Description
A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server. Learn more at https://www.openssl.org/news/secadv_20140407.txt
Applies to
Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected, including 1.0.1f and 1.0.2-beta1.
Questions
1. Does DeviceLock utilize OpenSSL?
2. If true, can this be a threat?
Answers
1. Yes, it does.
2. No, it cannot: older versions of DeviceLock utilize a non-vulnerable older version of OpenSSL, while current versions of DeviceLock (7.3.x) utilize OpenSSL 1.0.1e with the TLS heartbeat extension specifically deactivated.
Also, DeviceLock builds with a version number higher than 7.3.55818 utilize OpenSSL 1.0.1g.