lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <534C17AE.2010309@ruckuswireless.com>
Date: Mon, 14 Apr 2014 10:15:26 -0700
From: Ruckus Product Security Team <security@...kuswireless.com>
To: "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>
Subject: RUCKUS ADVISORY ID 041414: OpenSSL 1.0.1 library's "Heart bleed"
 vulnerability - CVE-2014-0160


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

RUCKUS ADVISORY ID 041414

Customer release date: April 14, 2014
Public release date: April 14, 2014

TITLE

OpenSSL 1.0.1 library's "Heart bleed" vulnerability - CVE-2014-0160


SUMMARY

OpenSSL library is used in Ruckus products to implement various
security related features. A vulnerability has been discovered in
OpenSSL library which may allow an unauthenticated, remote attacker to
retrieve memory in chunks of 64 kilobytes from a connected client or
server.  An exploit could disclose portions of memory containing
sensitive security material such as passwords and private keys.


AFFECTED SOFTWARE VERSIONS AND DEVICES


    Device                                    Affected software
- ---------------------           ------------------
Smart Cell Gateway                      1.1.x
SmartCell Access Points               NOT AFFECTED
ZoneDirector Controllers             NOT AFFECTED
ZoneFlex  Access Points               NOT AFFECTED


Any products or services not mentioned in the table above are not affected


DETAILS

A vulnerability has been discovered in the popular OpenSSL
cryptographic software library. This weakness exists in OpenSSL's
implementation of the TLS/DTLS (transport layer security protocols)
heartbeat extension (RFC6520). This vulnerability is due to a missing
bounds check in implementation of the handling of the heartbeat
extension. When exploited, this issue may lead to leak of memory
contents from the server to the client and from the client to the
server. These memory contents could contain sensitive security
material such as passwords and private keys.


IMPACT

Ruckus devices incorporate OpenSSL library to implement various
security related features. Below is list of the affected components:

- -  Administrative HTTPS Interface (Port 8443)


CVSS v2 Base Score:5.0 (MEDIUM) (AV:N/AC:L/Au:N/C:P/I:N/A:N)


   
WORKAROUNDS

Ruckus recommends that all customers apply the appropriate patch(es)
as soon as practical.  However, in the event that a patch cannot
immediately be applied, the following suggestions might help reduce
the risk:

 - Do not expose administrative interfaces of Ruckus devices to
untrusted networks such as the Internet.

 - Use a firewall to limit traffic to/from Ruckus device's
administrative interface to trusted hosts.

 

SOLUTION

Ruckus recommends that all customers apply the appropriate patch(es)
as soon as practical.

The following software builds have the fix (any later builds will also
have the fix):


Branch            Software Build
- -------        ------------------
1.1.x            1.1.2.0.142




DISCOVERY

This vulnerability was disclosed online on various sources :

- - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
- - https://www.openssl.org/news/secadv_20140407.txt
- - http://heartbleed.com/




OBTAINING FIXED FIRMWARE

Ruckus customers can contact Ruckus support to obtain the fixed firmware

Ruckus Support contact list is at:
    https://support.ruckuswireless.com/contact-us


PUBLIC ANNOUNCEMENTS

This security advisory will be made available for public consumption
on April 14, 2014 at the following source

Ruckus Website
http://www.ruckuswireless.com/security

SecurityFocus Bugtraq
http://www.securityfocus.com/archive/1


Future updates of this advisory, if any, will be placed on Ruckus's
website, but may or may not be actively announced on mailing lists.

REVISION HISTORY

      Revision 1.0 / 14th April 2014 / Initial release


RUCKUS WIRELESS SECURITY PROCEDURES

Complete information on reporting security vulnerabilities in Ruckus
Wireless
products, obtaining assistance with security incidents is available at
      http://www.ruckuswireless.com/security
 
 
For reporting new security issues, email can be sent to
security(at)ruckuswireless.com
For sensitive information we encourage the use of PGP encryption. Our
public keys can be
found at http://www.ruckuswireless.com/security

                      
STATUS OF THIS NOTICE: Final

Although Ruckus cannot guarantee the accuracy of all statements
in this advisory, all of the facts have been checked to the best of our
ability. Ruckus does not anticipate issuing updated versions of
this advisory unless there is some material change in the facts. Should
there be a significant change in the facts, Ruckus may update this
advisory.


(c) Copyright 2014 by Ruckus Wireless
This advisory may be redistributed freely after the public release
date given at
the top of the text, provided that redistributed copies are complete and
unmodified, including all date and version information.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.18 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJTTBeuAAoJEFH6g5RLqzh1fRsIAJ9MtudIbdzR7mm/hP0i7boN
MqlHAnFWai1c99UX048I9PSwWzWuEj4/1E4jy4vQqxLG8gO0YbAQiGq4DDGErCU0
AywV+p3Xlcn0SXp0vse/qnhOT0jVOOKXPZSokmoptQXbd28ZOYtGfMJozTvPh2vf
AvGq2B5kciGVhvBc9hdHGhSla/xUr/puIOBKFtNfMuxPujJ62t8g07w2HCB51PL/
5E5MrP4540n3ONZ9+w5h/AeVfvVXsFv25VuElckq6Anzm+iqNRjcWHdync14UqPx
2kXr1E72zRYbY/Z7+QkQuL1REkka+RtGcwbo05u+aEUnPx3E9wvdCHjf6XhxcbI=
=sbsc
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ