Over Two Dozen VMware Products Affected by Heartbleed

VMware promises to patch products affected by Heartbleed by April 19

VMware says that more than two dozen of its products are affected by the recently disclosed OpenSSL vulnerability dubbed Heartbleed. The company plans to release updates and patches for the impacted products by April 19.

The list of VMware products shipped with OpenSSL 1.0.1, which contains the Heartbleed bug, includes ESXi 5.5, NSX-MH 4.x, NSX-V 6.0.x, NVP 3.x, vCenter Server 5.5, vFabric Web Server 5.0.x – 5.3.x, VMware Fusion 6.0.x, VMware OVF Tool 3.5.0.

Several VMware Horizon View, VMware Horizon Workspace and VMware vCloud versions are also affected.

“The VMware Security and Engineering teams are working on remediation for the VMware products that have been impacted. VMware is acutely aware of the seriousness of the Heartbleed vulnerability, and all available resources are being directed toward a resolution amidst this industry-wide situation,” the company noted in its advisory.

Heartbleed is causing problems for many major companies. Last week, Akamai released a patch that was designed to protect organizations against potential attacks. However, experts shortly discovered that the patch was not completely efficient.

“In short: we had a bug. An RSA key has 6 critical values; our code would only attempt to protect 3 parts of the secret key, but does not protect 3 others. In particular, we only try to protect d, p, and q, but not d mod (p-1), d mod (q-1), or q^{-1} mod p,” explained Akamai Chief Security Officer Andy Ellis.

“These intermediate extra values (the Chinese Remainder Theorem, or CRT, values) are calculated at key-generation time as a performance improvement,” Ellis added.

“As the CRT values were not stored in the secure memory area, the possibility exists that these critical values for the SSL keys could have been exposed to an adversary exploiting the Heartbleed vulnerability. Given any CRT value, it is possible to calculate all 6 critical values.”

Akamai has started rotating all SSL certificates to make sure that the company’s customers are protected.

In the meantime, Trend Micro has analyzed the impact of Heartbleed on the Deep Web. Experts say that many Tor hidden services are affected by the OpenSSL vulnerability, so their customers are just as concerned about the integrity of their data as regular Internet users.

“You can rest assured that law enforcement will be scanning potential ecosystems that are potential anonymous criminal networks. This will be an attempt to discern if they might be able shine a bright lens on communities thought to be untraceable but now equally vulnerable due to this pervasive bug in OpenSSL,” noted Trend Micro’s JD Sherry.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s