
Heartbleed Remediation

Dear Customer,
Researchers have found a critical defect in versions 1.0.1 and 1.0.2-beta of OpenSSL, the cryptographic software library. For information on the vulnerability known as the "Heartbleed bug," see CVE-2014-0160 on the NIST website and heartbleed.com. Below is the status of Dell products. Dell is still investigating this issue and will continue to update this advisory as new information becomes available.

Dell SonicWALL Firewalls and Email Security Are Not Affected
Dell SonicWALL firewalls (TZ, NSA, E-Class NSA, SuperMassive) and Email Security are NOT affected by the vulnerability. Additionally, firewalls with an active Intrusion Prevention Service have, as of April 8th, 2014, signatures to protect vulnerable servers against the vulnerability, including Secure Remote Access (SRA) products sitting behind the firewalls.

Dell SonicWALL SMB Secure Remote Access
SMB SRA Server Side Firmware:
  • 7.0.0.10-26sv and all previous 7.0 versions
  • 7.5.0.3-19sv and all previous 7.5 versions
Impact: Versions above are affected and should be patched immediately.
Recommended Action:
  • Upgrade 7.0 to 7.0.0.11-27sv
  • Upgrade 7.5 to 7.5.0.4-21sv

E-Class SRA Server Software (Aventail):
  • Software version 10.6.4
  • Software versions 10.7.0 and 10.7.1
Impact: Versions above are affected and should be patched immediately.
Recommended Action:
  • Apply Hotfix 10.6.4-345
  • Apply Hotfix 10.7.0-582
  • Apply Hotfix 10.7.1-271

Global Management System (GMS) and Analyzer 7.2 on a Windows platform only
Impact: Version above is affected and should be patched immediately.
Recommended Action: Apply Hotfix 144490 to GMS 7.2 Windows and Analyzer 7.2 Windows systems using the procedure in the hotfix Release Note posted on MySonicWALL.com.

Dell KACE K3000 Mobile Device Management Appliance
Recommended Action: Patch is now available here: http://www.kace.com/support/resources/kb/solutiondetail?sol=SOL122931.

APM appliances
Impact: APM appliances use OpenSSL versions where the Heartbleed vulnerability is present.
Recommended Action: APM appliances rely on Java (Tomcat) for all SSL communications. Since Tomcat and OpenSSH are unaffected by the Heartbleed vulnerability, no emergency hotfix is planned.

FxM appliances
Impact: FxM uses Apache and OpenSSL version 1.0.1f, which is impacted by the Heartbleed vulnerability. FxM versions prior to 5.6.5 would be unaffected.
Recommended Action: FXM-559 emergency hotfixes are available:
  • version 5.6.5: https://support.software.dell.com/foglight-experience-monitor/kb/123141
  • version 5.6.6: https://support.software.dell.com/foglight-experience-monitor/kb/123142

Dell One Identity Manager
Product: Data Governance Edition Classification Module
Impact: The above software is impacted.
Recommended Action: Download and install the 4/17/2014 release of Q1IM Data Governance Edition – Classification Module 6.1.2 available at: https://support.software.dell.com/identity-manager-data-governance-edition/download-new-releases
All other Dell One Identity products are unaffected.

Dell Cloud Manager
All Dell Cloud Manager systems have been patched, and we have very limited reason to believe that any of our data has been compromised. As a precaution, it is safer to proactively change your password.

PowerEdge M1000e
For the PowerEdge M1000e modular server chassis, please see the table in the Dell Networking Products section to confirm the status of your specific networking IO modules.

Dell OpenManage Product Portfolio
Dell OpenManage Essentials 1.3 is affected; hotfix is available here: http://www.dell.com/support/drivers//us/en/555/driverdetails?driverid=17HHV

Dell Networking Products
Platform | Vulnerable | Affected Releases | Workaround Available
S4810 | Yes | E9.1.0.x, E9.2.0.x, E9.3.0.0 | E9.3(0.1) and E9.4(0.0P1) software releases include the fix and are available for download on the support pages.
S4820 | Yes | E9.1.0.x, E9.2.0.x, E9.3.0.0 | E9.3(0.1) and E9.4(0.0P1) software releases include the fix and are available for download on the support pages.
S5000 | Yes | E9.1.1.0 | Yes (see FTOS section)
S6000 | Yes | E9.3.0.0 | Yes (see FTOS section)
IOM (MXL) | Yes | E9.2.0.x, E9.3.0.0 | Yes (see FTOS section)
Z9000 | Yes | E9.1.0.x, E9.2.0.x, E9.3.0.0 | Yes (see FTOS section)
Z9500 | Yes |  | Software fix will be released shortly.
W-Series | Yes | ArubaOS 6.3.x, 6.4.x | Yes (see W-series section)
W-ClearPass | Yes | W-CPPM 6.1.2, 6.1.4, 6.2.1, 6.2.3, 6.2.4, 6.2.5, 6.3.0 | Yes (see W-series section)

Dell Networking OS (FTOS) Vulnerability Details and Solutions
Dell Networking Operating System (FTOS) software version E9.1.0.0 and later releases use OpenSSL version 1.0.1c and are vulnerable only when certain features are used/enabled. The following table provides details on susceptible features, affected releases, and available workarounds.
Feature: Bare Metal Provisioning (BMP)
Version: FTOS 9.1 – FTOS 9.3
Vulnerability: BMP provides zero-touch provisioning and allows the switch to download an FTOS image and/or configuration file from a remote server. When enabled, the BMP feature is activated only during switch bootup and uses OpenSSL if users configure HTTPS as the file transfer server in the configuration of the remote DHCP server.
Workaround: Disable BMP (reload-type normal-reload), or change the file-transfer server to FTP or TFTP in the configuration of the remote DHCP server.
Solution
Dell Networking is diligently working to resolve the defect and release appropriate software patches for affected products. This advisory will be updated with fixed version details as new software releases for other platforms are made available to customers.

W-Series ArubaOS and W-ClearPass Vulnerability Details and Solutions
Impact
OpenSSL is used in a variety of ways in W-Series products, including:
  • HTTPS communications via the Administrative Web GUI
  • HTTPS communications via Captive Portals
  • Secure RADIUS communication
  • Secure communication with some third party APIs
CVSS v2 Base Score: 5.0 (MEDIUM) (AV:N/AC:L/Au:N/C:P/I:N/A:N)

Mitigation

As always, Dell recommends that best security practices are followed, including reduction of possible attack surface areas by use of access control methods such as network-level ACLs to restrict access. However, given the ubiquitous use of OpenSSL, this may not completely protect your infrastructure.

Solution
Dell has published patch releases for the affected W-Series products at: http://download.dell-pcw.com/. We highly recommend that all customers upgrade to these versions immediately.
  • W-Series ArubaOS 6.3.1.5
  • W-Series ArubaOS 6.4.0.3
  • W-ClearPass 6.1.4 OpenSSL fix Point Patch
  • W-ClearPass 6.2.6 Cumulative Patch
  • W-ClearPass 6.3.0 OpenSSL fix Point Patch
Given that there is a chance that key material may already have been compromised, we further advise customers to consider replacing their certificates after the upgrade is completed.


Dell Storage Products

Storage Family: EqualLogic PS Series
Product: Storage Arrays listed below running Firmware Version 7.0 are affected:
  • PS4000, PS-M4110
  • PS5000, PS5500E
  • PS6000, PS6010
  • PS6500, PS6510
  • PS4100, PS4110
  • PS6100, PS6110
  • PS6210
OpenSSL Version: 1.0.1e
Recommended Action: Version 7.0.4 was released on April 23 and is available on the EQL web site: https://eqlsupport.dell.com.

Storage Family: Dell Compellent Series 40 Controller
Product: Storage Center Firmware Versions 6.3.1, 6.3.2, 6.3.10, 6.4.1, 6.4.2, 6.4.3, 6.4.4 affected the following products:
  • Dell/Compellent 3.5" 6Gb SAS Enclosure (EBOD)
  • Dell/Compellent 2.5" 6Gb SAS Enclosure (EBOD)
  • Dell/Compellent 3.5" 3Gb SAS Enclosure (EBOD)
  • Dell/Compellent 3.5" 4Gb FC Enclosure (SBOD)
  • SC200 Expansion Enclosure
  • SC220 Expansion Enclosure
  • SC280 Dense Enclosure
  • Dell Compellent Flash-Optimized Solutions
OpenSSL Version: 1.0.1c and 1.0.1d
Recommended Action: Storage Center Version 6.3.11 was released on April 22. The fix for Storage Center Version 6.4 is targeted for 5/13.

Storage Family: Dell Compellent SC8000 Storage Center Controller
Product: Storage Center Firmware Versions 6.3.1, 6.3.2, 6.3.10, 6.4.1, 6.4.2, 6.4.3, 6.4.4 affected the following products:
  • SC200 Expansion Enclosure
  • SC220 Expansion Enclosure
  • SC280 Dense Enclosure
  • Dell Compellent Flash-Optimized Solutions
  • Dell/Compellent 3.5" 6Gb SAS Enclosure (EBOD)
  • Dell/Compellent 2.5" 6Gb SAS Enclosure (EBOD)
  • Dell/Compellent 3.5" 3Gb SAS Enclosure (EBOD)
  • Dell/Compellent 3.5" 4Gb SAS Enclosure (EBOD)
OpenSSL Version: 1.0.1c and 1.0.1d
Recommended Action: Storage Center Version 6.3.11 was released on April 22. The fix for Storage Center Version 6.4 is targeted for 5/13.

Storage Family: Data Protection
Product: ML6000
OpenSSL Version: 1.0.1e
Recommended Action: Updated firmware with fix available on support.dell.com.

Storage Family: PowerVault MD Series Arrays
Product: Dell PowerVault MD SMI-S provider
OpenSSL Version: 1.0.1c
Recommended Action: A patch to update the OpenSSL version is available here: http://downloads.delltechcenter.com/PowerVault/MD/Dell_PV_MD_SMI-S_Heartbleed_Patch.zip


Operating Systems

Product: VMware ESXi 5.5 / VMware vCenter Server 5.5
OpenSSL Version: 1.0.1
Comments: Patches are available and can be downloaded here:
  • http://kb.vmware.com/kb/2076225
  • http://kb.vmware.com/kb/2076353
  • http://www.vmware.com/security/advisories/VMSA-2014-0004.html

Product: Red Hat Enterprise Linux 6.5
OpenSSL Version: 1.0.1e-15.el6
Comments: Patches are available and can be downloaded here: https://access.redhat.com/site/solutions/781793.

Note: Although our products are not directly vulnerable due to non-SSL usage, for general hygiene customers should update their OS to safeguard against this vulnerability.


Dell Printers and Printer Solutions

Product:
  • Dell B2360DN
  • Dell B3460DN
  • Dell B5460DN
  • Dell B3465DNF
  • Dell B5465DNF
OpenSSL version: 1.0.1 through 1.0.1f

Product: Dell Document Hub
Recommended Action: AWS's Elastic Load Balancing (ELB) uses OpenSSL and was affected. This has been fixed by Amazon: http://aws.amazon.com/security/security-bulletins/aws-services-updated-to-address-openssl-vulnerability/.


Additional Affected Products

Product: Boomi Administrative and Supporting sites
OpenSSL Version: 1.0.1e
Comments: Patches have been applied and certificates reissued.

Product: vRanger 7.0
OpenSSL Version: 1.0.1 and 1.0.1f
Comments: Update to 7.0.1 or apply patch.

Product: Dell Data Protection | Encryption - Remote Management Console Virtual Edition
OpenSSL Version: 1.0.1

Product: vPro
OpenSSL Version: TBD

Product: Host-based Software MD SMI-S Provider
OpenSSL Version: 1.0.1c


More Information
Due to the impact of the OpenSSL vulnerability, products with affected versions can expose user passwords and private keys. Customers may consider resetting passwords and changing keys after patching.
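The version statements throughout this advisory (1.0.1 through 1.0.1f and 1.0.2-beta affected, plus distribution-style strings such as 1.0.1e-15.el6) are what an administrator has to triage across an estate before deciding where to patch and then where to rotate keys and passwords. The Python script below is an added example and is not part of Dell's advisory: it parses OpenSSL version strings as reported by `openssl version`, classifies them against the affected range (1.0.1g is the upstream release that removed the defect), and flags vendor-suffixed builds for a package-level check, because a distribution that backports the fix does not bump the upstream version letter. The hostnames and inventory are constructed sample data.

```python
"""Triage OpenSSL version strings for Heartbleed (CVE-2014-0160) exposure.

Added example for estate-wide inventory triage; not part of the Dell advisory.
Affected range follows the advisory (1.0.1 through 1.0.1f, 1.0.2-beta);
1.0.1g is the upstream release that fixed the defect.
"""
import re
from enum import Enum


class Status(Enum):
    AFFECTED = "affected"
    NOT_AFFECTED = "not affected"
    CHECK_VENDOR = "upstream version affected; check vendor/distro patch level"


# Upstream strings look like 1.0.1e, 1.0.1, 1.0.2-beta1, 0.9.8y.
# Vendor builds append a release tag, e.g. 1.0.1e-15.el6 or 1.0.1e-fips,
# and keep that upstream string even after the fix is backported.
_VERSION_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)"
    r"(?P<letter>[a-z]?)"
    r"(?:-(?P<pre>beta\d*|pre\d*))?"
    r"(?:-(?P<distro>[0-9A-Za-z_.+~]+))?$"
)


def parse_openssl_version(text):
    """Return the version fields from a bare version or 'openssl version' output."""
    tokens = text.strip().split()
    if tokens and tokens[0].lower() == "openssl":
        tokens = tokens[1:]           # drop the leading product name
    if not tokens:
        raise ValueError("no version in %r" % text)
    m = _VERSION_RE.match(tokens[0])
    if not m:
        raise ValueError("unrecognised OpenSSL version %r" % tokens[0])
    return m.groupdict()


def classify(text):
    """Classify one reported version string against the Heartbleed range."""
    v = parse_openssl_version(text)
    base = (int(v["major"]), int(v["minor"]), int(v["patch"]))
    letter = v["letter"] or ""
    pre = v["pre"] or ""
    if base == (1, 0, 1):
        # '' (plain 1.0.1) and a..f are affected; g and later carry the fix
        upstream_affected = letter <= "f"
    elif base == (1, 0, 2):
        # the advisory lists 1.0.2-beta as affected; 1.0.2 final is not
        upstream_affected = pre.startswith("beta")
    else:
        upstream_affected = False     # 0.9.8 and 1.0.0 never had the heartbeat bug
    if not upstream_affected:
        return Status.NOT_AFFECTED
    if v["distro"]:
        # cannot tell from the string alone whether the vendor backported the fix
        return Status.CHECK_VENDOR
    return Status.AFFECTED


# Constructed sample inventory (hostname -> 'openssl version' output); not real hosts.
SAMPLE_INVENTORY = {
    "web-01": "OpenSSL 1.0.1e 11 Feb 2013",
    "web-02": "OpenSSL 1.0.1g 7 Apr 2014",
    "rhel-app-01": "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "legacy-db": "OpenSSL 0.9.8y 5 Feb 2013",
    "lab-box": "OpenSSL 1.0.2-beta1 24 Feb 2014",
}


def triage(inventory):
    """Group hosts by status; AFFECTED and CHECK_VENDOR hosts are the
    candidates for patching followed by key and password rotation."""
    groups = {s: [] for s in Status}
    for host, reported in sorted(inventory.items()):
        groups[classify(reported)].append(host)
    return groups


if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print("%-60s %s" % (status.value, ", ".join(hosts) or "-"))
```

Hosts in the CHECK_VENDOR group need the package manager's changelog or advisory reference consulted rather than the version string; hosts in the AFFECTED group are the ones for which the key and password rotation described above applies once the patch is in place.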

Dell Products Not Affected
Dell does not consider CVE-2014-0160 to be a security vulnerability for the following products:
iDRAC6 & earlier
iDRAC7
Dell Chassis Management Controller CMC 3.2 & earlier
Dell Chassis Management Controller CMC 4.5 & later
Dell OpenManage Power Center (OMPC)
OpenManage Integration for VMware vCenter
Dell License Manager
Dell Management Console
Dell OpenManage Essentials version 1.2 or prior
Dell Connectors for CA/IBM/HP
Dell Plug-in for Oracle Enterprise Manager
Dell OpenManage Mobile (OMM)
Dell LifeCycle Controller
Tejas (DLCI for SCVMM)
Dell Open Manage Server Administrator (OMSA)
DTK
SBUU
Dell Repository Manager
ESXi 5.1 Update 2
Red Hat Enterprise Linux 5.9
SUSE Linux Enterprise Server 11 SP3
FluidCache
Micron SSD
Samsung SSD
Fusion I/O SSD
Software RAID (S1xx & S3xx series)
PERC MSM
PERC SNMP
PERC SMIS
PERC SL/SLIR
PERC StoreCli
PERC MegaCli
Intel, Broadcom, Emulex, Brocade, Qlogic, Mellanox — NDC & NICs in all PowerEdge Servers (racks + blades)
IOMs (Network Switches & IOA) in PowerEdge M1000e Chassis -- All except IOM (MXL) [Applies only to Blades]
Scalent (AIM)
VIS Creator
HIT/ME 4.7 EPA
HIT/ME 4.5
HIT/ME 4.0
HIT / Linux
VMware ESX MPIO
Phone Home
FluidFS (FS8600, 7600, 7610, 7500)
NX3600, 3610, 3500
SAN Headquarters (SAN HQ)
Dell OpenManage
  • Dell Open Manage Server Administrator [OMSA]
  • Dell Chassis Management Controller (CMC)
  • Dell LifeCycle Controller
  • Dell OpenManage Integration for VMware vCenter
  • Dell Repository Manager
  • Dell OpenManage Power Center
  • Dell Connectors for CA/IBM/HP
  • Dell License Manager
  • Dell Management Console
  • Dell OpenManage Mobile
  • Dell OpenManage Essentials version 1.2 or prior
  • Dell Plug-in for Oracle Enterprise Manager
Series 10 Controller
  • EN-FC2X16 : Compellent 16 bay W/FC Interface
  • EN-SA2X16 : Compellent Enclosure, SATA, 2Gb, 16 bay
  • Version 5.x
Series 20 Controller
  • EN-FC2X16 : Compellent 16 bay W/FC Interface
  • EN-SA2X16 : Compellent Enclosure, SATA, 2Gb, 16 bay
  • EN-SB4X16 : Dell/Compellent 3.5" 4Gb FC Enclosure (SBOD)
  • Version 5.x
Series 30 Controller
  • EN-FC2X16 : Compellent 16 bay W/FC Interface
  • EN-SA2X16 : Compellent Enclosure, SATA, 2Gb, 16 bay
  • EN-SB4X16 : Dell/Compellent 3.5" 4Gb FC Enclosure (SBOD)
  • EN-SAS3-1235 : Dell/Compellent 3.5" 3Gb SAS Enclosure (EBOD)
  • EN-SAS6-1235 : Dell/Compellent 3.5" 6Gb SAS Enclosure (EBOD)
  • Version 5.x
Series 40 controller
  • Dell/Compellent 3.5" 6Gb SAS Enclosure (EBOD)
  • Dell/Compellent 2.5" 6Gb SAS Enclosure (EBOD)
  • Dell/Compellent 3.5" 3Gb SAS Enclosure (EBOD)
  • Dell/Compellent 3.5" 4Gb FC Enclosure (SBOD)
  • SC200 Expansion Enclosure
  • SC220 Expansion Enclosure
  • Versions 5.x, 6.0, 6.1, 6.2
Dell Compellent SC8000 Storage Center Controller
  • SC200 Expansion Enclosure
  • SC220 Expansion Enclosure
  • SC280 Dense Enclosure
  • Dell Compellent Flash-Optimized Solutions
  • Dell/Compellent 3.5" 6Gb SAS Enclosure (EBOD)
  • Dell/Compellent 2.5" 6Gb SAS Enclosure (EBOD)
  • Dell/Compellent 3.5" 3Gb SAS Enclosure (EBOD)
  • Dell/Compellent 3.5" 4Gb SAS Enclosure (EBOD)
  • Versions 6.0, 6.1, 6.2
Compellent Replay Manager
Compellent vSphere Native Client Plugin
Compellent Solution Pack for vCenter Operations Manager (vCOPS)
Compellent PowerShell Cmd-Set
Compellent Enterprise Manager (Data Collector, Client and Server agent)
Commvault Simpana
CompCU
vSphere Web Client Plugin
SCOM Management Pack v2 and v3
Microsoft System Center Virtual Machine Manager (Used in SMI-S API)
VMware ASA
VMware VAAI Plugin
VMware Site Recovery Manager Site Replication Adapter SRA
MPIO – Windows
MPIO – AIX
Citrix Storage Link
124T
TL2000/TL4000
EKM 3.0
LTO5 service port - int/ext/114
LTO6 service port - int/ext/114X
LTO4 - int/ext/114X
RD1000
PowerVault JBODs (MD12xx, MD3060e)
PowerVault DL/DR products - AppAssure based
Windows server storage based products (NXxxxx)
S25
S50
S55
S60
IOA
C-Series
E-Series
PCM6220
PCM6348
PCM8024
PCM8024K
PC28xx
PC35xx
PC55xx
PC62xx
PC70xx
PC8024
PC80xx
PC8100
N20xx
N30xx
N40xx
OMNM
Active Fabric Manager (AFM)
Active Fabric Controller (AFC)
Brocade OEM Series
Cisco Nexus B22DELL Blade Fabric Extender
Cisco CBS 3032/3030/3130 For Dell
Quest Identity Manager
Quest ActiveRoles Server
Quest Quick Connect
Quest Password Manager
Quest Privileged Password Manager
Quest Privileged Session Manager
Quest Defender
Quest Privileged Access Suite for Unix (Authentication Services, Privileged Manager for Unix, Privileged Manager for Sudo)
Quest Cloud Access Manager
Quest Enterprise Single Sign-on
Quest Webthority
Quest Foglight FMS
Quest APM appliances
Quest Foglight FxV
Boomi Production sites
All AppAssure
NetVault
DR Appliance
DL Appliance
LiteSpeed
Dell PowerEdge Servers
Dell PowerEdge VRTX
Dell PowerEdge C Servers
Dell PowerEdge Data Center Solution Servers
All StatSoft
Toad Oracle
Toad SQL
SharePlex
Toad Intelligence Manager
DR4000
Dell Data Protection | Encryption Products:
  • DDP | Enterprise Edition
  • DDP | Personal Edition
  • DDP | Bitlocker Manager
  • DDP | Cloud Edition
  • DDP | Mobile Edition
  • DDP | External Media Edition
  • DDP | Server
  • DDP | Enterprise Server - Virtual Edition
Dell Data Protection | Encryption - Security Tools
Dell Data Protection | Encryption - Protected Workspace
Dell Client System Management tools
Wyse WTOS, Xenith
Wyse Suse Linux
Wyse Ubuntu Linux
Wyse WES family
Wyse P Class (PCOIP)
Wyse CloudConnect (Android OS)
Wyse WTOS Agent
Wyse SUSE Agent
Wyse Ubuntu Agent
Wyse WES Agent
Wyse Merlin Imaging
Wyse Remote Repository
Wyse Server
Wyse Client
Wyse On-premise gateway
Wyse Android Agent
Wyse IOS
Wyse SDK (Workspace, PocketCloud)
Wyse WTOS
KACE 1000
KACE 2000
FileUpload Services
DSET - Windows
DSET - Linux
Lasso Services
SupportAssist - OME
SupportAssist - SCOM
SupportAssist - Server
APIs - eAPIs
TechDirect
FileUpload Portal Services
All SecureWorks
MD3000/i, MD32xx, MD36xx, MD34xx, MD38xx, MD39xx, MD3060e MD Array I/O Ports
Host-based Software MD Storage Manager (MD3000/MD3000i)
Host-based Software MD Storage Manager (MD32xx/MD34xx/MD36xx/MD38xx)
Host-based Software SMCli.exe
Host-based Software MD Configuration Utility
Host-based Software MD Storage HW VDS/VSS Provider
Host-based Software SMAgent Windows Service
Host-based Software SMrepassist.exe
Host-based Software VMware vCenter Plug-in for MD Series Storage Arrays
Host-based Software Dell MD Storage Array VMware vStorage APIs for Storage Awareness Provider
Host-based Software Dell MD-Series Storage Array Storage Replication Adapter
Client BIOS
Dell MessageOne Products:
  • EMS Continuity
  • EMS Archive
  • EMS Security
  • AlertFind
Crowbar


Operating Systems Not Affected
Dell does not consider CVE-2014-0160 to be a security vulnerability for the following operating systems:
ESXi 5.1 Update 2
Red Hat Enterprise Linux 5.9
SUSE Linux Enterprise Server 11 SP3
Windows Server 2003 and 2003R2
Windows Server 2008
Windows Server 2008 R2
Windows Server 2012
Windows Server 2012 R2