Are the Connect ME and Connect ME 4 with plug-and-play firmware affected by heartbleed. I have read http://www.digi.com/support/kbase/kbaseresultdetl?id=3564, but am unsure of where these devices fit in.
PRODUCT NOTICE #4-20-14-1
DATE:
4/20/2014
PRODUCT:
Digi ARM Embedded Software Platforms (Various)
REASON:
OpenSLL “Heartbleed” Vulnerability (CVE-2014-0160) Advisory
PRODUCTS AFFECTED:
Digi Application Development Kit for Android
Windows Embedded Compact 6/7
Digi Embedded Linux Digi Embedded Yocto NET+OS
NOTICE:
This product notice provides general advice to customers regarding the recently discovered “Heartbleed” vulnerability affecting OpenSSL versions 1.0.1 through 1.0.1f only. Other OpenSSL versions are not affected.
The table below summarizes the specific Digi embedded software development platform versions and their known exposure to the “Heartbleed” vulnerability as well as applicable mitigation options. Versions that are not listed below are not considered affected. Platform Status Affected Version Mitigation/Comments NET+OS
Not Affected
N/A
NET+OS implements OpenSSL v0.9.8g/plus #1276: TLS Extensions/RFC 3546 Patch (or earlier). Digi Embedded Linux
Affected
5.9
Hotfix available through Digi Package Manager. Digi Embeded Yocto
Affected
1.4
See Digi Technical Support Knowledgebase Article #3566
http://www.digi.com/support/kbase/kbaseresultdetl?id=3566 Windows Embedded Compact 6/7
Not Affected
N/A
SSL/TLS implementations of Windows Embedded Compact are not based on OpenSSL. Digi ADK for Android
Not Affected
N/A
All Android platform releases with the exception of 4.1.1 (JB) are not affected.
See official Google Online Security post below for reference: http://googleonlinesecurity.blogspot.in/2014/04/google-services-updated-to-address.html
Please refer to the official Digi “Heartbleed” Security Notice posted at http://www.digi.com/lp/security/ for additional information, including resources to test existing devices and their software for possible exposure.
As a security best practices guideline, Digi still strongly advises all customers to test software builds for exposure to the “Heartbleed” vulnerability and take the appropriate mitigation steps as quickly as possible.
I’m not sure what OS or SSL implementation the Connect ME or Connect ME 4 with plug-and-play firmware uses. Does it implement a version of OpenSSL from v1.0.1 through v1.0.1f?
The operating system for Plug-and-play is called NDS, I’m not sure which version of OpenSSL is implemented on the NDS but if is not listed on this notice, then it should not be affected.
Here is the official statement. There is also a link on the bottom of the page that will have a link to tools for testing if you are concerned.
http://www.digi.com/support/kbase/kbaseresultdetl?id=3564
Connect ME4 running Plug and Play is not affected.