
CVE-2015-0204 SSL/TLS FREAK vulnerability


Article ID: 161931


Products

Deployment Solution

Issue/Introduction

Certain versions of the SSL and TLS cryptographic protocols allow a man-in-the-middle (MITM) attacker to intercept and decrypt communications between affected clients and servers, in what is being called the "FREAK" (Factoring Attack on RSA-EXPORT Keys) vulnerability. A connection is affected when the server accepts RSA_EXPORT cipher suites and the client either offers an RSA_EXPORT suite itself or runs an older, unpatched version of OpenSSL that accepts an export-grade RSA key even though it did not ask for one (CVE-2015-0204). Export-grade RSA keys are at most 512 bits and can be factored offline; once the session key is recovered, the attacker can read the traffic, steal passwords and other personal information, and potentially launch further attacks against the website.

NOTE: For this type of attack to succeed, both sides must be affected: the server must accept RSA_EXPORT cipher suites and the client must be running a vulnerable SSL/TLS implementation. It was estimated that servers for just under 10 percent of the Alexa top 1 million domains were vulnerable to the attack. For more information, refer to the following URLs:

Symantec Connect Blog - FREAK Vulnerability
https://freakattack.com/

For more information on Mac, refer to the following URL:
http://www.washingtonpost.com/blogs/

National Vulnerability Database
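The server-side precondition described above (the server accepts an RSA_EXPORT cipher suite) can be checked directly. The following is an added example, not part of the original article or of any Symantec tooling: it builds a TLS 1.0 ClientHello that offers only the three RSA_EXPORT suites from RFC 2246, sends it to a host, and interprets the first record that comes back. A ServerHello selecting one of those suites means the server is exploitable as the server half of FREAK; a handshake_failure alert means it refused. The sample replies and the zero client random are constructed for the example; the function names are the example's own.

```python
"""Probe a TLS server for acceptance of RSA_EXPORT cipher suites (FREAK server-side precondition).
Added example; not the article's own code."""
import socket
import struct

# RSA_EXPORT cipher suites defined in RFC 2246 (TLS 1.0).
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

TLS_1_0 = b"\x03\x01"
HANDSHAKE, ALERT = 0x16, 0x15
SERVER_HELLO = 0x02
HANDSHAKE_FAILURE = 0x28


def build_client_hello(suites):
    """Return a TLS record carrying a ClientHello that offers only `suites`."""
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (
        TLS_1_0
        + b"\x00" * 32                      # client random; zeros here (constructed), use os.urandom in practice
        + b"\x00"                           # empty session id
        + struct.pack("!H", len(suite_bytes)) + suite_bytes
        + b"\x01\x00"                       # one compression method: null
    )
    handshake = bytes([0x01]) + struct.pack("!I", len(body))[1:] + body  # type 1 = ClientHello, 24-bit length
    return bytes([HANDSHAKE]) + TLS_1_0 + struct.pack("!H", len(handshake)) + handshake


def parse_server_response(data):
    """Classify the first TLS record a server sends back.
    Returns ("server_hello", suite), ("alert", description) or ("unknown", None)."""
    if len(data) < 5:
        return ("unknown", None)
    content_type = data[0]
    rec_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + rec_len]
    if content_type == ALERT and len(body) >= 2:
        return ("alert", body[1])             # body[0] is the level, body[1] the description
    if content_type == HANDSHAKE and len(body) >= 4 and body[0] == SERVER_HELLO:
        hs = body[4:]                          # skip 1-byte type + 3-byte length
        if len(hs) < 35:
            return ("unknown", None)
        sid_len = hs[34]                       # after 2-byte version + 32-byte server random
        start = 35 + sid_len
        if len(hs) < start + 2:
            return ("unknown", None)
        return ("server_hello", struct.unpack("!H", hs[start:start + 2])[0])
    return ("unknown", None)


def server_accepts_export_suite(response):
    """True only if the server selected one of the RSA_EXPORT suites we offered."""
    kind, value = parse_server_response(response)
    return kind == "server_hello" and value in RSA_EXPORT_SUITES


def probe(host, port=443, timeout=5):
    """Send the export-only ClientHello to a live server and return its first reply (network)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(list(RSA_EXPORT_SUITES)))
        return sock.recv(4096)


# Constructed sample replies so the parser can be exercised offline.
SAMPLE_SERVER_HELLO = (
    b"\x16\x03\x01\x00\x2a"         # record: handshake, TLS 1.0, 42 bytes
    + b"\x02\x00\x00\x26"          # ServerHello, 38-byte body
    + b"\x03\x01" + b"\x11" * 32   # version, server random
    + b"\x00"                       # empty session id
    + b"\x00\x03"                   # chosen suite: TLS_RSA_EXPORT_WITH_RC4_40_MD5 -> vulnerable
    + b"\x00"                       # null compression
)
SAMPLE_ALERT = b"\x15\x03\x01\x00\x02\x02\x28"  # fatal handshake_failure: export suites refused

if __name__ == "__main__":
    import sys
    reply = probe(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_SERVER_HELLO
    print("accepts RSA_EXPORT:", server_accepts_export_suite(reply))
```

Run it with a hostname to probe a live server, or without arguments to see the constructed vulnerable reply classified. A server that rejects TLS 1.0 altogether answers with a protocol_version alert rather than handshake_failure; that is not the FREAK precondition, so treat only a ServerHello naming an export suite as a positive result. The equivalent one-liner with the OpenSSL command line is `openssl s_client -connect host:443 -cipher EXPORT`, which fails to handshake against a server that does not accept export suites.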

Affected Solutions

The SSL/TLS libraries susceptible to this issue in Deployment Solution, ULM, Internet Gateway and PPA have been updated for the following releases:
1. ITMS 7.1SP2 MP1 v11
2. ITMS 7.5 HF6
3. ITMS 7.5 SP1 HF5
4. ITMS 7.6

Plan of action

The following table lists the release versions in which the fixes for the affected solutions are available:

Affected release            Release version in which the fix is provided
ITMS 7.1 SP2 MP1 v11        ITMS 7.1 SP2 MP1 v11 POINTFIX
ITMS 7.5 HF6                ITMS 7.5 HF6 POINTFIX (Coming Soon)
ITMS 7.5 SP1 HF5            ITMS 7.5 SP1 POINTFIX
ITMS 7.6                    ITMS 7.6 HF1

Details of the updated OpenSSL version used by each component in the ITMS release versions

Release version: ITMS 7.1 SP2 MP1 v11 POINTFIX

Component                          OpenSSL version used
Agent for UNIX, Linux and Mac      0.9.8zf, 1.0
Deployment Solution                0.9.8zf
PPA/PAL                            0.9.8zf

Release version: ITMS 7.5 HF6 POINTFIX

Component                          OpenSSL version used
Agent for UNIX, Linux and Mac      1.0.1m
Agent for Windows                  0.9.8zf
Deployment Solution                0.9.8zf
PPA/PAL                            0.9.8zf

Release version: ITMS 7.5 SP1 HF5 POINTFIX

Component                          OpenSSL version used
Agent for UNIX, Linux and Mac      1.0.1m
Agent for Windows                  0.9.8zf
Deployment Solution                0.9.8zf
PPA/PAL                            0.9.8zf

Release version: ITMS 7.6 HF1

Component                          OpenSSL version used
Agent for UNIX, Linux and Mac      1.0.1m
Agent for Windows                  1.0.1m
Deployment Solution                1.0.1m
PPA/PAL                            1.0.1m
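After applying a pointfix, the practical check is whether each component's bundled OpenSSL is at or past the version in the tables above. The following is an added example, not part of this article or of the ITMS product: it parses an `openssl version` string and compares it against the two fixed releases the tables list, 0.9.8zf for the 0.9.8 branch and 1.0.1m for the 1.0.1 branch. Other branches are reported as not covered rather than guessed. The sample version strings are constructed; the function names are the example's own.

```python
"""Compare an `openssl version` string against the fixed releases listed in this article.
Added example; not the article's own tooling."""
import re

# Minimum versions taken from the tables in this article; other branches are not covered here.
FIXED_BY_BRANCH = {
    (0, 9, 8): "zf",
    (1, 0, 1): "m",
}

VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Return ((major, minor, patch), letter_suffix) or None if no OpenSSL version is found.
    Trailing tags such as '-fips' and the build date are ignored."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), m.group(4)


def is_patched(text):
    """True if the version is at or after the article's fixed release for its branch,
    False if it is older, None if the branch is not one the article lists.
    OpenSSL letter suffixes sort lexicographically: '' < 'a' < ... < 'y' < 'z' < 'za' < 'zf',
    so plain string comparison gives the right order, including the 0.9.8 'z?' releases."""
    parsed = parse_openssl_version(text)
    if parsed is None:
        return None
    branch, letter = parsed
    fixed = FIXED_BY_BRANCH.get(branch)
    if fixed is None:
        return None
    return letter >= fixed


# Constructed sample outputs of `openssl version` as they might be collected from several hosts.
SAMPLES = [
    "OpenSSL 1.0.1e-fips 11 Feb 2013",   # older than 1.0.1m: not patched
    "OpenSSL 0.9.8zf 19 Mar 2015",        # exactly the fixed 0.9.8 release
    "OpenSSL 1.0.1m 19 Mar 2015",         # exactly the fixed 1.0.1 release
    "OpenSSL 0.9.8y 5 Feb 2013",          # 'y' sorts before 'zf': not patched
    "OpenSSL 1.0.2a 19 Mar 2015",         # branch not listed in this article: None
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r}: patched={is_patched(sample)}")
```

The tables list per-component versions because each component carries its own copy of the library; run the check against the OpenSSL binary or library shipped with the agent, Deployment Solution or PPA/PAL, not only against the operating system's copy.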

Resolution

Run the attached Pointfix installer for your release on your Notification Server to apply the fix. For ITMS 7.6, apply ITMS 7.6 HF1 instead.

Attachments

FREAK_Vulnerability.docx
FREAK 7.1 Sp2 mp1 v11.zip
7.5 SP1 FREAK.zip
7.5 HF6 FREAK.zip