How to patch FREAK Vulnerability – This Exposes SSL/TLS Security Hole in Any HP System Server Box

Overview:

The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct RSA-to-EXPORT_RSA downgrade attacks and facilitate brute-force decryption by offering a weak ephemeral RSA key in a noncompliant role, related to the “FREAK” issue. NOTE: the scope of this CVE is only client code based on OpenSSL, not EXPORT_RSA issues associated with servers or other TLS implementations.

The vulnerability has been dubbed ‘FREAK’ for Factoring RSA Export Keys. It was discovered by a group of researchers from Microsoft Research and the French Institute for Research in Computer Science and Automation, who found it was possible to make web browsers use encryption intentionally weakened in order to comply with U.S. government regulations in effect during the 1990s that banned American companies from exporting strong encryption abroad.

“Support for these weak algorithms has remained in many implementations such as OpenSSL, even though they are typically disabled by default; however, we discovered that several implementations incorrectly allow the message sequence of export ciphersuites to be used even if a non-export ciphersuite was negotiated,” the researchers wrote. “Thus, if a server is willing to negotiate an export ciphersuite, a man-in-the-middle may trick a browser (which normally doesn’t allow it) to use a weak export key. By design, export RSA moduli must be less than 512 bits long; hence, they can be factored in less than 12 hours for $50 on Amazon EC2.”

 

Step 1: Download the latest release patch from HP (HP System Management Homepage 7.5.3.1)  from here

patch1

 

Step 2: Open your HP SMH in browser to check the  what is the version

Type: https://localhost:2381

patch2a

and in below footnote you will notice the version of your HP SMH now record this to verify later on after the installation

HP System Management Homepage v7.3.2.1

patch3

Step 3: Open the package that was download earlier “cp027895.exe” by double clicking it.

patch4

 

Then follow the wizard for installation patch.

patch5

patch6

Step 4: Type the local administrator group in the Group Name box.

Group Name: “Administrators” then click Add

patch7

patch7a

 

Step 5: Select the radio buttons if for User Access this

  • If you select “Anonymous Access” this means that anyware in your network you can type the IP address of the server

 example: https://192.168.100.48:2381/

This is to manage the remote HP SMH agent.

  • If you select “Local Access” this means that only the server running this HP SMH can open the agent and if someone tries to access they can not open it.

 example: https://localhost:2381/

patch8

Select “Trust All”

patch9

Leave this empty unless there is a need to do IP Binding

patch10

If you want to restrict IP addresses for login enable this option

patch11

patch12

patch13

patch14

Step 5:  After installation is finish you can open again the web browser and do the same process in step 2 or if you encountering error or empty display in the browser you can verify by doing this below instruction.

 Go to your drive “C:\hp\hpsmh\bin” then right click the “hpsmhd.exe” and go to “Details” tab and you will see the latest version in it.

patch15

 

That’s it you are now protected and using the latest patch for this version.

 

Be the first to comment on "How to patch FREAK Vulnerability – This Exposes SSL/TLS Security Hole in Any HP System Server Box"

Leave a comment

Your email address will not be published.