Addressing OpenSSL CVE-2014-0160 Heartbleed Issue Affecting Intel® Setup and Configuration Software (Intel® SCS) Version 9.1.0.123 Remote Configuration Service (RCS)

Documentation

Troubleshooting

000020920

07/27/2017

What am I seeing?
The OpenSSL CVE-2014-0160 Heartbleed issue affects the Intel® Setup and Configuration Software (Intel® SCS) version 9.1 (version 9.1.0.123). Intel® SCS 9.0 and earlier versions are not affected.

What's the current solution?
Intel® SCS 9.1.1.125 (b) addresses the OpenSSL CVE-2014-0160 issue by updating the OpenSSL DLL to version 1.0.1.g, which is not affected.

What functionality of Intel® SCS 9.1.0.123 is affected?
The Intel SCS Remote Configuration Service (RCS) component of version 9.1.0.123 is the only component affected by this issue.

What should I do if I already deployed Intel® SCS 9.1.0.123?
If RCS from version 9.1.0.123 is not installed, no action is needed. Do not install RCS from version 9.1.0.123.

If RCS from version 9.1.0.123 is installed, you need to replace the OpenSSL DLL files used by RCS with version 1.0.1.g. To mitigate the risk of exposed certificate keys and user data, Intel also recommends that you revoke and reissue certificates and change passwords after the updates. The required steps are:

Step A. Get a copy of OpenSSL DLL files version 1.0.1.g.

Step B. To manually change the OpenSSL files:

  1. On the computer running the RCS, open the Services window and stop the RCS service (RCSService.exe).
  2. Browse to the service installation folder. The default location is: C:\Program Files (x86)\Intel\SCS9\Service
  3. Replace these two OpenSSL DLL files with the 1.0.1.g version:
    • libeay32.dll
    • ssleay32.dll
  4. Open the Services window and start the RCS service again.

Step C. In order to mitigate the risk of exposed certificate keys and user data, Intel recommends that you:
  • Replace the PKI certificate used for remote configuration using PKI.
  • Run these maintenance tasks on all configured Intel® AMT systems:
    • RenewADPassword (to change the password of the Active Directory object representing the Intel® AMT system)
    • RenewAdminPassword (to change the password of the default Digest admin user in the Intel AMT device)
    • ReissueCertificates (to reissue the certificates stored in the Intel AMT device)
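
To confirm that Step B took effect, the following PowerShell check (an added example, not part of Intel's documentation) reads the OpenSSL version banner embedded in the two DLLs and flags any build in the range affected by CVE-2014-0160 (1.0.1 through 1.0.1f). It assumes the default installation folder from step 2 and that the DLLs carry the usual "OpenSSL <version> <date>" banner; the function and parameter names are illustrative.

```powershell
# Added example: confirm the RCS folder no longer holds a Heartbleed-affected OpenSSL build.
# Assumption: default install folder from step 2; pass -ServiceDir if RCS is installed elsewhere.
param([string]$ServiceDir = 'C:\Program Files (x86)\Intel\SCS9\Service')

function Get-OpenSslVersion {
    param([Parameter(Mandatory)][string]$Path)
    # Assumption: the DLL embeds the usual banner, e.g. "OpenSSL 1.0.1g 7 Apr 2014".
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $text  = [System.Text.Encoding]::GetEncoding('iso-8859-1').GetString($bytes)  # 1 byte -> 1 char
    $m = [regex]::Match($text, 'OpenSSL (\d+\.\d+\.\d+[a-z]*) ')
    if ($m.Success) { $m.Groups[1].Value } else { $null }
}

function Test-HeartbleedAffected {
    param([string]$Version)
    # CVE-2014-0160 affects OpenSSL 1.0.1 through 1.0.1f; 1.0.1g contains the fix.
    $Version -cmatch '^1\.0\.1[a-f]?$'
}

# Report the service state; the service is located by its executable name from step 1.
$services = @(Get-CimInstance Win32_Service | Where-Object { $_.PathName -like '*RCSService.exe*' })
if ($services.Count -eq 0) { Write-Warning 'No service whose path contains RCSService.exe was found.' }
foreach ($svc in $services) { 'Service {0}: {1}' -f $svc.Name, $svc.State }

$needsAction = $false
foreach ($dll in 'libeay32.dll', 'ssleay32.dll') {
    $path = Join-Path $ServiceDir $dll
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "$path not found"
        $needsAction = $true
        continue
    }
    $version = Get-OpenSslVersion -Path $path
    if (-not $version) {
        $status = 'UNKNOWN: no OpenSSL banner found, check manually'
        $needsAction = $true
    } elseif (Test-HeartbleedAffected $version) {
        $status = 'AFFECTED: replace with the 1.0.1.g file'
        $needsAction = $true
    } else {
        $status = 'OK: outside the affected range'
    }
    '{0,-14} {1,-8} {2}' -f $dll, $version, $status
}
if ($needsAction) { exit 1 }
```

A non-zero exit code means at least one DLL is missing, unidentified, or still in the affected range, so the certificate and password tasks in Step C should wait until Step B has been repeated.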