66730: Acronis DeviceLock DLP: OpenSSL critical vulnerability CVE-2014-0160: TLS heartbeat read overrun


Last update: 20-01-2021

Description

A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server. Learn more at https://www.openssl.org/news/secadv_20140407.txt
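The missing check described above is a length-consistency check on the heartbeat message carried inside a TLS record (RFC 6520 layout: 1-byte type, 2-byte big-endian payload_length, payload, at least 16 bytes of padding). The following C code is an added example written for this article, not OpenSSL's or DeviceLock's code: it parses a heartbeat request from a received record and refuses to build a response when the claimed payload_length does not fit inside the bytes that actually arrived, which is the condition the 2014 fix enforces. The sample records at the bottom are constructed inline, not captured traffic.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Wire layout of a TLS heartbeat message (RFC 6520) inside a record:
 *   1 byte  HeartbeatMessageType (1 = request, 2 = response)
 *   2 bytes payload_length, big-endian
 *   payload_length bytes of payload
 *   at least 16 bytes of padding
 */
#define HB_HEADER_LEN   3
#define HB_MIN_PADDING  16
#define HB_MAX_PAYLOAD  65535

/* Build a heartbeat response from a received record.
 * rec/rec_len : the bytes that actually arrived in the record
 * out/out_len : response buffer, at least HB_HEADER_LEN + HB_MAX_PAYLOAD + HB_MIN_PADDING
 * Returns the number of payload bytes echoed, or -1 when the message is rejected.
 * The length check below is the bounds check the text refers to: the peer-supplied
 * payload_length is only trusted after it has been compared with rec_len. */
int hb_process_record(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_len)
{
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING)
        return -1;                      /* cannot even hold header + padding */
    if (rec[0] != 1)
        return -1;                      /* only heartbeat_request is answered */

    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];

    /* Bounds check: header + claimed payload + minimum padding must fit in the
     * record that was received. Without it the memcpy below would read
     * payload_len bytes starting inside a much shorter record. */
    if (HB_HEADER_LEN + payload_len + HB_MIN_PADDING > rec_len)
        return -1;

    size_t need = HB_HEADER_LEN + payload_len + HB_MIN_PADDING;
    if (need > out_len)
        return -1;                      /* response would not fit the caller's buffer */

    out[0] = 2;                         /* heartbeat_response */
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)(payload_len & 0xff);
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, payload_len);
    memset(out + HB_HEADER_LEN + payload_len, 0, HB_MIN_PADDING); /* constructed zero padding */
    return (int)payload_len;
}

/* Helper for the constructed samples below. */
static int hb_run(const uint8_t *rec, size_t rec_len)
{
    static uint8_t out[HB_HEADER_LEN + HB_MAX_PAYLOAD + HB_MIN_PADDING];
    return hb_process_record(rec, rec_len, out, sizeof out);
}

/* Constructed sample: claims 4 payload bytes and carries 4 bytes plus 16 bytes padding. */
int hb_demo_valid(void)
{
    uint8_t rec[HB_HEADER_LEN + 4 + HB_MIN_PADDING] = {1, 0x00, 0x04, 'p', 'i', 'n', 'g'};
    return hb_run(rec, sizeof rec);     /* 4 */
}

/* Constructed sample: claims 65535 payload bytes but carries only 4 plus 16 bytes padding. */
int hb_demo_oversized(void)
{
    uint8_t rec[HB_HEADER_LEN + 4 + HB_MIN_PADDING] = {1, 0xff, 0xff, 'p', 'i', 'n', 'g'};
    return hb_run(rec, sizeof rec);     /* -1: rejected by the bounds check */
}

int main(void)
{
    printf("well-formed request: %d payload bytes echoed\n", hb_demo_valid());
    printf("oversized length field: %d (rejected)\n", hb_demo_oversized());
    return 0;
}
```

The second sample is the shape of input a unit test for this parser should include: a length field that disagrees with the record length must produce a rejection rather than a response, which is exactly what the check on rec_len guarantees.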

Applies to

Only the 1.0.1 and 1.0.2-beta releases of OpenSSL are affected, including 1.0.1f and 1.0.2-beta1.

Questions

1. Does DeviceLock utilize OpenSSL?

2. If true, can this be a threat?

Answers

1. Yes, it does.

2. No, it cannot: older versions of DeviceLock use a non-vulnerable older version of OpenSSL, while current versions of DeviceLock (7.3.x) use OpenSSL 1.0.1e with the TLS heartbeat extension specifically deactivated.

Also, DeviceLock builds with a version number higher than 7.3.55818 use OpenSSL 1.0.1g.