How to patch FREAK Vulnerability – This Exposes SSL/TLS Security Hole in Any HP System Server Box


The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct RSA-to-EXPORT_RSA downgrade attacks and facilitate brute-force decryption by offering a weak ephemeral RSA key in a noncompliant role, related to the “FREAK” issue. NOTE: the scope of this CVE is only client code based on OpenSSL, not EXPORT_RSA issues associated with servers or other TLS implementations.

The vulnerability has been dubbed ‘FREAK’ for Factoring RSA Export Keys. It was discovered by a group of researchers from Microsoft Research and the French Institute for Research in Computer Science and Automation, who found it was possible to make web browsers use encryption intentionally weakened in order to comply with U.S. government regulations in effect during the 1990s that banned American companies from exporting strong encryption abroad.

“Support for these weak algorithms has remained in many implementations such as OpenSSL, even though they are typically disabled by default; however, we discovered that several implementations incorrectly allow the message sequence of export ciphersuites to be used even if a non-export ciphersuite was negotiated,” the researchers wrote. “Thus, if a server is willing to negotiate an export ciphersuite, a man-in-the-middle may trick a browser (which normally doesn’t allow it) to use a weak export key. By design, export RSA moduli must be less than 512 bits long; hence, they can be factored in less than 12 hours for $50 on Amazon EC2.”


Step 1: Download the latest release patch from HP (HP System Management Homepage) from here



Step 2: Open HP SMH in your browser to check which version is installed

Type: https://localhost:2381


In the footer of the page you will see the version of your HP SMH. Record it so you can verify it later, after the installation.

HP System Management Homepage v7.3.2.1


Step 3: Open the package that was downloaded earlier, “cp027895.exe”, by double-clicking it.



Then follow the installation wizard for the patch.



Step 4: Type the local administrator group in the Group Name box.

Group Name: “Administrators” then click Add




Step 5: Select one of the radio buttons for User Access

  • If you select “Anonymous Access”, you can type the IP address of the server from anywhere in your network. This is to manage the remote HP SMH agent.

  • If you select “Local Access”, only the server running this HP SMH can open the agent; anyone else who tries to access it cannot open it.

 example: https://localhost:2381/


Select “Trust All”


Leave this empty unless there is a need to do IP Binding


If you want to restrict the IP addresses allowed to log in, enable this option.





Step 6: After the installation has finished, open the web browser again and repeat the process in Step 2. If you encounter an error or an empty display in the browser, you can verify the version with the instructions below.

 Go to “C:\hp\hpsmh\bin”, right-click “hpsmhd.exe” and go to the “Details” tab, where you will see the latest version.
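
Besides the version number, you can check the condition the researchers describe, a server "willing to negotiate an export ciphersuite", directly against the SMH port. The following Python probe is an added example, not part of the original post or of HP's tooling; it offers only RSA_EXPORT suites to `localhost:2381` (the address used in Step 2) and reports whether the server selects one. The function names are hypothetical, and a `None` result also covers servers that reject a TLS 1.0 hello outright.

```python
import socket
import struct

# RSA_EXPORT cipher suite IDs as assigned in the TLS cipher suite registry.
EXPORT_RSA_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

def build_client_hello(suites=EXPORT_RSA_SUITES):
    """Build a TLS 1.0 ClientHello that offers only the given cipher suites."""
    ids = b"".join(struct.pack("!H", s) for s in sorted(suites))
    body = (b"\x03\x01"                  # client_version: TLS 1.0
            + bytes(32)                  # random (fixed value, this is only a probe)
            + b"\x00"                    # empty session id
            + struct.pack("!H", len(ids)) + ids
            + b"\x01\x00")               # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_reply(data):
    """Return the export suite name the server selected, or None if it refused."""
    if len(data) < 5 or data[0] != 0x16:  # alert record (0x15) or nothing usable
        return None
    hs = data[5:]
    if len(hs) < 39 or hs[0] != 0x02:     # first handshake message is not ServerHello
        return None
    sid_len = hs[38]                      # follows type(1)+len(3)+version(2)+random(32)
    if len(hs) < 41 + sid_len:
        return None
    (suite,) = struct.unpack("!H", hs[39 + sid_len:41 + sid_len])
    return EXPORT_RSA_SUITES.get(suite)

def probe(host="localhost", port=2381, timeout=5.0):
    """Connect, offer only RSA_EXPORT suites, and report what the server picked."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        try:
            data = s.recv(4096)
        except (socket.timeout, ConnectionResetError):
            return None
    return parse_reply(data)

if __name__ == "__main__":
    picked = probe()
    print("export suite accepted: " + picked if picked else "RSA_EXPORT refused")
```

Run it on the server itself before and after installing the patch; a result of "RSA_EXPORT refused" means the service did not agree to any of the offered export suites.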



That’s it: you are now protected and using the latest patch for this version.

