Redcentric Heartbleed Announcement
23 April 2014
Further to our previous statement regarding the actions being taken to protect against this vulnerability, we can now confirm that all systems have been thoroughly investigated and confirmed as not being at risk.
All customers who were at risk running FortiOS versions 5.0.0 to 5.0.6 have been successfully upgraded to version 5.0.7.
We will continue to monitor the situation going forward and advise you of any material developments should they occur.
We would like to take the opportunity to remind you to conduct your own investigations on systems that you are responsible for, if you have not already done so.
Further information regarding the bug can be found at: http://heartbleed.com
On 7th April, a group of security researchers discovered and publicly disclosed a vulnerability in OpenSSL (versions 1.0.1 through 1.0.1f), a software package that is widely used to secure online communications; they called the bug Heartbleed.
This vulnerability may allow an attacker to access sensitive information from memory by sending specially-crafted TLS heartbeat requests.
Redcentric PLC take such threats seriously and therefore, since the disclosure, have been performing a series of system checks and audits to ensure that our systems and services are not at risk.
To date, the only exposure identified is for those customers running FortiOS, where the vulnerability exists in versions 5.0.0 to 5.0.6; a software update for FortiOS 5 is available for download on the support site. This vulnerability is fixed in FortiOS version 5.0.7.
Please note that FortiOS 4.3 (4.0MR3) and lower are not affected by this vulnerability.
Affected customers will have been contacted to schedule appropriate downtime for the managed upgrade.
Ongoing checks will be taking place over the next couple of days and our Information Security Manager is collating the results.
A further communiqué will be issued once all investigations have been completed.
If your organisation is responsible for Linux-based operating systems, we strongly recommend that you conduct your own investigations if you have not already done so.
Further information regarding the bug can be found at: http://heartbleed.com.