Thursday, 10 April 2014

NoMachine OpenSSL security vulnerability

An information disclosure flaw was found in the way OpenSSL handled TLS and DTLS Heartbeat Extension packets.

An attacker could use this flaw to obtain up to 64k of memory contents from the client or server, which could potentially lead to the disclosure of private keys and other sensitive information. (CVE-2014-0160)

OpenSSL is used in NoMachine software to power TLS and encryption in a number of subsystems. NoMachine has already commenced building and testing its own software with the updated OpenSSL libraries. The new packages will be released as soon as possible with instructions on how to regenerate the possibly compromised keys. Until then, NoMachine advises its users to put all machines containing sensitive information off-line.

The NoMachine Security Team

The NoMachine advisory is here: https://www.nomachine.com/SU04L00103