Security vulnerability CVE-2014-0160 OpenSSL heartbleed

Recently, a vulnerability was disclosed as CVE-2014-0160 and extensively documented at heartbleed.com, affecting the widely used OpenSSL toolkit.  The vulnerability, called "Heartbleed", allows private keys and other in-memory information to be exposed during SSL/TLS communication.

This document describes where Heartbleed affects Aspera products and the remediation steps for each.

How to Check and Verify:

Aspera has reviewed our products to determine which are affected and has issued patches and hotfixes. Use the information below to determine whether an affected version is currently in use. If one is, follow the remediation and mitigation steps outlined, either by applying the patch or by installing the hotfix. A patch does not change the displayed version number, but a hotfix does. To verify:

  • Patch: check the MD5 sums of the files that were replaced against the sums published below
  • Hotfix: ensure the version number matches the fixed version

Mitigation Steps:

Customers should either upgrade to the latest Aspera software package or apply the patches provided.

After a successful patch or upgrade of the Aspera product, verify the result using one of the checks listed above.

Once the systems are upgraded/patched, the security literature from numerous sources such as Heartbleed.com, Bruce Schneier, Ars Technica, and Krebs on Security makes some general recommendations:

  • All certificates should be regenerated with new public/private key pairs.  Any systems that have Certificate Authority (CA) signed certificates will need to contact the CA to have the old certificates revoked and new ones issued for the new private key.  In cases where self-signed certificates are used, it is still advisable to regenerate these certificates.  Instructions specific to the product will be included below.
  • All account passwords should be presumed compromised, even if no evidence of this exists.  Because of the nature of the Heartbleed exploit, there is no way to detect whether a compromise has occurred. Please update passwords and do not reuse passwords that were once used on an affected system.
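The certificate recommendation above, worked through as an added example that is not part of the advisory or of any Aspera tooling: the functions below generate a fresh key pair with a self-signed certificate (or a CSR to send to the CA), and then confirm that the new certificate really carries a different public key than the old one, which is the check that matters after Heartbleed. File names, the directory layout and the subject name are placeholders chosen for the example.

```sh
#!/bin/sh
# Added example (not from the advisory): rotate a TLS key pair and prove the
# key actually changed. Requires the openssl command-line tool.

# SHA-256 fingerprint of the certificate's public key (DER SubjectPublicKeyInfo).
# Comparing this, rather than the certificate serial or dates, tells you whether
# the private key was really replaced or merely re-signed.
pubkey_fingerprint() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -r | awk '{print $1}'
}

# Self-signed case: new 2048-bit RSA key plus a new self-signed certificate.
# Output files (placeholder names): $dir/server.key and $dir/server.crt
regenerate_selfsigned() {
  dir=$1; cn=$2
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=$cn" -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
}

# CA-signed case: new key plus a CSR. Send $dir/server.csr to the CA, install the
# certificate it returns, and ask the CA to revoke the certificate for the old key.
new_csr() {
  dir=$1; cn=$2
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$cn" -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
}

# key_was_rotated <old_cert> <new_cert>: exit 0 only if the public keys differ.
key_was_rotated() {
  [ "$(pubkey_fingerprint "$1")" != "$(pubkey_fingerprint "$2")" ]
}

# Typical use (paths are placeholders):
#   regenerate_selfsigned /etc/ssl/new example.invalid
#   key_was_rotated /etc/ssl/old/server.crt /etc/ssl/new/server.crt && echo "key rotated"
```

Keep a copy of the old certificate until the rotation check passes; a deployment that re-signs the compromised key with a new certificate looks patched but is not.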

Aspera Products

Core FASP: GOOD - NOT AFFECTED

Products included in this category:

  • Aspera Connect/Enterprise Server
  • Aspera Sync
  • Aspera Client
  • Aspera Point-to-Point
  • Aspera Connect Plugin
  • Aspera Embedded Server and Client
  • Aspera Cargo

Affected Versions and Platforms:

  • Not affected

Comment: FASP is the transport protocol that all Aspera products leverage; OpenSSL is used in two areas of FASP, SSH authentication and the FASP UDP transport, and SSL/TLS is not used in either case.  OpenSSL supplies cryptographic primitives such as AES and SHA, not SSL/TLS.

The Aspera Node Service is a REST API interface.  The REST calls are secured with SSL/TLS.  The OpenSSL used to secure the REST traffic is unaffected by the Heartbleed vulnerability.

Aspera Connect Server UI: POTENTIALLY AFFECTED

Products included in this category:

  • Apache installed to support Connect Server UI

Comment: Prior to Aspera Shares, the main FTP-like web UI for Aspera transfers was the Connect Server UI bundled with Enterprise Server.  At setup/install customers were asked to install a version of Apache and configure it per given instructions.  Since this installation required customers to install their own versions of Apache, the versions in use are wide and varied.

A list of useful links for info on how to update Apache:

Please use one of the checks in How to Check and Verify above to check for exposure to Heartbleed, and patch per the Apache vendor's upgrade instructions.

Aspera Console: AFFECTED on Windows

Products included in this category:

  • Aspera Console

Affected Versions and Platforms:

  • Aspera Console on Windows 2.0.1 - 2.3.0

Resolution: Console 2.3.1 for Windows has been released to fully address the Heartbleed vulnerability, and it is advised to upgrade to this version or greater.  The linked patch can be used to fix affected versions of Console in the event an upgrade to 2.3.1 is not possible.  The steps to install the patch are:

  1. Unzip this package into a temporary directory.
  2. Log on to the server and open a cmd prompt as Administrator.
  3. Run:

       asctl apache:stop

  4. Navigate to C:\Program Files (x86)\Common Files\Aspera\Common\apache\bin
  5. Rename libeay32.dll and ssleay32.dll to libeay32.dll.old and ssleay32.dll.old
  6. Copy the two DLLs included in this zip package into C:\Program Files (x86)\Common Files\Aspera\Common\apache\bin
  7. Run:

       asctl apache:start

  8. Verify everything is running as before.

Files (MD5):

  3638b1c3f698476b48259a5101136014  libeay32.dll
  47d4fdfce4e129f2e39e36e38ae318ec  ssleay32.dll

Comment: Aspera Console is a web-based interface for collection and reporting of usage data, as well as performing other activities like ad-hoc transfer initiation.  The web interface is the only place where SSL/TLS is used.  All other secure traffic in Console is managed through SSH.

Aspera Faspex: AFFECTED on Windows

Products included in this category:

  • Aspera Faspex

Affected Versions and Platforms:

  • Aspera Faspex on Windows 3.0.3 - 3.7.5

Resolution: Faspex 3.7.7 on Windows has been released to fully address the Heartbleed vulnerability, and it is advised to upgrade to this version or greater.  The linked patch can be used to fix affected versions of Faspex in the event an upgrade to 3.7.7 is not possible.  The steps to install the patch are:

  1. Unzip this package into a temporary directory.
  2. Log on to the server and open a cmd prompt as Administrator.
  3. Run:

       asctl apache:stop

  4. Navigate to C:\Program Files (x86)\Common Files\Aspera\Common\apache\bin
  5. Rename libeay32.dll and ssleay32.dll to libeay32.dll.old and ssleay32.dll.old
  6. Copy the two DLLs included in this zip package into C:\Program Files (x86)\Common Files\Aspera\Common\apache\bin
  7. Run:

       asctl apache:start

  8. Verify everything is running as before.

Files (MD5):

  3638b1c3f698476b48259a5101136014  libeay32.dll
  47d4fdfce4e129f2e39e36e38ae318ec  ssleay32.dll

Comment: Aspera Faspex is a collaboration tool for person-to-person file delivery.  It makes use of a browser based interface and plugin.  The plugin is not affected by Heartbleed, and Linux versions of Faspex did not ship with affected OpenSSL versions.

Aspera Shares: AFFECTED

Products included in this category:

  • Aspera Shares

Affected Versions and Platforms:

  • Aspera Shares on Windows 1.0.1 - 1.7.3
  • Aspera Shares on Linux 1.7.3

Resolution (Windows):

Shares 1.7.5 on Windows has been released to fully address the Heartbleed vulnerability, and it is advised to upgrade to this version or greater.  The linked patch can be used to fix affected versions of Shares in the event an upgrade to 1.7.5 is not possible.  The steps to install the patch are:

  1. Unzip this package into a temporary directory.
  2. Stop the Nginx service (Aspera Shares Nginx).
  3. Save the original nginx.exe binary by renaming C:\Shares\nginx\nginx.exe to C:\Shares\nginx\nginx.exe.old
  4. Copy the new nginx.exe to C:\Shares\nginx
  5. Start the Nginx service (Aspera Shares Nginx).

Files (Windows, MD5):

  c6635f217e65c550d2a2930ab9256b82  nginx.exe

Resolution (Linux):

Shares 1.7.5 on Linux has been released to fully address the Heartbleed vulnerability, and it is advised to upgrade to this version or greater.  The linked patch can be used to fix affected versions of Shares in the event an upgrade to 1.7.5 is not possible.  The steps to install the patch are:

  1. Unzip this package into a temporary directory.
  2. Stop Shares:

       /etc/init.d/aspera-shares stop

  3. Save the original libssl.so.1.0.0 binary:

       cp /opt/aspera/shares/lib/libssl.so.1.0.0 /opt/aspera/shares/lib/libssl.so.1.0.0.bak

  4. Copy the new libssl.so.1.0.0 to /opt/aspera/shares/lib/
  5. Restart Shares:

       /etc/init.d/aspera-shares start

Files (Linux, MD5):

  ad6a57c8911f68058fa048698ee128aa  libssl.so.1.0.0
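The Linux procedure above and the "Patch: check MD5 sums" advice from How to Check and Verify, combined into one script as an added example. This is not Aspera's own patch tooling; it takes the library directory, the patched file, the expected MD5 published in this article and optional stop/start commands as arguments, so it can be exercised against any directory before it is pointed at /opt/aspera/shares/lib. It verifies the downloaded file before touching anything, keeps the .bak copy the procedure asks for, and re-verifies the installed copy, rolling back on a mismatch.

```sh
#!/bin/sh
# Added example: replace a shared library with a patched copy, keeping a
# backup and verifying the published MD5 before the service is restarted.
# Not Aspera's own tooling; paths and the expected MD5 come from the article.
# Usage:
#   apply_patched_lib <install_lib_dir> <new_lib_file> <expected_md5> [stop_cmd] [start_cmd]
# e.g. apply_patched_lib /opt/aspera/shares/lib ./libssl.so.1.0.0 \
#        ad6a57c8911f68058fa048698ee128aa \
#        "/etc/init.d/aspera-shares stop" "/etc/init.d/aspera-shares start"

# Print the MD5 of a file as a bare lowercase hex string. md5sum is used
# where present (Linux); otherwise fall back to the openssl CLI.
md5_of() {
  if command -v md5sum >/dev/null 2>&1; then
    md5sum "$1" | awk '{print $1}'
  else
    openssl dgst -md5 -r "$1" | awk '{print $1}'
  fi
}

# verify_md5 <file> <expected>: exit status 0 only if the sums match.
# This is the advisory's "Patch" check: a patch does not change the product
# version, so the replaced file's checksum is the only evidence it was applied.
verify_md5() {
  [ -f "$1" ] || return 1
  actual=$(md5_of "$1") || return 1
  [ "$actual" = "$(printf '%s' "$2" | tr 'A-F' 'a-f')" ]
}

apply_patched_lib() {
  libdir=$1; newlib=$2; expected=$3; stop_cmd=${4:-}; start_cmd=${5:-}
  target="$libdir/$(basename "$newlib")"

  # Refuse to install a file whose checksum does not match the advisory;
  # a wrong or corrupt download must never replace the live library.
  if ! verify_md5 "$newlib" "$expected"; then
    echo "refusing to install: $newlib does not match expected MD5 $expected" >&2
    return 1
  fi

  # Step 2 of the procedure: stop the service (if a command was given).
  if [ -n "$stop_cmd" ]; then
    sh -c "$stop_cmd" || return 1
  fi

  # Step 3: keep the original so a bad patch can be backed out.
  if [ -f "$target" ]; then
    cp -p "$target" "$target.bak" || return 1
  fi

  # Step 4: install the new library, then re-check the installed copy.
  cp "$newlib" "$target" || return 1
  if ! verify_md5 "$target" "$expected"; then
    echo "installed copy failed verification; restoring backup" >&2
    [ -f "$target.bak" ] && cp -p "$target.bak" "$target"
    return 1
  fi

  # Step 5: restart the service (if a command was given).
  if [ -n "$start_cmd" ]; then
    sh -c "$start_cmd" || return 1
  fi
  return 0
}
```

After the service is back, verify_md5 on the installed file against the published sum is the same check an auditor can repeat later, since the version string of a patched (as opposed to hotfixed) install still reads 1.7.3.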

Comment: Aspera Shares is a modern Web Application for collaborative file sharing.  It exposes a web interface, and the SSL/TLS implementation used in version 1.7.3 (Linux) and 1.0.1 to 1.7.3 (Windows) is affected.  Prior versions did not ship with an OpenSSL version that had the Heartbleed vulnerability.

Aspera Orchestrator: AFFECTED on Windows

Products included in this category:

  • Aspera Orchestrator

Affected Versions and Platforms:

  • Aspera Orchestrator on Windows - all versions installed with Console Common 2.0.1 - 2.3.0

Comment: Orchestrator makes use of the common code base of Console.  If Common 2.0.1 - 2.3.0 on Windows was used for the Orchestrator install, then Orchestrator is affected.  Use the resolution instructions for Console listed above.

Aspera Proxy: GOOD - NOT AFFECTED

Products included in this category:

  • Aspera Proxy

Affected Versions and Platforms:

  • None

Affected Product Matrix:

  Product             Affected Versions   Status           Fixed Version   Link to Patch
  Faspex (Windows)    3.0.3 - 3.7.5       Patch & Hotfix   3.7.7           http://download.asperasoft.com/patches/openssl/Faspex-Console-Windows/aspera-faspex-console-openssl-heartbleed-patch-1.zip
  Shares (Windows)    1.0.1 - 1.7.3       Patch & Hotfix   1.7.5           http://download.asperasoft.com/patches/openssl/Shares-Windows/Aspera-Shares-Windows-OpenSSL-Heartbleed-patch-1.zip
  Shares (Linux)      1.7.3               Patch & Hotfix   1.7.5           http://download.asperasoft.com/patches/openssl/Shares-Linux/Aspera-Shares-Linux-OpenSSL-Heartbleed-patch-1.zip
  Console (Windows)   2.0.1 - 2.3.0       Patch & Hotfix   2.3.1           http://download.asperasoft.com/patches/openssl/Faspex-Console-Windows/aspera-faspex-console-openssl-heartbleed-patch-1.zip

History:

  • 2014-04-09: Initial draft.
  • 2014-04-10: Formatting corrected, revised version numbers, added links to fixed releases.
  • 2014-04-11: Typographic corrections and updated note on certificate generation.
  • 2014-04-17: Updated content.