Heartbleed Bug

The vulnerability in OpenSSL, known as the Heartbleed bug, makes some Spectracom products susceptible. A software patch fixes the bug. Alternatively, network access controls, shutting down the management port, and changing user passwords are mitigating actions.
April 17, 2014
Affected Products: 
SecureSync

In early April 2014, a vulnerability was revealed in encryption software used in some Spectracom products. This flaw, known as Heartbleed, is a security bug in the open-source OpenSSL cryptography library. It is registered in the Common Vulnerabilities and Exposures system as CVE-2014-0160, and there is now a fix for it.

Affected products: SecureSync and NetClock 9400, version 4.8.8 or greater and below 5.1.4.

Recommendation: Update to 5.1.4

The susceptible products use OpenSSL for HTTPS and SSH management connections, so this bug does not affect NTP or PTP timing functions. If you have security concerns, you can log in to the unit and set up network access controls to limit management access to only specific known addresses or subnets, or take the following measures until you have the corrected software. In either case you will still be able to continue network time server operations.

- Shut down your management port, or
- Remove your management port from the public Internet connection, or
- If you believe your passwords may have been compromised, first take the unit off the public Internet, then:
  1. Change your passwords and use a very strong new password.
  2. Power off the unit.
  3. Put the unit back ON the public Internet if necessary.
  4. Power it up.
  5. Never log in to the unit unless it is on a private network.

Your credentials won’t be in any memory to be accessed by the vulnerability. Your password is very strong so it can’t be guessed easily. Whatever is in memory is useless to those looking to exploit the vulnerability.