Two SSL vulnerabilities that can be exploited for denial of service affect certain BoKS binaries
Two SSL vulnerabilities have been discovered in OpenSSL 1.0.1-1.0.1e.
Both vulnerabilities can cause the affected application to crash, enabling a denial-of-service attack; neither allows an attacker to gain access to the system. Below is a list of affected BoKS applications, with an indication of whether each runs on a BoKS Master (M), Replica (R) and/or Client (C).
SSL server applications
$BOKS_lib/httpsrv (M) - Old BoKS GUI
$BOKS_lib/boks_bccas (M) - Administration server
$BOKS_lib/boks_autoregisterd (M) - Client auto-registration service
$BOKS_lib/boks_pwmd (M) - Optional extension package
$BOKS_lib/boks_csspd (M/R) - BoKS Desktop authentication
$BOKS_lib/boks_sslproxy (M/R/C) - BoKS Desktop telnet proxy
SSL client applications
$BOKS_sbin/adgroup (M) - AD Bridge administration
$BOKS_lib/ldapsearch (M) - adsync, ldapusersync
$BOKS_lib/ldapmodify (M) - currently not used
$BOKS_lib/crldownload_ldap (M) - CRL download
$BOKS_lib/curl (M) - CRL download
$BOKS_lib/ems/modules/emsldap (M) - Event system LDAP connector
$BOKS_lib/auth/modules/hpsaauth (M/R) - BoKS Desktop external auth
$BOKS_lib/auth/modules/ldapauth (M/R) - BoKS Desktop external auth
$BOKS_sbin/adjoin (M/R/C) - AD membership administration
$BOKS_lib/boks_safeword (M/R/C) - BoKS safeword auth
$BOKS_lib/ldapauth (M/R/C) - BoKS LDAP auth
$BOKS_lib/boks_autoregister (M/R/C) - Client auto-registration
Resolution / Workaround
The above vulnerabilities were fixed in hotfix HFBM-0039-1, but Fox Technologies recommends installing the superseding hotfix HFBM-0043-1, which also addresses another OpenSSL vulnerability, CVE-2014-0160 (aka Heartbleed).
Install the hotfix HFBM-0043-1, available from the HelpSystems Community Portal.
The hotfix includes replacement binaries built with OpenSSL 1.0.1g, in which the vulnerabilities have been fixed.
Some of the binaries are dynamically linked against OpenSSL; in these cases it is the OpenSSL shared library that is replaced rather than the application binary.
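A defender-side check for the binaries listed above, added here as an example and not part of the advisory or of any BoKS tool: it reads the OpenSSL version banner embedded in each binary (or, for dynamically linked ones, in the libssl/libcrypto it resolves) and flags anything in the 1.0.1 to 1.0.1e range. The $BOKS_lib and $BOKS_sbin defaults are placeholders; set them to the real install paths.

```shell
# Added example (not a BoKS or Fox Technologies tool): scan the advisory's
# binaries for the OpenSSL banner they carry and flag 1.0.1 .. 1.0.1e.
# BOKS_lib/BOKS_sbin come from the environment; the defaults are placeholders.
BOKS_lib="${BOKS_lib:-/path/to/boks/lib}"
BOKS_sbin="${BOKS_sbin:-/path/to/boks/sbin}"

# Affected range from the advisory: 1.0.1 (no letter) through 1.0.1e.
openssl_affected() {
    case "$1" in 1.0.1|1.0.1[a-e]) return 0 ;; *) return 1 ;; esac
}

# Version from the OPENSSL_VERSION_TEXT banner embedded in a file
# ("OpenSSL 1.0.1e 11 Feb 2013" -> "1.0.1e"); prints nothing if absent.
embedded_openssl_version() {
    LC_ALL=C grep -a -o 'OpenSSL 1\.[0-9]\.[0-9][a-z]*' "$1" 2>/dev/null |
        head -n 1 | cut -d' ' -f2
}

# Dynamically linked binaries carry the banner in libssl/libcrypto instead,
# so list the libraries the loader resolves (empty if ldd is unavailable).
linked_ssl_libs() {
    command -v ldd >/dev/null 2>&1 || return 0
    ldd "$1" 2>/dev/null | awk '/libssl|libcrypto/ && $3 ~ /^\// { print $3 }'
}

# Verdict per path: "<path> affected <ver>", "<path> fixed <ver>",
# "<path> unknown" (no banner found) or "<path> missing" (not installed).
classify() {
    [ -e "$1" ] || { echo "$1 missing"; return 0; }
    ver="$(embedded_openssl_version "$1")"
    if [ -z "$ver" ]; then
        for lib in $(linked_ssl_libs "$1"); do
            ver="$(embedded_openssl_version "$lib")"
            [ -n "$ver" ] && break
        done
    fi
    if [ -z "$ver" ]; then echo "$1 unknown"
    elif openssl_affected "$ver"; then echo "$1 affected $ver"
    else echo "$1 fixed $ver"; fi
}

# The advisory's list: servers first, then clients; adgroup/adjoin are in sbin.
advisory_binaries() {
    for b in httpsrv boks_bccas boks_autoregisterd boks_pwmd boks_csspd \
        boks_sslproxy ldapsearch ldapmodify crldownload_ldap curl \
        ems/modules/emsldap auth/modules/hpsaauth auth/modules/ldapauth \
        boks_safeword ldapauth boks_autoregister; do echo "$BOKS_lib/$b"; done
    for b in adgroup adjoin; do echo "$BOKS_sbin/$b"; done
}
advisory_binaries | while read -r f; do classify "$f"; done
```

A binary reported as "unknown" is either statically linked against a build without the banner string or dynamically linked to a library ldd could not locate; inspect it by hand before assuming it was patched.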