Opto 22

43044 Business Park Drive, Temecula, CA 92590 USA
Local & outside the USA: (951) 695-3000
Toll-Free within the USA: (800) 321-6786
Fax: (951) 695-3095
Email: sales@opto22.com
 
KB83762
groov Admin affected by OpenSSL Heartbleed bug
Revision: 1.0
Published: 4/9/2014
Applies To
GROOV-AT1
GROOV-AT1-SNAP
GROOV-SVR-WIN
GROOV-SVR-WIN-SNAP
Versions
Versions affected: All versions of groov Admin through 1.570.33
Problem is fixed in version: 1.570.34

DESCRIPTION

A remote user can exploit the OpenSSL Heartbleed bug to read a region of memory. This could provide unauthorized remote access to private information on groov Box. groov Server for Windows is also indirectly vulnerable. See the steps below for your groov Box or groov Server for Windows.

groov Box (GROOV-AT1, GROOV-AT1-SNAP)

Risk: This vulnerability exists in groov Admin. The private SSL encryption key used by both groov Admin and groov App could be stolen from groov Admin, which would allow communication with both groov Admin and groov App to be decrypted, exposing login information.

What do you need to do?
Opto 22 has provided a groov Admin update that eliminates the vulnerability. Follow these steps to install the update, and change the SSL certificate and passwords:

  1. Go to manage.groov.com and obtain groov Admin update file 1.570.34.
    Under Details for your groov Box, click Show and download the groov Admin version 1.570.34 update file.
  2. Install the update file:
    a. In Admin, expand the System group on the left side, and then click groov Admin Configuration.
    b. Click Upgrade groov Admin.
    c. Click Choose File to locate the groov Admin software update file on your computer.
    d. Highlight the file, and click Open.
    e. Click Upgrade.
  3. Obtain a new private SSL certificate.
    - If you have a self-signed certificate, create a new certificate using groov Admin.
    - If you have a certificate signed by a certificate authority, have your certificate authority revoke the old certificate and issue a new one.
    For more information, see form 2077, the groov Box User's Guide for GROOV-AT1.
  4. Install the new certificate using groov Admin.
  5. Change the groov Admin administrative password.
  6. Change the groov App user passwords.
    For more information, see form 2027, the groov User's Guide.

groov Server for Windows (GROOV-SVR-WIN, GROOV-SVR-WIN-SNAP)

Risk: groov Server does not contain this vulnerability. However, if groov Server is configured to use an SSL encryption key that is shared with a vulnerable service on the same host, the encryption key could be stolen through the vulnerable service. This could allow communication with groov Server to be decrypted, exposing login information.

What do you need to do?
Follow these steps:

  1. Upgrade the vulnerable service to eliminate the vulnerability.
  2. Go to manage.groov.com and download the latest version of groov Server.
    We recommend customers always run the latest version of groov Server.
  3. Install the groov Server update file.
    For more information, see form 2078, the groov Server for Windows User's Guide.
  4. Contact your certificate authority to obtain a new SSL certificate and revoke your old one.
  5. Install the new SSL Certificate for groov Server using the groov SSL Certificate utility.
    For more information, see form 2078, the groov Server for Windows User's Guide.
  6. Change groov App user passwords.
    For more information, see form 2027, the groov User's Guide.
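
Replacing the certificate only helps if the new certificate carries a new key pair, and the groov Server risk above exists only where two services present the same key. The following check is an added example, not Opto 22 code: it hashes the public key inside each certificate and reports keys that appear in more than one certificate. The function names, labels and skeleton sample certificates are constructed for illustration; in practice, pass the PEM text of the old and new certificates (or of each service's certificate on the host).

```python
import hashlib
import ssl

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def spki_sha256(cert):
    """SHA-256 of the SubjectPublicKeyInfo of a PEM (str) or DER (bytes) cert."""
    der = ssl.PEM_cert_to_DER_cert(cert) if isinstance(cert, str) else cert
    _, pos, _ = read_tlv(der, 0)        # Certificate SEQUENCE
    _, pos, _ = read_tlv(der, pos)      # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(der, pos)
    if tag == 0xA0:                     # optional [0] version field
        pos = end
    for _ in range(5):                  # serial, sig alg, issuer, validity, subject
        _, _, pos = read_tlv(der, pos)
    _, _, end = read_tlv(der, pos)      # subjectPublicKeyInfo
    return hashlib.sha256(der[pos:end]).hexdigest()

def shared_keys(certs):
    """Group labels by key hash; return only keys used by more than one cert."""
    groups = {}
    for label, cert in certs.items():
        groups.setdefault(spki_sha256(cert), []).append(label)
    return {h: names for h, names in groups.items() if len(names) > 1}

def tlv(tag, value):
    """Minimal DER encoder, used only to build the constructed samples below."""
    n = len(value)
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    head = bytes([n]) if n < 0x80 else bytes([0x80 | len(size)]) + size
    return bytes([tag]) + head + value

def skeleton_cert(serial, key):
    """Constructed stand-in with X.509 field layout; not a real signed cert."""
    empty = tlv(0x30, b"")
    spki = tlv(0x30, empty + tlv(0x03, b"\x00" + key))
    tbs = tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, bytes([serial])) + empty * 4 + spki
    return tlv(0x30, tlv(0x30, tbs) + empty + tlv(0x03, b"\x00"))

OLD_KEY, NEW_KEY = b"\x11" * 200, b"\x22" * 200  # constructed key bytes
SAMPLE = {"old cert": skeleton_cert(1, OLD_KEY),
          "renewed cert, same key": skeleton_cert(2, OLD_KEY),
          "reissued cert, new key": skeleton_cert(3, NEW_KEY)}
```

An empty result from `shared_keys` means every certificate checked has its own key; any group that includes the pre-upgrade certificate means that key was carried over and should be replaced.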

FOR MORE INFORMATION

See the following website: www.openssl.org/news/secadv_20140407.txt

WORKAROUND

There is no workaround. Upgrade to groov Admin 1.570.34.

RESOLUTION

Opto 22 has resolved this issue.

Questions? Contact Opto 22 Product Support.
Phone: 800-835-6786 or 951-695-3080
Email: support@opto22.com

DISCLAIMER

This Opto 22 Knowledge Base ('OptoKB') article is intended to provide general technical information on a particular subject or subjects and is not an exhaustive treatment of such subjects. Accordingly, the information in this OptoKB article is not intended to constitute application, design, software, or other professional engineering advice or services. Opto 22 may modify the OptoKB articles at any time. Before making any decision or taking any action which might affect your equipment, you should consult a qualified professional.

OPTO 22 DOES NOT WARRANT THE COMPLETENESS, TIMELINESS, OR ACCURACY OF THE DATA CONTAINED IN THIS OPTOKB ARTICLE AND MAY MAKE CHANGES THERETO AT ANY TIME AT ITS SOLE DISCRETION WITHOUT NOTICE. FURTHER, ALL INFORMATION CONVEYED HEREBY IS PROVIDED TO USERS 'AS IS.' IN NO EVENT SHALL OPTO 22 BE LIABLE FOR ANY DAMAGES OF ANY KIND INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS PROFIT, OR DAMAGE, EVEN IF OPTO 22 HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

OPTO 22 DISCLAIMS ALL WARRANTIES WHETHER EXPRESSED OR IMPLIED WITH RESPECT TO THE INFORMATION (INCLUDING HARDWARE, SOFTWARE, AND/OR FIRMWARE) PROVIDED HEREBY, INCLUDING THE IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, AND NON-INFRINGEMENT. Note that certain jurisdictions do not sanction the exclusion of implied warranties; thus, this disclaimer may not apply to you.

Copyright © 2017 Opto 22. All rights reserved.
