August 21st, 2014 15:00

Hello

Would someone please send me the fix for this vulnerability?

There is no vulnerability to fix. Whatever auditing/scanning software you are using is incorrectly reporting these vulnerabilities.

I have read in Dell Response to Latest OpenSSL Security Advisory [05 Jun 2014] that iDRAC6 is not vulnerable but Dell is working on a fix so this vulnerability will not be triggered by any scanner. Is this true?

Yes, it is correct that we are working to implement a firmware update to stop vulnerability scanners from incorrectly reporting these vulnerabilities.

I'm currently in the process of upgrading from firmware 1.54 to 1.97. Does firmware 1.97 build 2 have the fix?

No, the fix to stop the erroneous vulnerabilities from being reported by scanning software has not been released yet. I would suggest that you sign up for email updates for whatever product you are looking for updates on.

Thanks

September 25th, 2014 10:00

iDRAC version 6 is running OpenSSL version 1.0.0j, which is vulnerable to CVE-2014-0224.

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the "CCS Injection" vulnerability.
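An added example, not from this thread, from Dell or from the scanner vendor: it shows the version-range reasoning a banner-based scanner applies to the CVE-2014-0224 description above (OpenSSL's letter-suffixed release numbering, where "0.9.8za" sorts after "0.9.8z"), and a triage step for the situation the thread describes, where the banner is in range but the vendor states the device is not vulnerable because the fix was backported. The function names, the triage labels and the sample banners are constructed for the example; only the `re` standard-library module is used.

```python
import re

# Fixed versions per branch, taken from the CVE-2014-0224 description quoted
# above: 0.9.8 fixed in 0.9.8za, 1.0.0 fixed in 1.0.0m, 1.0.1 fixed in 1.0.1h.
CCS_INJECTION_FIRST_FIXED = {
    (0, 9, 8): "0.9.8za",
    (1, 0, 0): "1.0.0m",
    (1, 0, 1): "1.0.1h",
}

# OpenSSL release strings of that era: MAJOR.MINOR.FIX plus an optional
# letter suffix ("1.0.0j", "0.9.8za"); a bare "1.0.0" precedes "1.0.0a".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")


def parse_openssl_version(text):
    """Turn '1.0.0j' into a sortable tuple.

    The letter suffix is ordered first by length, then lexically, so that
    '' < 'a' < ... < 'z' < 'za' < 'zb', matching how OpenSSL numbered
    patch releases beyond 'z'.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("not an OpenSSL version string: %r" % text)
    major, minor, fix = (int(m.group(i)) for i in (1, 2, 3))
    letters = m.group(4)
    return (major, minor, fix, len(letters), letters)


def banner_suggests_ccs_injection(version_text):
    """True if the advertised version falls inside an affected range.

    This is the same reasoning a banner-based scanner applies: it knows only
    the version string, not whether the vendor backported the fix.
    """
    version = parse_openssl_version(version_text)
    branch = version[:3]
    first_fixed = CCS_INJECTION_FIRST_FIXED.get(branch)
    if first_fixed is None:
        return False  # branch not named in the advisory (e.g. 1.0.2 and later)
    return version < parse_openssl_version(first_fixed)


def triage_scanner_finding(version_text, vendor_states_not_vulnerable):
    """Combine the banner check with the vendor's published position.

    Returns 'not-affected', 'likely-vulnerable' or 'verify-with-vendor-patch'.
    A banner inside the affected range is evidence, not proof: when the vendor
    states the device is not vulnerable, record the finding as disputed and
    close it once the vendor's banner-correcting firmware ships.
    """
    if not banner_suggests_ccs_injection(version_text):
        return "not-affected"
    if vendor_states_not_vulnerable:
        return "verify-with-vendor-patch"
    return "likely-vulnerable"


if __name__ == "__main__":
    # Constructed sample: the iDRAC6 banner from the thread plus a few others.
    samples = [("1.0.0j", True), ("1.0.1g", False),
               ("1.0.1h", False), ("0.9.8za", False)]
    for banner, vendor_ok in samples:
        print(banner, triage_scanner_finding(banner, vendor_ok))
```

The check reproduces what the scanner sees: 1.0.0j sorts before 1.0.0m, so the banner alone lands in the affected range, which is exactly why the report appears even when the vendor has backported the fix. The triage label keeps that distinction visible in the ticket instead of silently suppressing the finding.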
