2 Replies Latest reply on May 17, 2014 1:52 AM by andyclements

    CVE-2014-0160 and IronMail

    bwemailsupport1

      Will McAfee release a statement as to whether IronMail (MEG) 6.7.2 is vulnerable to "Heartbleed" OpenSSL vulnerability?


      (IronMail is EOL and unsupported as of 3/31/14.)

        • 1. Re: CVE-2014-0160 and IronMail
          warchildx

          I am still waiting on mcafee to give some info regarding 7.5.x

          I have done some initial testing of 6.7.2 HF4+ and they appear NOT to be vulnerable thus far. It looks like the OpenSSL implementation is older, and thus doesn't present extension 15.

          Run the following from an external machine:

          openssl s_client -connect smtp-server.domain.x:443 -tlsextdebug | grep 'heartbeat'

          openssl s_client -connect secure-web-mail.domain.x:25 -starttls smtp -tlsextdebug | grep 'heartbeat'

          This doesn't show that OpenSSL has extended extensions (meaning OpenSSL is too old).

          On versions that support the extension (and thus need additional checking to see if vulnerable), it shows as:

          TLS server extension "heartbeat" (id=15), len=1



          • 2. Re: CVE-2014-0160 and IronMail
            andyclements

            IronMail 6.7.2 HF7 still uses a much older version of openssl:

            [ct_maint@im02 ~]$ openssl version
            OpenSSL 0.9.8n 24 Mar 2010
            

            Versions 1.0.0 and earlier do not have the vulnerability.

            Out of the box, MEG 7.5 and 7.6 were vulnerable, but hotfixes have been released to address the issue: MEG-7.5h960401-2846.114.zip and MEG-7.6h960405-2810.114.zip respectively, both released April 11th.
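The two pieces of evidence used in this thread, the `-tlsextdebug` output from warchildx's `s_client` commands and the `openssl version` banner from andyclements' post, can be combined into a small triage script. This is an added example, not code from the original posts or from McAfee; the `s_client` output below is constructed for the example (it was not captured from an IronMail host), and the status strings returned by `triage` are my own naming. The version check is only a hint: distributions backported the CVE-2014-0160 fix into builds that still report 1.0.1e, so "version in affected range" is a reason to test further, not proof of exposure.

```python
import re

# Constructed sample of `openssl s_client ... -tlsextdebug` output from an old
# OpenSSL server stack (0.9.8/1.0.0 era): no "heartbeat" extension line at all.
OLD_STACK_OUTPUT = """CONNECTED(00000003)
TLS server extension "renegotiation info" (id=65281), len=1
0000 - 00
depth=0 CN = smtp-server.domain.x
"""

# Constructed sample from a 1.0.1-era stack that advertises the heartbeat
# extension (id=15). This alone does not prove vulnerability.
NEW_STACK_OUTPUT = """CONNECTED(00000003)
TLS server extension "renegotiation info" (id=65281), len=1
0000 - 00
TLS server extension "heartbeat" (id=15), len=1
0000 - 01
depth=0 CN = secure-web-mail.domain.x
"""

HEARTBEAT_RE = re.compile(r'TLS server extension "heartbeat" \(id=15\)')
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def heartbeat_advertised(tlsextdebug_output):
    """True if the server sent the TLS heartbeat extension (RFC 6520, id=15).

    This is the line warchildx grepped for; an OpenSSL older than 1.0.1 never
    emits it because the extension was not implemented yet.
    """
    return bool(HEARTBEAT_RE.search(tlsextdebug_output))


def parse_openssl_version(banner):
    """Parse 'OpenSSL 0.9.8n 24 Mar 2010' into (0, 9, 8, 'n')."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError("no OpenSSL version in banner: %r" % banner)
    major, minor, patch, letter = m.groups()
    return int(major), int(minor), int(patch), letter


def version_in_heartbleed_range(banner):
    """True if the banner names OpenSSL 1.0.1 through 1.0.1f.

    Those are the upstream releases affected by CVE-2014-0160; 1.0.1g and later
    are fixed, and 0.9.8 / 1.0.0 never had the heartbeat code. (1.0.2-beta1 was
    also affected; beta suffixes are not handled here.) Vendor backports can
    make an affected-looking banner safe, so treat True as "needs a real test".
    """
    major, minor, patch, letter = parse_openssl_version(banner)
    if (major, minor, patch) != (1, 0, 1):
        return False
    return letter <= "f"  # '' (plain 1.0.1) .. 'f' affected, 'g' and later fixed


def triage(tlsextdebug_output, version_banner=None):
    """Combine both checks into one of four status strings (naming is mine)."""
    if not heartbeat_advertised(tlsextdebug_output):
        # No heartbeat extension negotiated: the server will not process
        # heartbeat records, so the CVE-2014-0160 read cannot be triggered.
        return "not_advertised"
    if version_banner is None:
        return "advertised_needs_check"
    if version_in_heartbleed_range(version_banner):
        return "advertised_version_affected"
    return "advertised_version_fixed"


if __name__ == "__main__":
    print("IronMail 6.7.2 HF7:", triage(OLD_STACK_OUTPUT, "OpenSSL 0.9.8n 24 Mar 2010"))
    print("unknown 1.0.1 host:", triage(NEW_STACK_OUTPUT))
    print("unpatched 1.0.1e:", triage(NEW_STACK_OUTPUT, "OpenSSL 1.0.1e 11 Feb 2013"))
    print("patched 1.0.1g:", triage(NEW_STACK_OUTPUT, "OpenSSL 1.0.1g 7 Apr 2014"))
```

To use it against a live host, pipe the output of `openssl s_client -connect host:port -tlsextdebug` (adding `-starttls smtp` for port 25, as in the commands above) into `heartbeat_advertised`, and feed the `openssl version` banner from the appliance shell into `triage` when you have one. The two servers above are the hostnames already used in the thread; they are placeholders, not real systems.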