Heartbleed Vulnerability: Password Manager Pro Security Advisory

Heartbleed, the serious flaw in OpenSSL's TLS implementation, is one of the most widely discussed vulnerabilities in internet history and has caused widespread concern. Naturally, you will want to know its impact on Password Manager Pro (PMP), and this advisory explains it.

If you are wondering what the Heartbleed bug is all about, here is a summary. It is a bug in the TLS Heartbeat extension of OpenSSL (CVE-2014-0160), a software library widely used to secure the transmission of private information. It is a memory disclosure flaw, not a code execution exploit: a malformed heartbeat request makes an affected server (or client) return up to 64 KB of its own process memory per request, which can contain the server's private key, session cookies, passwords and other data handled by OpenSSL. OpenSSL 1.0.1 through 1.0.1f are affected; 1.0.1g fixes the bug, and the 0.9.8 and 1.0.0 branches were never affected. It is indeed a very serious vulnerability.

The good news: PMP is NOT vulnerable to Heartbleed 

PMP is not vulnerable to the Heartbleed bug for the following reasons:

  • PMP does not use the OpenSSL libraries at runtime. Only the default SSL certificate shipped with PMP was generated with the OpenSSL 0.9.8 branch, which is not affected by Heartbleed in any case. The bug affects only TLS connections that enable Heartbeats, not other parts of OpenSSL such as key generation, certificate signing, digests and random byte generation, so a key or certificate produced by OpenSSL is not weakened by the bug itself. 

  • The underlying modules of PMP use the Tomcat web server with the BIO and NIO connectors. These connectors use JSSE (Java's own TLS implementation) for SSL, whereas only the APR/native connector uses OpenSSL. None of the underlying PMP modules use the APR/native connector. 
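
The connector rule above can be checked mechanically against a Tomcat server.xml. The following script is an added example, not code from this advisory or from Password Manager Pro: it classifies each Connector by its protocol attribute and flags the one case server.xml cannot settle on its own, the shorthand protocol="HTTP/1.1", which Tomcat resolves to the APR/native connector at startup when an AprLifecycleListener is configured and the tcnative library loads. The sample server.xml embedded in it is constructed for illustration and does not reproduce PMP's shipped configuration.

```python
"""Audit a Tomcat server.xml for connectors that would terminate TLS with OpenSSL.

Added example, not code from the advisory or from Password Manager Pro. It applies
the rule stated above: the BIO (Http11Protocol) and NIO (Http11NioProtocol)
connectors use JSSE; only the APR/native connector (Http11AprProtocol) uses
OpenSSL. SAMPLE_SERVER_XML is constructed for illustration and is not PMP's
shipped configuration.
"""
import xml.etree.ElementTree as ET

# Constructed sample: a JSSE connector, an explicit APR connector, a plain HTTP
# connector using the "HTTP/1.1" shorthand, and an AprLifecycleListener.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Service name="Catalina">
    <Connector port="7272" SSLEnabled="true" scheme="https" secure="true"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               keystoreFile="conf/server.keystore" keystorePass="changeit" />
    <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
               protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLCertificateFile="conf/server.crt" SSLCertificateKeyFile="conf/server.key" />
    <Connector port="8080" protocol="HTTP/1.1" />
  </Service>
</Server>
"""

JSSE_PROTOCOLS = {
    "org.apache.coyote.http11.Http11Protocol",     # BIO connector
    "org.apache.coyote.http11.Http11NioProtocol",  # NIO connector
}
APR_PROTOCOL = "org.apache.coyote.http11.Http11AprProtocol"
APR_LISTENER = "org.apache.catalina.core.AprLifecycleListener"


def classify_connector(connector, apr_listener_present):
    """Return 'JSSE', 'APR/OpenSSL' or 'AUTO (APR if native library loads)'.

    Tomcat resolves the shorthand protocol="HTTP/1.1" at startup: it selects the
    APR connector when an AprLifecycleListener is configured and the tcnative
    library loads, and a JSSE connector otherwise. That case cannot be settled
    from server.xml alone, so it is flagged for verification on the running server.
    """
    protocol = connector.get("protocol", "HTTP/1.1")
    if protocol in JSSE_PROTOCOLS:
        return "JSSE"
    if protocol == APR_PROTOCOL:
        return "APR/OpenSSL"
    if protocol == "HTTP/1.1":
        return "AUTO (APR if native library loads)" if apr_listener_present else "JSSE"
    return "UNKNOWN " + protocol


def audit_server_xml(xml_text):
    """Return one (port, tls_enabled, stack) tuple per Connector element."""
    root = ET.fromstring(xml_text)
    apr_listener = any(l.get("className") == APR_LISTENER for l in root.iter("Listener"))
    results = []
    for conn in root.iter("Connector"):
        tls = conn.get("SSLEnabled", "false").lower() == "true"
        results.append((conn.get("port"), tls, classify_connector(conn, apr_listener)))
    return results


def openssl_exposed(results):
    """True if any TLS-enabled connector may terminate TLS with OpenSSL."""
    return any(tls and stack != "JSSE" for _port, tls, stack in results)


if __name__ == "__main__":
    audit = audit_server_xml(SAMPLE_SERVER_XML)
    for port, tls, stack in audit:
        print(f"port {port}: TLS {'on' if tls else 'off'}, stack {stack}")
    print("possible OpenSSL exposure:", openssl_exposed(audit))
```

To run it against a real installation, read the server's conf/server.xml into `audit_server_xml` instead of the sample. A connector reported as AUTO needs a look at the Tomcat startup log, which records whether the APR/native library was loaded.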

Bottom line, you need not worry about the security of your data kept in Password Manager Pro. 

If you have configured your own SSL certificate 

Because generating keys and signing certificates with OpenSSL does not by itself expose them to Heartbleed, a trusted SSL certificate that you configured for Password Manager Pro using OpenSSL is not at risk from PMP's side. However, as a precautionary measure, you may generate a new private key and CSR with OpenSSL 1.0.1g, have a new certificate signed by your CA, and configure it in Password Manager Pro. Steps to do this are available in our FAQ section.

Please note that we suggest this precaution in the same spirit as changing passwords after a security incident elsewhere. Since PMP cannot know where else the same key pair is in use, or with which TLS libraries, we suggest regenerating the key and certificate.

General Information

How to diagnose if your systems are vulnerable?

If you want to check whether your systems are vulnerable to the Heartbleed bug, you may refer to this external post. Note that the version string alone is not a reliable indicator on every platform, because some distributions backported the fix without changing the version number; a test against the running service is the definitive check.

Fixing essentially involves the following steps

If you find any of your systems vulnerable to the Heartbleed bug, these are the typical steps involved in fixing it:

  1. Patch the vulnerable systems to OpenSSL 1.0.1g (or to your distribution's package that backports the fix).
  2. Generate new private keys. A new CSR on the old key is not enough, because the old key may already have been read from memory.
  3. Submit the new CSR to your CA.
  4. Obtain and install the newly signed certificate.
  5. Revoke the old certificates.

Other scenarios to take care

  • In addition, we strongly advise you to review all PKI key pairs, especially those stored in PMP. If a key is used anywhere in an application vulnerable to the Heartbleed bug, regenerate it.
  • If you use smart card authentication in PMP (as part of two-factor authentication) AND your endpoint is vulnerable to the Heartbleed bug, have the client certificates reissued.
  • If you use application-to-application password management through the PMP APIs AND your endpoint is vulnerable to the Heartbleed bug, have the client certificates reissued.
  • Also check every machine on which PMP agents are deployed for the Heartbleed bug. If vulnerable versions of the OpenSSL libraries are in use anywhere, make sure they are all patched to OpenSSL 1.0.1g.
  • As a best practice, ensure that all servers and machines hosting the PMP server, the PMP server's database and the agents are patched to OpenSSL 1.0.1g.

Next Steps 

Though PMP with its default SSL certificate is not vulnerable, as a best practice we plan to regenerate the default certificate with the fixed version of OpenSSL (1.0.1g) and release a new build (PMP version 7002) soon. You may watch our forum for updates on this.

We reassure you that you are safe with PMP and need not worry about the Heartbleed bug. Do write to PMP support if you need any assistance or clarification.

Thanks,
Bala
ManageEngine Password Manager Pro