource for understanding this vulnerability, authored by one of the individuals who uncovered the issue, can be found at http://heartbleed.com/.
KEMP customers with LoadMasters running versions 7.0-12a or 7.0-14a are affected by this vulnerability and should take prompt steps to mitigate. All other LoadMaster 5.x, 6.x, and 7.x versions are unaffected and no action is required. Mitigation requires several steps: patching the vulnerability, then addressing possible prior exploitation. Patching must be completed first for the overall effort to be effective, since any new keys or credentials deployed to an unpatched LoadMaster could be disclosed again.
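As an added example (not part of KEMP's advisory, and not applicable to the LoadMaster itself, whose remedy is the hotfix named in this advisory), the following POSIX shell function classifies an `openssl version` banner against the affected range 1.0.1 through 1.0.1f. It is intended for inventorying the general-purpose hosts that sit alongside the appliance; the sample banners in the comments are constructed.

```shell
#!/bin/sh
# Added example, not KEMP's code: classify an `openssl version` banner as
# inside or outside the Heartbleed-affected range 1.0.1 .. 1.0.1f.
# Exit status 0 = affected, 1 = not affected, 2 = not an OpenSSL banner.
heartbleed_affected() {
    banner="$1"
    # Pull "major.minor.patch" plus an optional letter suffix out of banners
    # such as "OpenSSL 1.0.1e-fips 11 Feb 2013" (constructed sample); the
    # build date and any "-fips" tag are ignored.
    ver=$(printf '%s\n' "$banner" |
          sed -n 's/^OpenSSL[[:space:]]*\([0-9][0-9.]*[a-z]*\).*$/\1/p')
    [ -n "$ver" ] || return 2
    case "$ver" in
        # 1.0.1 with no letter, and 1.0.1a through 1.0.1f, are affected.
        1.0.1|1.0.1[a-f]) return 0 ;;
        # 0.9.8*, 1.0.0*, 1.0.1g and later, 1.0.2 and later are not.
        *)                return 1 ;;
    esac
}

# Report on the OpenSSL library behind this host's CLI, if one is installed.
report_local_openssl() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not on PATH"; return 0; }
    banner=$(openssl version)
    if heartbleed_affected "$banner"; then
        echo "AFFECTED (patch required): $banner"
    else
        echo "not in affected range: $banner"
    fi
}

report_local_openssl
```

A host that reports an affected version still needs the same follow-up this advisory describes for the LoadMaster: patch first, then rotate keys and credentials.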
Customers running LoadMaster version 7.0-12a or 7.0-14a should patch to hotfix version 7.0-14c or newer. Download the latest patch from here.
For additional information and alternative download versions please contact KEMP Support.
Addressing prior exploits:
Because the heartbeat vulnerability can be exploited to disclose arbitrary process memory on the affected device, there are three classes of material that may have been exposed:
Private Key Material:
Your SSL/TLS private keys may have been compromised while running a vulnerable version. Generate new key pairs and CSRs and have your CA issue new certificates to replace every certificate that was deployed on an affected LoadMaster. Do NOT reuse older CSRs or key pairs that were produced on or deployed to a vulnerable device; a CSR carries the public half of its key pair, so a certificate issued from an old CSR binds the same possibly leaked private key.
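The following shell script is an added example, not KEMP's code: it generates a brand-new key pair and CSR with the OpenSSL CLI and then checks two things a practitioner wants to confirm before submitting the CSR: that the new private key differs from the one that was on the vulnerable device, and that the CSR was actually built from the new key. File paths, the 2048-bit RSA key size and the subject DN are assumptions for the example.

```shell
#!/bin/sh
# Added example, not KEMP's code: issue a fresh key pair and CSR for a
# certificate that was deployed on a vulnerable LoadMaster, and verify that
# the new key is really new and that the CSR was built from it.
# Paths, key size and subject DN below are assumptions for the example.
set -e

# Generate a fresh private key and a CSR signed with it.
make_new_csr() {
    cn="$1"; keyfile="$2"; csrfile="$3"
    # Older OpenSSL builds print progress dots on stderr; silence them.
    openssl genrsa -out "$keyfile" 2048 2>/dev/null
    chmod 600 "$keyfile"
    openssl req -new -key "$keyfile" -out "$csrfile" -subj "/CN=$cn"
}

# SHA-256 over the DER encoding of a PEM public key read from stdin.
der_pubkey_fingerprint() {
    openssl pkey -pubin -pubout -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Fingerprint of the public half of a private key file.
key_fingerprint() {
    openssl pkey -in "$1" -pubout | der_pubkey_fingerprint
}

# Fingerprint of the public key embedded in a CSR.
csr_fingerprint() {
    openssl req -in "$1" -pubkey -noout | der_pubkey_fingerprint
}

# Exit 0 only when the replacement private key differs from the old one.
key_was_rotated() {
    old_fp=$(key_fingerprint "$1")
    new_fp=$(key_fingerprint "$2")
    [ -n "$old_fp" ] && [ -n "$new_fp" ] && [ "$old_fp" != "$new_fp" ]
}

# Exit 0 when the CSR carries the public key of the given private key,
# i.e. it was not produced from a leftover key.
csr_matches_key() {
    [ "$(csr_fingerprint "$1")" = "$(key_fingerprint "$2")" ]
}

# Usage (paths and hostname are assumptions):
#   sh rotate_key.sh old.key new.key new.csr www.example.com
if [ $# -eq 4 ]; then
    make_new_csr "$4" "$2" "$3"
    if key_was_rotated "$1" "$2" && csr_matches_key "$3" "$2"; then
        echo "new key pair generated; submit $3 to your CA"
    else
        echo "refusing: key not rotated or CSR/key mismatch" >&2
        exit 1
    fi
fi
```

The fingerprint comparison is what guards against the mistake the advisory warns about: if an old key file is passed in as the "new" key, or an old CSR is re-submitted, the checks fail and the script refuses to report success.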
Secondary Key Material:
Authentication credentials (e.g., usernames/passwords) for your applications may have been compromised. Consider issuing new passwords for sensitive applications.
Sensitive Data:
Sensitive data (e.g., credit card numbers, confidential emails) that would normally be encrypted in flight may have been compromised. Addressing the risks of this class of exposure will be organization-specific and application-specific.
KEMP is committed to resolving security vulnerabilities carefully and quickly. If you think you have found a security flaw in a KEMP product, please send all supporting information to firstname.lastname@example.org.