CVE-2014-0160 and IronMail

Will McAfee release a statement as to whether IronMail (MEG) 6.7.2 is vulnerable to "Heartbleed" OpenSSL vulnerability?

(IronMail is EOL and unsupported as of 3/31/14.)

Re: CVE-2014-0160 and IronMail

I am still waiting on McAfee to give some info regarding 7.5.x

I have done some initial testing of 6.7.2 HF4+ and they appear to NOT be vulnerable thus far. It looks like the openssl implementation is older, and thus doesn't present extension 15.

Run the following from an external machine.

openssl s_client -connect smtp-server.domain.x:443 -tlsextdebug | grep 'heartbeat'

openssl s_client -connect secure-web-mail.domain.x:25 -starttls smtp -tlsextdebug | grep 'heartbeat'

doesn't show that openssl has extended extensions (meaning openssl is too old).

On versions that support the extension (and thus need additional checking to see if vulnerable), it shows as:

TLS server extension "heartbeat" (id=15), len=1
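The check the reply above relies on, written out as an added example (not code from the thread or from McAfee): parse the ServerHello a server returns and report whether it advertised the TLS "heartbeat" extension (id=15). No extensions block at all is what an old OpenSSL such as 0.9.8 sends, which is the "not vulnerable" case; the extension being present only means the server needs further checking, exactly as the post says. The two ServerHello records are constructed inline so the script runs offline.

```python
import struct
from typing import List, Optional

HEARTBEAT_EXT_ID = 0x000F  # TLS extension "heartbeat" (id=15), RFC 6520


def server_hello_extensions(record: bytes) -> List[int]:
    """Return the extension IDs advertised in a ServerHello.

    `record` is one TLS record (content type 22 = handshake) whose body
    is a ServerHello. Returns [] when the hello carries no extensions
    block, which is what pre-extension OpenSSL builds send.
    """
    if len(record) < 5 or record[0] != 22:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 2:          # handshake type 2 = ServerHello
        raise ValueError("record does not carry a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    pos = 2 + 32                               # server_version + random
    sid_len = hello[pos]
    pos += 1 + sid_len                         # session_id
    pos += 2 + 1                               # cipher_suite + compression_method
    if pos >= len(hello):
        return []                              # no extensions block at all
    ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    ids = []
    while pos + 4 <= end:
        ext_id, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
        ids.append(ext_id)
        pos += 4 + ext_len
    return ids


def advertises_heartbeat(record: bytes) -> bool:
    """True if the server offered the heartbeat extension (needs further checking)."""
    return HEARTBEAT_EXT_ID in server_hello_extensions(record)


def _server_hello(extensions: Optional[bytes]) -> bytes:
    # Constructed TLS 1.0 ServerHello: fixed random, empty session id,
    # cipher suite 0x002f, null compression, optional extensions block.
    hello = b"\x03\x01" + b"\x11" * 32 + b"\x00" + b"\x00\x2f" + b"\x00"
    if extensions is not None:
        hello += struct.pack("!H", len(extensions)) + extensions
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


# Constructed samples: a newer server advertising renegotiation_info (0xff01)
# and heartbeat (0x000f, len=1, mode 1), and an old server with no extensions.
MODERN_SERVER_HELLO = _server_hello(b"\xff\x01\x00\x01\x00" + b"\x00\x0f\x00\x01\x01")
OLD_SERVER_HELLO = _server_hello(None)
```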

Re: CVE-2014-0160 and IronMail

IronMail 6.7.2 HF7 still uses a much older version of openssl:

[ct_maint@im02 ~]$ openssl version

OpenSSL 0.9.8n 24 Mar 2010

Versions 1.0.0 and earlier do not have the vulnerability.

Out of the box, MEG 7.5 and 7.6 were vulnerable, but hotfixes have been released to address the issue. and respectively, both released April 11th.

