This article includes details regarding Ephesoft and the Heartbleed vulnerability inherent in OpenSSL 1.0.1.
In certain releases of OpenSSL, there is vulnerability that could allow unknown parties to gain information from a server remotely that can include passwords, usernames, and other personal/customer information.
According to the defect information here, Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including 1.0.1f and 1.0.2-beta1.
Bug is in the OpenSSL’s implementation of the TLS/DTLS (transport layer security protocols) heartbeat extension (RFC6520). When it is exploited it leads to the leak of memory contents from the server to the client and from the client to the server.
Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.
Status of different versions:
· OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
· OpenSSL 1.0.1g is NOT vulnerable
· OpenSSL 1.0.0 branch is NOT vulnerable
· OpenSSL 0.9.8 branch is NOT vulnerable
Impact on Ephesoft Application:
Since Ephesoft is using OpenSSL 0.9.8r version, the Tomcat and Apache Web Server servicesincluded are not affected.
We have identified a sub-component in the LDAP server installed along with Ephesoft.
This vulnerability is only with OpenLDAP 2.4 which has compatibility with OpenSSL 1.0.1d which is a compromised version of OpenSSL.
We are still looking into the issue and will provide a permanent solution so this functionality can be used in the future and address this vulnerability.
Update – 9/3/2014
We have provided a workaround for disabling the SSL port for LDAP (Port 636).
Here are the workaround instructions:
1. Go to the Services.msc console window
2. Double Click on the Ephesoft OpenLDAP Directory Service in order to open the Service Properties.
3 Take note of the location of the slapd.exe file and confirm that OpenLDAP 2.4 is being used.
4. **Very Important** – Stop the Ephesoft Service and the LDAP Service
5. Navigate to the OpenLDAP directory located in the Ephesoft\Dependencies\OpenLDAP2.4
6. Rename the directory named “secure” to “secure–”
7. Under the same directory, Run the ldap.bat as Administrator
8. This will reinstall the OpenLDAP service and restart it.
9 Test to see if the ldaps port 636 is active or listening by using the following command netstat -anb | find “636”
10. You should not see any results, you can confirm that the normal LDAP port 389 is running netstat -anb | find “389”
The Ephesoft Engineering Team has provided a Fix for the OpenLDAP 2.4/Heartbleed vulnerability issue.
Please see their instructions below:
We have analysed the Heartblled leak in OpenLDAP 2.4.
Currently Ephesoft is using OpenLDAP 2.4.38 which is vulnerable to Heartbleed problem.
In the latest version of OpenLDAP 2.4.39 Heartbleed problems have been resolved.
Please Download ‘OpenLDAP-DLL.zip’ containing the replacement for vulnerable DLLs ‘libeay32.dll’ and ‘ssleay32.dll’.
These DLLs have been copied from the latest version of LDAP and are not vulnerable to Heartbleed.
We have successfully tested Ephesoft application after replacing the DLLs and it is working as per expectations.
Please follow the below defined steps to replace the attached DLLs:
- Stop the Ephesoft server if it is currently running.
- Stop the Ephesoft OpenLDAP service by using service.msc user interface or by running the below command in command line:-
SC stop OpenLDAP-slapd
- Take the back up and delete ‘libeay32.dll’ and ‘ssleay32.dll’, located at ‘<EphesoftInstallationDirectory>\Dependencies\OpenLDAP2.4\’.
- Extract the attached ‘OpenLDAP-DLL’ to get ‘libeay32.dll’ and ‘ssleay32.dll’.
- Copy the extracted DLLs at ‘<EphesoftInstallationDirectory>\Dependencies\OpenLDAP2.4\’.
- Restart the Ephesoft OpenLDAP service by using service.msc user interface or by running the below command in command line:-
SC start OpenLDAP-slapd
- Restart the Ephesoft server.
As you can see this DLL file uses OpenSSL 1.0.1g, which is a secure version of OpenSSL. (Please see the following link: https://www.openssl.org/news/secadv_20140407.txt )