
Response to OpenSSL SSL/TLS MITM vulnerability (CVE-2014-0224)

OpenSSL has disclosed the following vulnerability: An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server.  The attack can only be performed between a vulnerable client *and* server.  http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0224

Kaseya has reviewed our product offerings in relation to the vulnerability as follows:

Kaseya Virtual Systems Administrator (VSA)

VSA Version 7.0 Remote Control Module makes use of the affected OpenSSL versions.  No other versions or modules in the product are impacted.  Kaseya is working on a patch which will be released shortly and we will update this page with the patch information.

Affected Version - VSA 7.0 Remote Control Module with Agent 7.0.0.0 or Agent 7.0.0.1 (no other modules are affected)

Version 6.X is not affected.

Solution: For VSA 7.0, install patch 7.0.0.16 and then update your agents to version 7.0.0.3 or higher (Agent -> Upgrade Agent -> Update Agent).
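
The following is an added example, not Kaseya code: a small triage script that applies the version thresholds stated above to an agent inventory. The inventory rows, host names and the assumption that patch levels compare as dotted four-part numbers are constructed for illustration; agent 7.0.0.2 is not named in the advisory, so the script flags it for update because it is below 7.0.0.3.

```python
import re

# Thresholds taken from the advisory text above.
AFFECTED_AGENTS = {(7, 0, 0, 0), (7, 0, 0, 1)}
FIXED_AGENT = (7, 0, 0, 3)
FIXED_SERVER_PATCH = (7, 0, 0, 16)

def parse_version(text):
    """Return 'a.b.c.d' as a tuple of ints, or None if malformed."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){3}", text):
        return None
    return tuple(int(part) for part in text.split("."))

def classify_agent(version_text):
    """Map an agent version string to a state from the advisory."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"        # cannot decide; needs manual review
    if v < (7, 0, 0, 0):
        return "not_affected"   # advisory: only VSA 7.0 is impacted
    if v in AFFECTED_AGENTS:
        return "affected"
    if v >= FIXED_AGENT:
        return "fixed"
    return "unlisted"           # assumption: below the fix, so update

def triage(server_patch, agents):
    """Group (host, version) rows into update / ok / review buckets."""
    server = parse_version(server_patch)
    report = {
        # An unparseable patch level is conservatively treated as unpatched.
        "server_needs_patch": server is None
        or (7, 0, 0, 0) <= server < FIXED_SERVER_PATCH,
        "update": [], "ok": [], "review": [],
    }
    buckets = {"affected": "update", "unlisted": "update",
               "fixed": "ok", "not_affected": "ok"}
    for host, version_text in agents:
        state = classify_agent(version_text)
        report[buckets.get(state, "review")].append((host, state))
    return report

# Constructed sample inventory (hypothetical host names).
SAMPLE_AGENTS = [("ws-01", "7.0.0.1"), ("ws-02", "7.0.0.2"),
                 ("ws-03", "7.0.0.3"), ("srv-legacy", "6.5.0.0"),
                 ("kiosk-07", "7.0.0")]

if __name__ == "__main__":
    for key, value in triage("7.0.0.12", SAMPLE_AGENTS).items():
        print(key, value)
```

Following the order in the Solution line, clear "server_needs_patch" first, then work through the "update" bucket.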

Kaseya Traverse

This product does not make use of the affected OpenSSL versions/protocols described in vulnerability CVE-2014-0224.

Kaseya Network Monitor (KNM)

This product does not make use of the affected OpenSSL versions/protocols described in vulnerability CVE-2014-0224.

Kaseya 365 Command

This product does not make use of the affected OpenSSL versions/protocols described in vulnerability CVE-2014-0224.

Kaseya BYOD Suite

The Android operating system version 4.1.1 uses OpenSSL. Kaseya’s app makes use of this function in the underlying Android operating system; however, Kaseya provides an additional layer of encryption, so this vulnerability could not be exploited to compromise customer data.

Updates to the Android operating system are provided by the phone manufacturer or carrier. If you are running Android 4.1.1, we recommend contacting the phone manufacturer or carrier. However, as mentioned above, Kaseya’s additional layer of encryption mitigates this issue so that it cannot be exploited to compromise customer data.

Other components or versions of the Kaseya BYOD Suite are not affected.

 
