Certain versions of the SSL and TLS cryptographic protocols allow an attacker to use a man-in-the-middle (MITM) attack to intercept and decrypt communications between affected clients and servers, in what is being called the "FREAK" (Factoring Attack on RSA-EXPORT Keys) vulnerability. A secure connection is affected when the server accepts RSA_EXPORT cipher suites and the client either offers an RSA_EXPORT suite or uses an older, unpatched version of OpenSSL. Once the encryption is broken, attackers can steal passwords and other personal information and potentially launch further attacks against the website.
NOTE: For this type of attack to succeed, both the server and the client must be running a vulnerable SSL/TLS implementation. It is estimated that the servers of under 10 percent of the top 1 million Alexa-listed domains were vulnerable to the attack. For more information, refer to the following URLs:
Symantec Connect Blog - FREAK Vulnerability
https://freakattack.com/
For more information on Mac, refer to the following URL:
http://www.washingtonpost.com/blogs/
National Vulnerability Database
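The server-side precondition above (a server that still accepts an RSA_EXPORT cipher suite) can be verified directly, which matters because current OpenSSL builds no longer offer export suites at all, so `openssl s_client -cipher EXPORT` cannot be used for the test. The following Python script is an added example, not part of this advisory or of any Symantec product: it builds a TLS 1.0 ClientHello that offers only the RSA_EXPORT suites and reports which one, if any, the server selects; the host, port and the constructed ServerHello fixture are assumptions.

```python
"""Check whether a TLS server negotiates an RSA_EXPORT suite (the FREAK server-side precondition)."""
import os
import socket
import struct

# IANA values of the RSA_EXPORT cipher suites a FREAK-vulnerable server accepts.
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

def _handshake_record(msg_type, body):
    """Wrap a handshake body in a handshake header and a TLS 1.0 record header."""
    handshake = bytes([msg_type]) + struct.pack("!I", len(body))[1:] + body  # 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def build_client_hello(suites):
    """ClientHello offering only `suites`; a correctly configured server must reject it."""
    cipher_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (b"\x03\x01" + os.urandom(32) + b"\x00"          # version, random, empty session id
            + struct.pack("!H", len(cipher_bytes)) + cipher_bytes
            + b"\x01\x00")                                  # one compression method: null
    return _handshake_record(0x01, body)

def make_server_hello(suite, session_id=b""):
    """Constructed ServerHello for offline testing (not captured from a real server)."""
    body = (b"\x03\x01" + bytes(32) + bytes([len(session_id)]) + session_id
            + struct.pack("!H", suite) + b"\x00")
    return _handshake_record(0x02, body)

def negotiated_export_suite(response):
    """Name of the RSA_EXPORT suite the server chose, or None (alert, other suite, no ServerHello)."""
    if len(response) < 46 or response[0] != 0x16 or response[5] != 0x02:
        return None
    sid_len = response[43]          # 5 record hdr + 4 handshake hdr + 2 version + 32 random
    start = 44 + sid_len
    if len(response) < start + 2:
        return None
    return RSA_EXPORT_SUITES.get(struct.unpack("!H", response[start:start + 2])[0])

def check_server(host, port=443, timeout=5.0):
    """Offer only RSA_EXPORT suites to host:port and return the suite it accepted, if any."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(RSA_EXPORT_SUITES))
        return negotiated_export_suite(sock.recv(4096))
```

A return value of None from `check_server` means the server declined every export suite; any suite name means the server side of the FREAK precondition is still present and the fixes below should be applied.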
Affected Solutions
The SSL/TLS library versions susceptible to this issue have been updated in Deployment Solution, ULM, Internet Gateway and PPA for the following releases:
1. ITMS 7.1SP2 MP1 v11
2. ITMS 7.5 HF6
3. ITMS 7.5 SP1 HF5
4. ITMS 7.6
Plan of action
The following table lists the release versions in which the fixes for the affected solution are available:
| Affected Releases | Release version in which the fixes are provided |
|---|---|
| ITMS 7.1 SP2 MP1 v11 | ITMS 7.1 SP2 MP1 v11 POINTFIX |
| ITMS 7.5 HF6 | ITMS 7.5 HF6 POINTFIX (Coming Soon) |
| ITMS 7.5 SP1 HF5 | ITMS 7.5 SP1 POINTFIX |
| ITMS 7.6 | ITMS 7.6 HF1 |
Details of updated SSL version in the ITMS release versions
Release version: ITMS 7.1SP2 MP1 v11 POINTFIX
| Component | SSL version used |
|---|---|
| Agent for UNIX, Linux and Mac | 0.9.8zf, 1.0 |
| Deployment Solution | 0.9.8zf |
| PPA/PAL | 0.9.8zf |
Release version: ITMS 7.5 HF6 POINTFIX
| Component | SSL version used |
|---|---|
| Agent for UNIX, Linux and Mac | 1.0.1m |
| Agent for Windows | 0.9.8zf |
| Deployment Solution | 0.9.8zf |
| PPA/PAL | 0.9.8zf |
Release version: ITMS 7.5 SP1 HF5 POINTFIX
| Component | SSL version used |
|---|---|
| Agent for UNIX, Linux and Mac | 1.0.1m |
| Agent for Windows | 0.9.8zf |
| Deployment Solution | 0.9.8zf |
| PPA/PAL | 0.9.8zf |
Release version: ITMS 7.6 HF1
| Component | SSL version used |
|---|---|
| Agent for UNIX, Linux and Mac | 1.0.1m |
| Agent for Windows | 1.0.1m |
| Deployment Solution | 1.0.1m |
| PPA/PAL | 1.0.1m |