Bitcoin creator – could he be ‘outed’ after email ransom?

Bitcoin creator ‘Satoshi Nakamoto’ – a pseudonym – could be about to have his identity made public, after a series of odd emails from the address that has been his only point of contact with the world since he ‘went dark’ in 2011, according to a report in Forbes.

Someone claiming to be a hacker has access to “[email protected]”, and has posted a threat to Pastebin, saying that he would “de-anonymize” the mysterious Bitcoin creator for a ransom of 25 Bitcoins.

The threat says, “Releasing the so called “gods” dox if my address hits 25 BTC. And no, this is not a scam.” A series of mysterious emails from the Bitcoin creator’s supposed address, reported by Vice.com, have done little to clear up the mystery.

A test email from We Live Security found that the address is now delivering a “mailbox unavailable” error message.

Bitcoin creator: Mystery emails

One colleague received a threat to “hitman” him from the account, which Forbes reports drily as not being in the “usual style” of the cryptocurrency founder.

The identity of ‘Satoshi Nakamoto’, who handed over control of the site to a developer nearly four years ago, has been hot property since Newsweek incorrectly identified a man, Dorian Nakamoto, as being the mysterious developer of the cryptocurrency.

Forbes reports that the email address has lain dormant since 2011, when ‘Nakamoto’ ceased corresponding with people via the address. The magazine speculates that the GMX.com address may have fallen dormant through disuse and been opened up to another user, as GMX’s terms of service specify that accounts can be “terminated” after such a period of inactivity.

Threat to “hitman” colleague

Things got yet more mysterious when two separate people appeared to correspond with Motherboard at Vice from the same address. One sent a screenshot showing an Inbox with 11,000 emails.

The site writes, “Motherboard was able to communicate with two individuals who have access to Nakamoto’s old email address. The first said he was only browsing Nakamoto’s for fun. The second not only claimed to be the real hacker of the account, but also said the first person we spoke with was Nakamoto himself.”

The series of emails, chronicled by Vice, become increasingly cryptic as the supposed hacker denies he is associated with the Pastebin post.

One of the concluding emails thickens the plot still further. Asked if he is sure that the other individual with access is definitely Satoshi, the hacker replies, “Satoshi is smart and will have tried to put the people looking for him on the wrong path. This is why I can’t be sure.”

The post Bitcoin creator – could he be ‘outed’ after email ransom? appeared first on We Live Security.

Nude Celebs, Target, Home Depot: Who is to blame? Criminals!

Celebgate, the leaking of nude photos of celebrities from iCloud that started in August, continues to make headlines but now has competition from another big cybercrime story. The compromise of payment card data at Home Depot is emerging under headlines that make comparisons with another huge retail breach, as in: “bigger than Target?” What’s the connection between the sleazy creeps who hack private online storage accounts to share the contents thereof and folks who hack into point-of-sale systems to steal and sell payment card data? They are all criminals, a fact that is too often overlooked in the angry aftermath of the data breach du jour.

Blaming Cybercrime Victims

As the Celebgate story was emerging I received an interview request from a journalist with the Hungarian edition of CHIP magazine. His first question was: “Who’s responsible for the latest Apple iCloud ‘celebrity nude pictures leak’ scandal and why?” My response went something like this: The correct answer to this question is people, not technology. I continued:

The creepy people who stole the pictures are the ones responsible for this scandal and they should be held accountable. For some strange reason, the world tends to approach computer security differently from physical security. If you forget to lock your car, that does not make you responsible for it being stolen. The car thief is clearly the only person truly responsible. To think that any party other than the sleazy criminals who exposed private information is responsible is to condone their actions.

I was not just saying this to differentiate my analysis from that of actress and Celebgate victim Kirsten Dunst. I’m sure most people have seen headlines like this: “Kirsten Dunst Slams Apple After Alleged Nude Photo Leak: blames iCloud for photo hacking” (Hollywood Life). Much as I admire Ms. Dunst as an actress and sympathize with her entirely justified outrage at this incident, I don’t agree that Apple is to blame, any more than I would blame BMW if my car was stolen. Of course, any company whose business model involves handling sensitive private information has a responsibility to protect it. But persons who work to defeat those protections and then violate the privacy of that information are, in that case, the persons to blame, the responsible party. We must not forget that Target and Home Depot are victims of cybercrime, just as Ms. Dunst and other celebrities whose private photos were exposed are victims of cybercrime, whatever the passwords protecting their accounts happened to be.

To think that any party other than the sleazy criminals who exposed private information is responsible is to condone their actions. I say this because to say otherwise is to go down a road best avoided. Consider Apple’s reaction to Celebgate: they have instituted improved security measures. What if we fast forward 12 months and hear that, once again, a determined group of sick-minded perverts has defeated those enhanced security measures and exposed another batch of private pictures. Is Apple still responsible? Before you answer, let’s consider the Home Depot hack. Reports so far indicate that the criminals used an enhanced version of the malware deployed to steal tens of millions of payment card records from Target stores. The response from Target includes a commitment to use EMV cards in the future. EMV cards contain a chip and are much harder for criminals to replicate, making the conversion of stolen card data into cash more challenging. But notice that I’m saying “harder, more challenging” but not impossible.

In other words, unless human nature experiences a sudden and unprecedented global upgrade, some people somewhere will always be trying to defeat security measures for their own ends. A certain number will always succeed, so the trick is to reduce that number. And that is why societies put in place policies and allocate resources to deter criminal activity, notably through the detection, identification, apprehension, prosecution, and punishment of persons deemed to be criminal perpetrators. If any party other than the criminals is to blame for Celebgate and the Target and Home Depot hacks I would say it is society for failing to devote enough resources to the deterrence of cybercrime.

Cybercrime and Society

Sure, many companies and consumers could do a better job of protecting the information systems they use, from changing the default password on point-of-sale devices, to using stronger passwords on our accounts than “123456” (which recently replaced “password” as the most widely used password, according to an analysis of millions of compromised records – see this paper on password advice to choose something better).

In recent years a lot of useful advice on how to improve our digital security has been made freely available. The federal government publishes a wide range of guides to best practices, including the comprehensive Framework for Improving Critical Infrastructure Cybersecurity from NIST (the National Institute of Standards and Technology).

So why don’t more organizations do a better job at security? There are many reasons, cost being the most obvious, but failing to fit your front door with an expensive pick-proof lock does not make you responsible for a burglary or home invasion; there seems to be broad consensus that responsibility for those crimes rests with any criminal who chooses to violate your physical space. Violations of private virtual space should be considered equally criminal, and violators should be vigorously pursued.

America has well-established measures in place for responding to such physical crimes, from tracking down the perpetrators to arresting, prosecuting, and punishing them. And America’s efforts to deter traditional physical crime appear to be effective when you look at the number of bank robberies each year and the average amount of loot they yield. Both numbers are gradually declining: from 7,644 incidents yielding an average of $10,000 in 2003 to 5,086 incidents yielding $7,539 in 2011 (based on FBI reporting).

When it comes to computer fraud, the graph is a steep line going in the opposite direction: up from $125 million in 2003 to $781 million in 2013 (based on Internet Crime Complaint Center reporting, in conjunction with the FBI). So where is the effort to deter cybercrime? And where is it located on the list of national priorities? Clearly there are some law enforcement resources devoted to catching and prosecuting cybercriminals. We have seen a number of high profile arrests already this year (and I expect to see more). I have seen some very impressive computer forensics conducted by law enforcement at the local, national, and international levels.

What I don’t see are sufficient resources deployed to fight cybercrime at anything like the scale on which such crime is being conducted. In no way is this a criticism of the folks in the field who are knocking on doors and dissecting hard drives. I just don’t think there are enough of them. An in-depth academic study of cybercrime put the annual global law enforcement spend on the fight against cybercrime at $400 million in 2010 (Anderson, Barton, Bohme, Clayton, van Eeten, Levi, Moore, Savage. 2012). In speaking with one of the authors of that study, I found that about half of that figure, $200 million, was U.S. spending. Compare that to the FBI’s total budget request for fiscal year 2015: $8.3 billion.

Now compare that number to the $21 billion budget for the espionage activities of the NSA/NRO, which is on top of the $14.7 billion we shell out for whatever the CIA does these days. Now look at the staffing levels funded in the 2015 FBI budget request: 34,970 permanent positions including 13,050 special agents. Compare that with the FBI’s 2014 request for $8.4 billion to cover 34,787 permanent positions including 13,082 special agents. By my count, that’s $100 million less in spending, and a reduction in force of 32 special agents.

I’m a security professional and not a budget analyst, but to me those numbers don’t seem consistent with a firm national resolve to tackle cybercrime. So, speaking as a security professional, I suggest that the next time a major IT security breach hits the headlines, we take a break from blaming the victims, and that includes people who use weak passwords on their accounts or companies who have holes in their security systems. Let’s put some of that anger and outrage into lobbying our government to take more decisive action against cybercrime and the people who perpetrate it.

Disagree? Leave a comment and let me know what you think. BTW, here’s a link to the FBI’s most wanted cyber criminal page.
 

The post Nude Celebs, Target, Home Depot: Who is to blame? Criminals! appeared first on We Live Security.

Facebook offers a new tool for configuring privacy

As Facebook is always changing, keeping your profile private and secure is a complicated and time-consuming task. The social network, aware that this could put many users off sharing their news with contacts, has therefore developed a new tool to simplify the job.

With this new feature, a friendly blue dinosaur helps you to quickly and simply check which of your contacts can see your latest posts.

To access it you have to click the padlock symbol in the top right of the screen and select “Privacy checkup”.

Screenshot: Facebook Privacy Checkup

A dialog box then opens with three simple steps.

How to configure privacy settings in Facebook

  1. The first option lets you control who can see your posts when you update your status from the news section or from the wall. As well as telling you the current settings, you can also change them to suit your preferences.

Screenshot: Privacy Checkup, step 1 (posts)

  2. The next step displays a list of all the applications that can access your profile and information. Here you can also revoke this access if you no longer use the application in question. What’s more, you can see which of your contacts can see posts that the applications publish in your name.

Screenshot: Privacy Checkup, step 2 (apps)

  3. Finally, Facebook helps you check which personal information you’re sharing on your profile: your job, school and college background, where you live … you can add or delete data and restrict access to it.

Screenshot: Privacy Checkup, step 3 (profile)

Although none of these settings prevent Facebook from using your personal information for advertising, they can help you know which contacts can see which posts.

At present this help feature does not include settings for photo albums or for the photos used as your profile or cover picture, which you will have to check directly.

If after meeting Facebook’s new dinosaur you still have questions about the privacy settings of your profile, you can always check our guide.

More | Facebook Privacy Guide

 

The post Facebook offers a new tool for configuring privacy appeared first on MediaCenter Panda Security.

Online ad threat – Yahoo, Amazon, YouTube ‘victims of malvertising’

Anyone who has visited popular domains such as YouTube.com, Amazon.com or Ads.Yahoo.com could be a victim of a new, mutating malware attack distributed through the online ad network adverts displayed on the sites, according to a new blog by networking specialist Cisco.

The blog describes how the online ad malware (which comes in two forms, one for PC and one for Mac) is distributed via online advertising networks – basically by conning one of the large ad companies, whose ads are seen on thousands of sites, into serving an ad with a malicious payload.

The Register describes the process as, “The high-profile serving domains – along with many others – are, of course, receiving the “malvertising” from online ad networks that have been tricked into hosting the attack content.”

Online ad threat: How it works

The Cisco bloggers say that a number of major domains, listed in their original blog post, have been affected by the current attack. The attack has been nicknamed Kyle and Stan, due to the naming scheme of the subdomains within the group – “stan.mxp2099.com” and “kyle.mxp2038.com”.

Threatpost reports that the likely size of the attack is probably much larger than the 700 domains analyzed by Cisco, and says, “700 domains and nearly 10,000 users have hit these domains and been exposed to the malicious advertisements.”

Threatpost points out that the attack vector is not new – the New York Times has previously fallen victim to a malvertising campaign – but that ‘Kyle and Stan’ takes a unique approach.

Cisco says that the attack delivers a unique malicious payload for every visitor, packaged with a legitimate media player, and a piece of malware which is tailored to each user.

“Extremely effective attack”

“The idea is very simple: use online advertising to spread malware. This attack form is not new, but extremely effective,” Cisco says.

“The world of online ads has only a few major players. If an attacker can get one of those major online ad networks to display an advertisement with a malicious payload just for a few minutes without being detected, then countless machines can be infected by such an attack.”

The attack comes in various forms, Cisco reports, but so far relies on pure social engineering rather than ‘drive-by downloads’, in which users are infected without clicking anything. Different malware packages are delivered according to platform and user, and the attack is evolving, the bloggers warn.

A discussion of the murky world of malvertising, adware and ‘badware’ by ESET researcher Joan Calvet can be found here.

The post Online ad threat – Yahoo, Amazon, YouTube ‘victims of malvertising’ appeared first on We Live Security.

TLS landscape

Transport Layer Security (TLS) or, as it was known in the early days of the Internet, Secure Sockets Layer (SSL) is the technology responsible for securing communications between different devices. It is used every day by nearly everyone using the globe-spanning network.

Let’s take a closer look at how TLS is used by servers that underpin the World Wide Web and how the promise of security is actually executed.

Adoption

Hyper Text Transfer Protocol (HTTP) in versions 1.1 and older makes encryption (and thus the use of TLS) optional. Given that the upcoming HTTP 2.0 will require the use of TLS and that Google now uses HTTPS as a signal in its ranking algorithm, it is expected that many sites will become TLS-enabled.

Surveying the Alexa top 1 million sites, most domains still don’t provide a secure communication channel for their users.

Just under 40% of HTTP servers support TLS or SSL and present valid certificates.

Additionally, if we look at the protocol versions supported by the servers, most don’t support the newest (and most secure) version of the protocol, TLSv1.2. Of more concern is the number of sites that support the completely insecure SSLv2 protocol.

Only half of HTTPS servers support TLS 1.2

(There are no results for SSLv2 for the first 3 months because of an error in the software that was collecting the data.)

One of the newest and most secure ciphers available in TLS is the Advanced Encryption Standard (AES) in Galois/Counter Mode (AES-GCM). These cipher suites provide good security, resilience against known attacks (BEAST and Lucky13), and very good performance on machines with hardware acceleration for them (modern Intel and AMD CPUs, upcoming ARM).

Unfortunately, AES-GCM adoption is growing a bit more slowly than TLS adoption in general, which means that some newly deployed servers aren’t using new cryptographic libraries or are configured not to use all of their functions.

Only 40% of TLS web servers support AES-GCM ciphersuites.

Bad recommendations

A few years back, a weakness in TLS 1.0 and SSL 3 was shown to be exploitable in the BEAST attack. The recommended workaround for it was to use RC4-based ciphers. Unfortunately, we later learned that the RC4 cipher is much weaker than previously estimated. As the vulnerability that allowed BEAST was fixed in TLSv1.1, using RC4 ciphers with newer protocol versions was never necessary. Additionally, all major clients have now implemented workarounds for this attack, which makes using RC4 a bad idea today.

Unfortunately, many servers prefer RC4 and some (~1%) actually support only RC4. This makes it impossible to disable this weak cipher on the client side in order to force the rest of the servers (nearly 19%) to use a different cipher suite.

RC4 is still used with more than 18% of HTTPS servers.

The other common issue is that many certificates are still signed using the obsolete SHA-1. This is mostly caused by backwards compatibility with clients like Windows XP pre-SP2 and old phones.

SHA-256 certificates only recently started growing in numbers

The sudden increase in SHA-256 between April and May was caused by the re-issuance of certificates in the wake of Heartbleed.

Bad configuration

Many servers also support insecure cipher suites. In the latest scan over 3.5% of servers support cipher suites that use AECDH key exchange, which is completely insecure against man-in-the-middle attacks. Many servers also support single DES (around 15%) and export-grade cipher suites (around 15%). In total, around 20% of servers support some kind of broken cipher suite.

While correctly implemented SSLv3 and later shouldn’t allow negotiation of those weak ciphers if stronger ones are supported by both client and server, at least one commonly used implementation had a vulnerability that did allow the cipher suite to be changed to an arbitrary one supported by both client and server. That’s why it is important to occasionally clean up the list of supported ciphers, on both the server and the client side.

Forward secrecy

Forward secrecy, also known as perfect forward secrecy (PFS), is a property of a cipher suite that makes it impossible to decrypt communication between client and server even when the attacker knows the server’s private key. It therefore also protects old, recorded communication in case the private key is later leaked or stolen. That’s why it is such a desirable property.

The good news is that most servers (over 60%) not only support, but will actually negotiate cipher suites that provide forward secrecy with clients that support them. The key exchange types used are split essentially between 1024-bit DHE and 256-bit ECDHE, accounting respectively for 29% and 33% of all servers in the latest scan. The number of servers that negotiate PFS-enabled cipher suites is also steadily growing.

PFS support among TLS-enabled HTTP servers

Summary

Most Internet-facing servers are badly configured. Sometimes this is caused by a lack of functionality in the software, as in the case of old Apache 2.2.x releases that don’t support ECDHE key exchange. Sometimes it is a side effect of using new software with an old configuration: many configuration tutorials suggested using !ADH in the cipher string to disable anonymous cipher suites, but that unfortunately doesn’t disable the anonymous Elliptic Curve version of DH (AECDH); for that, !aNULL is necessary.

Thankfully, the situation seems to be improving, unfortunately rather slowly.

If you’re an administrator of a server, consider enabling TLS. The days when encryption was slow and taxing on servers are long gone. If you already use TLS, double-check your configuration, preferably using the Mozilla guide to server configuration, as it is regularly updated. Make sure you enable PFS cipher suites and put them above non-PFS ciphers, and that both you and the Certificate Authority you’ve chosen use modern crypto (SHA-2) and large key sizes (at least 2048-bit RSA).

If you’re a user of a server and you’ve noticed that the server doesn’t use a correct configuration, try contacting the administrator – they may have just forgotten about it.
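To make the criteria used throughout this survey concrete, here is an added example (written for this page, not the survey’s own scanner, and using constructed scan records and hypothetical host names) that applies the checks discussed above to per-host scan results: SSLv2 and missing TLS 1.2, RC4 offered, preferred or exclusive, single DES, export-grade and anonymous (ADH/AECDH) suites, missing AES-GCM, missing or non-preferred forward secrecy, SHA-1 certificate signatures, and key or DH parameter sizes below 2048 bits. Cipher suite names use OpenSSL’s notation, listed in the server’s preference order, as a scanner would report them.

```python
# Added example (not the survey's own tooling): apply the configuration checks
# discussed in the post to scan results. Host records below are constructed;
# cipher suite names use OpenSSL's notation, listed in server-preferred order.

SAMPLE_SCAN = {
    "good.example": {
        "protocols": ["TLSv1.2", "TLSv1.1", "TLSv1"],
        "ciphers": ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-SHA", "AES128-SHA"],
        "cert_sig": "sha256WithRSAEncryption", "key_bits": 2048, "dh_bits": None,
    },
    "legacy.example": {
        "protocols": ["TLSv1", "SSLv3", "SSLv2"],
        "ciphers": ["RC4-SHA", "RC4-MD5", "DES-CBC-SHA", "EXP-RC2-CBC-MD5", "AECDH-AES256-SHA"],
        "cert_sig": "sha1WithRSAEncryption", "key_bits": 1024, "dh_bits": None,
    },
    "rc4only.example": {
        "protocols": ["TLSv1.2", "TLSv1.1", "TLSv1"],
        "ciphers": ["RC4-SHA", "RC4-MD5"],
        "cert_sig": "sha256WithRSAEncryption", "key_bits": 2048, "dh_bits": None,
    },
    "dhe1024.example": {
        "protocols": ["TLSv1.2"],
        "ciphers": ["DHE-RSA-AES128-GCM-SHA256", "AES128-GCM-SHA256"],
        "cert_sig": "sha256WithRSAEncryption", "key_bits": 2048, "dh_bits": 1024,
    },
}

def is_rc4(name):
    return "RC4" in name

def is_single_des(name):
    # "DES-CBC-SHA" is single DES; "DES-CBC3-SHA" is triple DES and does not match.
    return "DES-CBC-" in name

def is_export(name):
    return name.startswith("EXP")

def is_anonymous(name):
    # Anonymous DH suites are named ADH-*, anonymous ECDH suites AECDH-*. In an
    # OpenSSL cipher string "!ADH" removes only the first group; "!aNULL" removes both.
    return name.startswith(("ADH-", "AECDH-"))

def is_pfs(name):
    # Ephemeral (EC)DH key exchange is what provides forward secrecy.
    return name.startswith(("ECDHE-", "DHE-", "EDH-"))

def is_gcm(name):
    return "-GCM-" in name

def assess(host):
    """Return the list of findings for one scanned host, in a fixed order."""
    findings = []
    protocols = set(host["protocols"])
    ciphers = host["ciphers"]
    if not ciphers:
        return ["no cipher suites reported"]
    if "SSLv2" in protocols:
        findings.append("supports SSLv2")
    if "TLSv1.2" not in protocols:
        findings.append("no TLSv1.2")
    if any(is_rc4(c) for c in ciphers):
        findings.append("offers RC4")
        if is_rc4(ciphers[0]):          # server-preferred suite is RC4
            findings.append("prefers RC4")
        if all(is_rc4(c) for c in ciphers):
            findings.append("RC4 only")  # clients cannot drop RC4 for this host
    if any(is_single_des(c) for c in ciphers):
        findings.append("offers single DES")
    if any(is_export(c) for c in ciphers):
        findings.append("offers export-grade suites")
    if any(is_anonymous(c) for c in ciphers):
        findings.append("offers anonymous key exchange")
    if not any(is_gcm(c) for c in ciphers):
        findings.append("no AES-GCM")
    if not any(is_pfs(c) for c in ciphers):
        findings.append("no forward secrecy")
    elif not is_pfs(ciphers[0]):
        findings.append("forward secrecy not preferred")
    if host["cert_sig"].lower().startswith("sha1"):
        findings.append("SHA-1 certificate signature")
    if host["key_bits"] < 2048:
        findings.append("certificate key shorter than 2048 bits")
    if host["dh_bits"] is not None and host["dh_bits"] < 2048:
        findings.append("DHE parameters shorter than 2048 bits")
    return findings

def summarize(scan):
    """Percentage of scanned hosts affected by each finding, like the survey's charts."""
    counts = {}
    for host in scan.values():
        for finding in assess(host):
            counts[finding] = counts.get(finding, 0) + 1
    total = len(scan)
    return {f: round(100.0 * n / total, 1) for f, n in sorted(counts.items())}

if __name__ == "__main__":
    for name, host in SAMPLE_SCAN.items():
        print(name, "->", ", ".join(assess(host)) or "no findings")
    for finding, pct in summarize(SAMPLE_SCAN).items():
        print(f"{pct:5.1f}%  {finding}")
```

The checks are deliberately name-based so they can be run over any scanner output that reports OpenSSL-style suite names; the `is_anonymous` helper encodes the `!ADH` versus `!aNULL` pitfall from the summary, and the RC4 checks distinguish servers that merely offer RC4 from those that prefer it or accept nothing else, which is the distinction that determines whether clients can safely drop RC4.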

Virus Bulletin, AVAR conferences: a tasty Conference Pair*

It’s that time of year. That is, the time for two of my favourite security conferences: Virus Bulletin and AVAR.

Sadly, I’m unable to attend the 2014 Virus Bulletin conference, taking place in Seattle 24th-26th September, but there’s a healthy sprinkling of ESET researchers on the programme, which now includes information on the seven last-minute presentations.

On Wednesday 24th at 11.30, ESET Canada’s Pierre-Marc Bureau co-presents a paper with Evgeny Sidorov and Konstantin Otrashkevich from the Yandex Safe Search team on Ebury and CDorked. Full disclosure. This is an area ESET research blogging has focused on for quite a while.

Also on Wednesday, at 14.30, ESET Canada researcher Jean-Ian Boutin presents his paper about The evolution of webinjects. And at 17.00, Matias Porolli and Pablo Ramos deliver a presentation about Brazilian malware trends: CPL in the spotlight.

On Thursday 25th at 12.00, it’s the turn of Robert Lipovsky and Anton Cherepanov with their last minute paper on Back in BlackEnergy: 2014 targeted attacks in the Ukraine and Poland.

And among the four reserve papers you’ll find Bootkits: past, present & future, written by ESET’s Eugene Rodionov, Intel’s Aleksandr Matrosov (formerly of ESET), and myself: this is my 15th Virus Bulletin conference paper. 🙂 Because it’s a reserve paper, it’s not in the programme, but if needed, it will be presented by Eugene and Alex. It’s partly based on research for their forthcoming book on bootkits, to which I’m delighted to be making a small contribution.

There are, of course, lots of other presentations I’d love to have heard: here are just a few of those that strike me as being particularly interesting:

This is the first time I’ll have missed a VB since 2007 (I have been to 14 since 1996, though, so I can’t complain too bitterly), and I’ll miss the face-to-face contact with all my friends inside and outside the security industry (not to mention the VB team), but I hope to make the next one in 2015. And I am looking forward to my first AVAR in several years. Again, ESET will be well-represented.

  • Peter Kosinar presents his paper on Stealing the internet, one router at a time
  • Sébastien Duquette presents his paper on Exploitation of CVE-2014-1761 in targeted attack campaigns
  • I’ll be presenting my paper with Sebastian Bortnik on Lemming Aid and Kool Aid: Helping the Community to help itself through Education

Unfortunately, there are no abstracts to link to at the moment, but there will be plenty of speakers there from other sectors of the security community who can be relied on to deliver good presentations.

*Yes, it’s another fruitful Harley pun.

David Harley
ESET Research Fellow

The post Virus Bulletin, AVAR conferences: a tasty Conference Pair* appeared first on We Live Security.

AVG makes privacy crystal clear with Short Privacy Notice

In our connected world, mobile technology is an integral part of daily living. Apps help us find the stores we are looking for, meet our friends at the right time and place, and keep us safe online. We trust these apps with our personal information in exchange for these services, which are often free. Sometimes we share sensitive information with the app in order to optimize that service. But do we ever think about what these apps do with the data they collect, and do we really know why they collect it?

At AVG, we believe that building trust in relationships is important. Transparency is a key element in building that trust, which means you have to know what’s going on with the data behind the app. The mobile environment is even more challenging because of the limited space and form factor. We’ve been innovating in this area to better show users what data is collected and how it is used. We’ve done this initially with a Short Data Privacy Notice that tells our customers in a clear, straightforward, and transparent way what our apps collect and share, in an easy-to-read form. Today I am delighted to tell you that the AVG Short Data Privacy Notice has been launched on the following apps: AVG AntiVirus FREE for Android, AVG Privacy Fix and AVG Cleaner for Android. Over time we expect this approach will become the standard in mobile and desktop environments.

This simple-to-use feature is accessed from the corner menu of the app main screen. To ensure full transparency for all our customers, we still give quick and easy access to our full privacy policy notice at the bottom of each page of the AVG Short Data Privacy Notice.

In the video below, AVG’s Chief Legal Officer Harvey Anderson explains how to use the AVG Short Data Privacy Notice and what we disclose to you through it.

MS14-016 – Important: Vulnerability in Security Account Manager Remote (SAMR) Protocol Could Allow Security Feature Bypass (2934418) – Version: 1.2

Severity Rating: Important
Revision Note: V1.2 (September 10, 2014): Revised Update FAQ and entries in the Operating System column of the Affected Software table to further clarify what version of Active Directory must be installed on a system to be offered the update. These are informational changes only.
Summary: This security update resolves one privately reported vulnerability in Microsoft Windows. The vulnerability could allow security feature bypass if an attacker makes multiple attempts to match passwords to a username.

Adobe Releases Security Updates for Flash Player and Air

Original release date: September 09, 2014

Adobe has released security updates to address multiple vulnerabilities in Adobe Flash Player and Air for Windows, Macintosh and Linux. Exploitation of these vulnerabilities could potentially allow an attacker to take control of the affected system.
 
Users and administrators are encouraged to review Adobe Security Bulletin APSB14-21 and apply the necessary updates.

UPDATED: VMSA-2014-0006.10 – VMware product updates address OpenSSL security vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -----------------------------------------------------------------------
VMware Security Advisory

Advisory ID: VMSA-2014-0006.10
Synopsis:    VMware product updates address OpenSSL
             security vulnerabilities
Issue date:  2014-06-10
Updated on:  2014-09-09
CVE numbers: CVE-2014-0224, CVE-2014-0198, CVE-2010-5298, and
             CVE-2014-3470
- -----------------------------------------------------------------------

1. Summary

   VMware product updates address OpenSSL security vulnerabilities.

2. Relevant Releases

   Big Data Extensions prior to 2.0.0

   ESXi 5.5 without patch ESXi550-201406401-SG
   ESXi 5.1 without patch ESXi510-201406401-SG
   ESXi 5.0 without patch ESXi500-201407401-SG

   Workstation 10.x prior to 10.0.3
   Workstation 9.x prior to 9.0.4

   Player 6.x prior to 6.0.3
   Player 5.x prior to 5.0.4

   Fusion 6.x prior to 6.0.4
   Fusion 5.x prior to 5.0.5

   Horizon Mirage Edge Gateway prior to 4.4.3

   Horizon View prior to 5.3.2
   Horizon View 5.3 Feature Pack X prior to Feature Pack 3

   Horizon Workspace Server 1.5.x without patch
      horizon-nginx-rpm-1.5.0.0-1876270.x86_64.rpm

   Horizon Workspace Server 1.8.x without patch
      horizon-nginx-rpm-1.8.2.1820-1876338.x86_64.rpm

   Horizon View Clients prior to 3.0

   vCD 5.5.x prior to 5.5.1.2
   vCD 5.1.x prior to 5.1.3.1

   vCenter prior to 5.5u1b
   vCenter prior to 5.1 U2a
   vCenter prior to 5.0U3a

   vCenter Support Assistant prior to 5.5.1.1

   vCloud Automation Center prior to 6.0.1.2

   vCenter Configuration Manager prior to 5.7.2

   vCenter Converter Standalone prior to 5.5.2
   Converter Standalone prior to 5.1.1

   Usage Manager prior to 3.3

   vCenter Operations Manager prior to 5.8.2
   vCenter Operations Manager prior to 5.7.3

   vCenter Chargeback Manager 2.6 prior to 2.6.0.1

   vCloud Networking and Security prior to 5.5.2.1
   vCloud Networking and Security prior to 5.1.4.1

   vSphere PowerCLI 5.x

   vCSA prior to 5.5u1b
   vCSA prior to 5.1u2a
   vCSA prior to 5.0u3a

   OVF Tool prior to 5.3.2

   Update Manager prior to 5.5u1b

   ITBM Standard prior to 1.1

   VDDK prior to 5.5.2
   VDDK prior to 5.1.3
   VDDK prior to 5.0.4

   NSX for Multi-Hypervisor 4.1.x prior to 4.1.3
   NSX for Multi-Hypervisor 4.0.x prior to 4.0.4
   NVP 3.0.x prior to 3.2.3
   NSX 6.0.x for vSphere prior to 6.0.5

   vFabric Web Server 5.x
   Pivotal Web Server prior to 5.4.1

   vCenter Site Recovery Manager prior to 5.5.1.1
   vCenter Site Recovery Manager prior to 5.1.2.1
   vCenter Site Recovery Manager prior to 5.0.3.2

   vSphere Replication prior to 5.8
   vSphere Replication prior to 5.5.1.1

   vSphere SDK for Perl prior to 5.5 Update 2

3. Problem Description

   a. OpenSSL update for multiple products.

      OpenSSL libraries have been updated in multiple products to
      versions 0.9.8za and 1.0.1h in order to resolve multiple security
      issues.

      The Common Vulnerabilities and Exposures project (cve.mitre.org)
      has assigned the names CVE-2014-0224, CVE-2014-0198,
      CVE-2010-5298, CVE-2014-3470, CVE-2014-0221 and CVE-2014-0195 to
      these issues. The most important of these issues is
      CVE-2014-0224.

      CVE-2014-0198, CVE-2010-5298 and CVE-2014-3470 are considered to
      be of moderate severity. Exploitation is highly unlikely or is
      mitigated due to the application configuration.

      CVE-2014-0221 and CVE-2014-0195, which are listed in the OpenSSL
      Security Advisory (see Reference section below), do not affect
      any VMware products.

      CVE-2014-0224 may lead to a Man-in-the-Middle attack if a server
      is running a vulnerable version of OpenSSL 1.0.1 and clients are
      running a vulnerable version of OpenSSL 0.9.8 or 1.0.1. Updating
      the server will mitigate this issue for both the server and all
      affected clients.

      CVE-2014-0224 may affect products differently depending on
      whether the product is acting as a client or a server and on
      which version of OpenSSL the product uses. For readability the
      affected products have been split into 3 tables below, based on
      the different client-server configurations and deployment
      scenarios.

      MITIGATIONS

      Clients that communicate with a patched or non-vulnerable server
      are not vulnerable to CVE-2014-0224. Applying these patches to
      affected servers will mitigate the affected clients (See Table 1
      below).

      Clients that communicate over untrusted networks such as public
      Wi-Fi with a server running a vulnerable version of OpenSSL 1.0.1
      can be mitigated by using a secure network such as a VPN (see
      Table 2 below).

      Clients and servers that are deployed on an isolated network are
      less exposed to CVE-2014-0224 (see Table 3 below). The affected
      products are typically deployed to communicate over the
      management network.
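      The version logic described above, as an added Python example that
      is not part of this advisory or of any VMware tool: it classifies
      OpenSSL version strings against the fix levels the advisory names
      (0.9.8za and 1.0.1h) and applies the stated CVE-2014-0224 condition
      (server on vulnerable 1.0.1, client on vulnerable 0.9.8 or 1.0.1) to
      a server/client pair. The inventory entries are constructed; branches
      the advisory does not name (for example 1.0.0) are reported as not
      assessed rather than guessed.

```python
"""Added example: classify OpenSSL versions against the VMSA-2014-0006 fix
levels and apply the advisory's CVE-2014-0224 client/server condition.
This is not VMware code; the sample version strings below are constructed."""
import re
from typing import Optional, Tuple

Branch = Tuple[int, int, int]

# Fix levels named in the advisory: 0.9.8za and 1.0.1h. Other branches are
# deliberately left out because the advisory states no fix level for them.
FIXED_LETTER = {(0, 9, 8): "za", (1, 0, 1): "h"}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text: str) -> Tuple[Branch, str]:
    """Extract (branch, patch letter) from text such as 'OpenSSL 1.0.1e 11 Feb 2013'."""
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    branch = (int(match.group(1)), int(match.group(2)), int(match.group(3)))
    return branch, match.group(4)


def _letter_key(letter: str) -> Tuple[int, str]:
    # OpenSSL patch letters run a..z and then za, zb, ...; the bare release
    # has no letter and sorts first. Comparing (length, letter) keeps that order.
    return (len(letter), letter)


def is_vulnerable(text: str) -> Optional[bool]:
    """True if below the advisory's fix level, False if at or above it,
    None when the branch is not covered by the advisory (caller must assess)."""
    branch, letter = parse_version(text)
    fixed = FIXED_LETTER.get(branch)
    if fixed is None:
        return None
    return _letter_key(letter) < _letter_key(fixed)


def mitm_possible(server: str, client: str) -> bool:
    """Advisory condition: MITM needs a server on vulnerable 1.0.1 and a client
    on vulnerable 0.9.8 or 1.0.1. Patching the server alone therefore clears
    the pair, which is why the Table 1 servers are the first priority."""
    server_branch, _ = parse_version(server)
    server_hit = server_branch == (1, 0, 1) and is_vulnerable(server) is True
    client_hit = is_vulnerable(client) is True
    return server_hit and client_hit


if __name__ == "__main__":
    # Constructed inventory: (host, role, output of `openssl version`).
    inventory = [
        ("mgmt-server", "server", "OpenSSL 1.0.1e 11 Feb 2013"),
        ("admin-client", "client", "OpenSSL 0.9.8y 5 Feb 2013"),
    ]
    for host, role, ver in inventory:
        print(f"{host} ({role}): {ver} -> vulnerable={is_vulnerable(ver)}")
    before = mitm_possible(inventory[0][2], inventory[1][2])
    after = mitm_possible("OpenSSL 1.0.1h 5 Jun 2014", inventory[1][2])
    print(f"MITM possible before server patch: {before}, after: {after}")
```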

      RECOMMENDATIONS

      VMware recommends customers evaluate and deploy patches for
      affected Servers in Table 1 below as these patches become
      available. Patching these servers will remove the ability to
      exploit the vulnerability described in CVE-2014-0224 on both
      clients and servers.

      VMware recommends customers consider applying patches to products
      listed in Table 2 & 3 as required.

      Column 4 of the following tables lists the action required to
      remediate the vulnerability in each release, if a solution is
      available.

      Table 1
      =======
      Affected servers running a vulnerable version of OpenSSL 1.0.1.

      VMware                          Product  Running  Replace with/
      Product                         Version  on       Apply Patch
      ==============                  =======  =======  =============
      ESXi                            5.5      ESXi     ESXi550-
                                                        201406401-SG

      Big Data Extensions             1.1               2.0.0

      vCenter Chargeback Manager      2.6               2.6.0.1

      Horizon Workspace Server        1.5.x             horizon-nginx-
                                                        rpm-1.5.0.0-
                                                        1876270.
                                                        x86_64.rpm
      Horizon Workspace Server        1.8.x             horizon-nginx-
                                                        rpm-1.8.2.1820-
                                                        1876338.
                                                        x86_64.rpm

      Horizon Mirage Edge Gateway     4.4.x             4.4.3

      Horizon View                    5.x               5.3.2

      Horizon View Feature Pack       5.x               5.3 FP3

      NSX for Multi-Hypervisor        4.1.2             4.1.3
      NSX for Multi-Hypervisor        4.0.3             4.0.4
      NSX for vSphere                 6.0.4             6.0.5
      NVP                             3.2.2             3.2.3

      vCloud Networking and Security  5.5.2             5.5.2.1
      vCloud Networking and Security  5.1.4             5.1.4.1

      Pivotal Web Server              5.4               5.4.1
      vFabric Web Server              5.x               Pivotal Web
                                                        Server 5.4.1

      Table 2
      ========
      Affected clients running a vulnerable version of OpenSSL 0.9.8
      or 1.0.1 and communicating over an untrusted network.

      VMware                          Product  Running  Replace with/
      Product                         Version  on       Apply Patch
      ==============                  =======  =======  =============
      vCSA                            5.5               5.5u1b
      vCSA                            5.1               5.1u2a
      vCSA                            5.0               5.0u3a

      ESXi                            5.1      ESXi     ESXi510-
                                                        201406401-SG
      ESXi                            5.0      ESXi     ESXi500-
                                                        201407401-SG

      Workstation                     10.x     any      10.0.3
      Workstation                     9.x      any      9.0.4
      Fusion                          6.x      OSX      6.0.4
      Fusion                          5.x      OSX      5.0.5
      Player                          6.x      any      6.0.3
      Player                          5.x      any      5.0.4

      vCenter Chargeback Manager      2.5.x             2.6.0.1

      Horizon Workspace Client        1.x      OSX      1.8.2
      Horizon Workspace Client        1.x      Windows  1.8.2

      Horizon View Client             2.x      Android  3.0
      Horizon View Client             2.x      iOS      3.0
      Horizon View Client             2.x      OSX      3.0
      Horizon View Client             2.x      Windows  3.0
      Horizon View Client             2.x      WinStore 3.0

      OVF Tool                        3.5.1             3.5.2
      OVF Tool                        3.0.1             3.5.2

      vCenter Operations Manager      5.8.x             5.8.2
      vCenter Operations Manager      5.7.x             5.7.3

      vCenter Support Assistant       5.5.1             5.5.1.1

      vCD                             5.5.1.x           5.5.1.2
      vCD                             5.1.x             5.1.3.1

      vCenter Site Recovery Manager   5.5.x             5.5.1.1
      vCenter Site Recovery Manager   5.1.x             5.1.2.1
      vCenter Site Recovery Manager   5.0.3.x           5.0.3.2

      vSphere Client                  5.5      Windows  5.5u1b
      vSphere Client                  5.1      Windows  5.1u2a
      vSphere Client                  5.0      Windows  5.0u3a

      Table 3
      =======
      The following table lists all affected clients running a
      vulnerable version of OpenSSL 0.9.8 or 1.0.1 and communicating
      over a trusted or isolated network.

      VMware                          Product  Running  Replace with/
      Product                         Version  on       Apply Patch
      ==============                  =======  =======  =============
      vCenter Server                  5.5      any      5.5u1b
      vCenter Server                  5.1      any      5.1u2a
      vCenter Server                  5.0      any      5.0u3a

      Update Manager                  5.5      Windows  5.5u1b

      vCenter Configuration
      Manager (VCM)                   5.6               5.7.2
      ITBM Standard                   1.0.1             1.1
      ITBM Standard                   1.0               1.1

      Studio                          2.6.0.0           patch pending

      Usage Meter                     3.3               3.3.1

      vCenter Converter Standalone    5.5               5.5.2
      vCenter Converter Standalone    5.1               5.1.1

      vCloud Automation Center        6.0.x             6.0.1.2

      VIX API                         1.12              patch pending

      vMA (Management Assistant)      5.5.01            patch pending

      vSphere PowerCLI                5.x               See VMware
                                                        KB 2082132

      vSphere Data Protection         5.5.6             patch pending
      vSphere Data Protection         5.1.11            patch pending

      vSphere Replication             5.5.1             5.5.1.1
      vSphere Replication             5.6               5.8

      vSphere SDK for Perl            5.5               5.5 Update 2

      VDDK                            5.5.x             5.5.2
      VDDK                            5.1.x             5.1.3
      VDDK                            5.0.x             5.0.4

4. Solution

   Big Data Extensions 2.0.0
   ----------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download-bde

   ESXi 5.5, 5.1 and 5.0
   ----------------------------
   Download:
   https://www.vmware.com/patchmgr/findPatch.portal

   Horizon Mirage Edge Gateway 4.4.3
   ---------------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download-horizon-mirage

   vCD 5.5.1.2
   ----------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download/vcloud-director

   vCenter Server 5.5u1b, 5.1u2a, 5.0u3a
   ------------------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download-vsphere

   vCSA 5.5u1b, 5.1u2a and 5.0u3a
   ----------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download-vsphere

   Update Manager 5.5u1b
   ----------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download-vsphere

   VDDK 5.x
   ----------------------------
   Downloads and Documentation:
   https://www.vmware.com/support/developer/vddk

   vCenter Configuration Manager (VCM) 5
   ----------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download_vcm

   vCenter Operations Manager 5.8 and 5.7.3
   ----------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download-vsphere-ops-mgr

   OVF Tool 3.5.2
   --------------
   Download:
   https://www.vmware.com/support/developer/ovf/

   vCenter Converter Standalone 5.5.2
   -----------------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download-converter

   Horizon View 5
   ----------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/downloadview

   Horizon View 5.3 Feature Pack 3
   -----------------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/downloadview

   Horizon Workspace Server 1.5 and 1.8.x
   ----------------------------
   Release Notes and download:
   http://kb.vmware.com/kb/2082181

   Workstation
   ----------------------
   https://www.vmware.com/go/downloadworkstation

   Fusion
   ------------------
   https://www.vmware.com/go/downloadfusion

   VMware Player
   ------------------
   https://www.vmware.com/go/downloadplayer

   vCenter Server 5.1 Update 2a
   ----------------------------------------------------
   Download link:

   https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/vmware_vsphere/5_1

   vCenter Server 5.0 Update 3a
   ----------------------------------------------------
   Download link:

   https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/vmware_vsphere/5_0

   vCloud Networking and Security 5.5.2.1
   ------------------------------------
   Download

   https://my.vmware.com/web/vmware/details?downloadGroup=VCNS552_GA&productId=353&rPId=5255

   vCloud Networking and Security 5.1.4.1
   ------------------------------------
   Download:

   https://my.vmware.com/web/vmware/details?downloadGroup=VCNS514_GA&productId=285&rPId=5131

   NSX for Multi-Hypervisor, NSX for vSphere and NVP
   -------------------------------------------------
   Remediation Instructions and Download, available under support:
   http://www.vmware.com/products/nsx

   vCD 5.5.1.2 and vCD 5.1.3.1
   ---------------------------
   Download link:
   https://www.vmware.com/go/download-vcd-ns

   VMware vCenter Chargeback Manager
   ---------------------------------
   Download link:
   https://www.vmware.com/go/download-chargeback

   Converter Standalone 5.1.1
   ---------------------------
   Download link:
   https://www.vmware.com/go/download-converter

   Usage Manager 3.3
   -----------------
   Downloads and Documentation:
   https://communities.vmware.com/community/vmtn/vcd/vcloud_usage_meter

   vCenter Support Assistant
   --------------------------
   Downloads:
   https://www.vmware.com/go/download-vsphere

   Pivotal Web Server 5.4.1
   ------------------------

   https://my.vmware.com/web/vmware/details?downloadGroup=VF_530_PVTL_WSVR_541&productId=335&rPId=6214

   vCloud Automation Center
   --------------------------
   Downloads:
   https://www.vmware.com/go/download-vcac

   vCenter Site Recovery Manager 5.5.1.1
   -------------------------------------
   Remediation Instructions and Download:
   http://kb.vmware.com/kb/2081861

   vCenter Site Recovery Manager 5.1.2.1
   -------------------------------------
   Remediation Instructions and Download:
   http://kb.vmware.com/kb/2081860

   vCenter Site Recovery Manager 5.0.3.2
   -------------------------------------
   Remediation Instructions and Download:
   http://kb.vmware.com/kb/2081859

   vSphere Replication 5.8
   -----------------------
   Download:

   https://my.vmware.com/web/vmware/details?downloadGroup=SDKPERL552&productId=353

   vSphere Replication 5.5.1.1
   ---------------------------
   Remediation Instructions and Download:
   http://kb.vmware.com/kb/2082666

   ITBM Standard 1.1
   -----------------
   Download:

   https://my.vmware.com/web/vmware/details?downloadGroup=ITBM-STD-110&productId=384&rPId=6384

   Release Notes:

   https://www.vmware.com/support/itbms/doc/itbm-standard-edition-11-release-notes.html

   vSphere SDK for Perl 5.5 Update 2
   ----------------------------------
   Download:

   https://my.vmware.com/web/vmware/details?downloadGroup=VR580&productId=451&rPId=6436

   Release Notes:

   https://www.vmware.com/support/vsphere-replication/doc/vsphere-replication-58-release-notes.html

5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0198
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-5298
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3470

   https://www.openssl.org/news/secadv_20140605.txt
   http://www.gopivotal.com/security/cve-2014-0224

   VMware Knowledge Base Article 2082132
   http://kb.vmware.com/kb/2082132

-----------------------------------------------------------------------

6. Change Log

   2014-06-10 VMSA-2014-0006
   Initial security advisory in conjunction with the release of
   ESXi 5.5 updates on 2014-06-10

   2014-06-12 VMSA-2014-0006.1
   Updated security advisory in conjunction with the release of
   Big Data Extensions 2.0.0, Horizon Mirage Edge Gateway 4.4.3,
   vCD 5.5.1.2, vCenter Server 5.5u1b, vCSA 5.5u1b, and Update
   Manager 5.5u1b on 2014-06-12

   2014-06-17 VMSA-2014-0006.2
   Updated security advisory in conjunction with the release of
   ESXi 5.1 updates, VDDK 5.5.2, 5.1.3, and 5.0.4 on 2014-06-17

   2014-06-24 VMSA-2014-0006.3
   Updated security advisory in conjunction with the release of
   Horizon View 5.3.2, Horizon View 5.3 Feature Pack 3,
   vCenter Configuration Manager 5.7.2, vCenter
   Converter Standalone 5.5.2, vCenter Operations
   Manager 5.8.2, OVF Tool 5.3.2 on 2014-06-24

   2014-07-01 VMSA-2014-0006.4
   Updated security advisory in conjunction with the release of
   ESX 5.0 patches, Workstation 10.0.3, Player 6.0.3, Fusion 6.0.4,
   Horizon Workspace Server 1.5.x and 1.8.x updates, vCD
   5.1.3.1, vCenter Server 5.1 update 2a and 5.0 update 3a,
   vCSA 5.1 update 2a and 5.0 update 3a, Converter Standalone 5.1.1,
   vCenter Chargeback Manager 2.6.0.1,
   vCloud Networking and Security 5.5.2.1 and 5.1.4.1,
   NSX for Multi-Hypervisor 4.1.3,
   NSX for Multi-Hypervisor 4.0.4, NVP 3.2.3 and
   NSX 6.0.5 for vSphere on 2014-07-01

   2014-07-03 VMSA-2014-0006.5
   Updated security advisory in conjunction with the release of
   Workstation 9.0.4, Player 5.0.4, Fusion 5.0.5, vCenter Support
   Assistant 5.5.1.1, on 2014-07-03

   2014-07-08 VMSA-2014-0006.6
   Updated security advisory in conjunction with the release of
   vSphere PowerCLI 5.x on 2014-07-04 and Pivotal Web Server 5.4.1
   on 2014-07-08

   2014-07-10 VMSA-2014-0006.7
   Updated security advisory in conjunction with the release of
   vCloud Automation Center 6.0.1.2 and vCenter Operations Manager
   5.7.3 on 2014-07-10

   2014-07-18 VMSA-2014-0006.8
   Updated security advisory in conjunction with the release of
   patches for vCenter Site Recovery Manager 5.5.1.1 and
   vSphere Replication 5.5.1.1 on 2014-07-17

   2014-07-22 VMSA-2014-0006.9
   Updated security advisory in conjunction with the release of
   patches for vCenter Site Recovery Manager 5.1.2.1 and 5.0.3.2
   on 2014-07-22

   2014-09-09 VMSA-2014-0006.10
   Updated security advisory in conjunction with the release of
   patches for ITBM Standard 1.1, vSphere Replication 5.8 and
   vSphere SDK for Perl 5.5 Update 2 on 2014-09-09. vFabric
   Application Director has been removed from the table above since
   it is not affected by this issue.

-----------------------------------------------------------------------


7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

    security-announce at lists.vmware.com
    bugtraq at securityfocus.com
    fulldisclosure at seclists.org

   E-mail: security at vmware.com
   PGP key at: http://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html

   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2014 VMware Inc.  All rights reserved.
