Channel: All Printers - LaserJet posts

OpenSSL Multiple Remote Security Vulnerabilities port 443/tcp over SSL


Hi

Currently we have 3 types of HP machines; the details are below:

1. HP 3015 DN

2. HP 5200 DTN

3. HP M712

Now we are dealing with an issue related to OpenSSL.

Check the details below:


OpenSSL Multiple Remote Security Vulnerabilities port 443/tcp over SSL
THREAT:
The OpenSSL Project is an Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a general purpose cryptography library. OpenSSL contains the following vulnerabilities:
CVE-2014-0224: An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server.
CVE-2014-0221: By sending an invalid DTLS handshake to an OpenSSL DTLS client the code can be made to recurse, eventually crashing in a DoS attack. Only applications using OpenSSL as a DTLS client are affected.
CVE-2014-0195: A buffer overrun attack can be triggered by sending invalid DTLS fragments to an OpenSSL DTLS client or server. This is potentially exploitable to run arbitrary code on a vulnerable client or server. Only applications using OpenSSL as a DTLS client or server are affected.
CVE-2014-3470: OpenSSL TLS clients enabling anonymous ECDH ciphersuites are subject to a denial of service attack.
Affected Versions: OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h.
The QID detection relies on the change in OpenSSL behavior.
1. The scanner starts an SSL (TLSv1) session by sending a ClientHello message to the server.
2. The scanner waits for the server to respond with its ServerHello, KeyExchange and ServerDone messages.
3. Then the scanner sends a ChangeCipherSpec message. This message is out-of-order.
4. The OpenSSL version that has the fix will reject this message with an alert "Unexpected message". The vulnerable version will attempt to proceed with the incomplete session. It will fail because of the missing shared key and return an alert "Decryption failed". This value is shown in the QID results.
IMPACT:
Depending on the vulnerability being exploited, an unauthenticated, remote attacker could conduct man-in-the-middle attacks, run arbitrary code or cause a denial of service condition on the targeted system.
SOLUTION:
Customers are advised to install OpenSSL versions 0.9.8za, 1.0.0m, 1.0.1h or later to remediate this vulnerability.
Patch:
Following are links for downloading patches to fix the vulnerabilities:
OpenSSL Security Advisory [05 Jun 2014]: .*

The latest firmware for the HP 3015 could solve this issue, with the addition of SSL 3.0 options in the Mgmt Protocol tab.

I'm looking forward to HP soon releasing new firmware for the HP 5200 and HP M712, or perhaps anybody is having the same problem as me.
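An added example, not from the original poster or from HP: the advisory quoted above gives three affected ranges (before 0.9.8za, 1.0.0 before 1.0.0m, 1.0.1 before 1.0.1h), and comparing OpenSSL's letter-suffixed version strings by hand across a printer fleet is error-prone because "0.9.8za" sorts after "0.9.8z", not before "0.9.8b". The Python below parses those version strings, ranks the letter suffix correctly, and buckets an inventory into affected / fixed / unknown. It assumes each device reports its OpenSSL version as a plain string such as "1.0.1g" or "OpenSSL/1.0.1g" (how you obtain that string from a given printer is outside this example); the device names and versions in the sample inventory are constructed, not taken from real firmware. Versions on branches the advisory does not name are reported as not affected by this advisory only, which says nothing about other issues.

```python
"""Triage reported OpenSSL versions against the affected ranges quoted in the
OpenSSL Security Advisory of 05 Jun 2014 (CVE-2014-0224 and friends).

Affected per the advisory text: anything before 0.9.8za, 1.0.0 before 1.0.0m,
and 1.0.1 before 1.0.1h. Other branches are treated as not affected by this
advisory; that is not a statement about any other vulnerability.
"""
import re
from typing import Dict, List, NamedTuple, Optional


class OpenSSLVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    suffix_rank: int  # numeric rank of the letter suffix, see letter_rank()


# Accepts "1.0.1g", "OpenSSL 1.0.1g" or "OpenSSL/1.0.1g"; anything after the
# letters (e.g. a "-fips" tag) is ignored because match() stops at the suffix.
_VERSION_RE = re.compile(r"^(?:OpenSSL[/ ])?(\d+)\.(\d+)\.(\d+)([a-z]*)")


def letter_rank(suffix: str) -> int:
    """Rank OpenSSL letter suffixes so that "" < "a" < ... < "z" < "za" < "zb".

    OpenSSL appends a letter per patch release and, after "z", continues with
    "za", "zb", ...; summing per-letter values preserves that order because
    "z" only ever appears as a prefix in this scheme.
    """
    return sum(ord(c) - ord("a") + 1 for c in suffix)


def parse_version(text: str) -> Optional[OpenSSLVersion]:
    """Parse a reported version string; None if it is not an OpenSSL version."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, suffix = m.groups()
    return OpenSSLVersion(int(major), int(minor), int(patch), letter_rank(suffix))


# First fixed release on each branch named in the advisory.
FIXED_RELEASES = {
    (0, 9, 8): parse_version("0.9.8za"),
    (1, 0, 0): parse_version("1.0.0m"),
    (1, 0, 1): parse_version("1.0.1h"),
}


def is_affected(text: str) -> Optional[bool]:
    """True if the version is in an affected range, False if it is not,
    None if the string could not be parsed and needs a human look."""
    v = parse_version(text)
    if v is None:
        return None
    branch = (v.major, v.minor, v.patch)
    # "before 0.9.8za" also covers every release older than 0.9.8 itself.
    if branch < (0, 9, 8):
        return True
    fixed = FIXED_RELEASES.get(branch)
    if fixed is None:
        return False
    return v < fixed  # tuple comparison, letter suffix compared last


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Bucket devices by status: "affected", "fixed" or "unknown"."""
    buckets: Dict[str, List[str]] = {"affected": [], "fixed": [], "unknown": []}
    for device, version in sorted(inventory.items()):
        status = is_affected(version)
        key = "unknown" if status is None else ("affected" if status else "fixed")
        buckets[key].append(device)
    return buckets


# Constructed sample inventory: device names and version strings are made up
# for illustration and are not taken from any real printer firmware.
SAMPLE_INVENTORY = {
    "printer-3015-floor1": "OpenSSL/1.0.1h",
    "printer-5200-floor2": "OpenSSL 1.0.1g",
    "printer-m712-floor3": "0.9.8y",
    "printer-legacy-lobby": "0.9.7m",
    "printer-unknown-lab": "firmware 20140101",
}

if __name__ == "__main__":
    for status, devices in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(devices) or '-'}")
```

Anything that lands in the "unknown" bucket (a firmware string with no OpenSSL version in it) still has to be checked against the vendor's release notes; the scanner's own step 4 ("Unexpected message" versus "Decryption failed") remains the behavioural confirmation the version check cannot replace.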