Addressing OpenSSL CVE-2014-0160 Heartbleed Issue Affecting Intel® Setup and Configuration Software (Intel® SCS) Version 184.108.40.206 Remote Configuration Service (RCS)
What am I seeing?
The OpenSSL CVE-2014-0160 Heartbleed issue affects the Intel® Setup and Configuration Software (Intel® SCS) version 9.1 (version 220.127.116.11). Intel® SCS 9.0 and earlier versions are not affected.
What's the current solution?
Intel® SCS 18.104.22.168 (b) addresses the OpenSSL CVE-2014-0160 issue by updating the OpenSSL DLL to version 1.0.1.g, which is not affected.
What functionality of Intel® SCS 22.214.171.124 is affected?
The Intel SCS Remote Configuration Service (RCS) component of version 126.96.36.199 is the only component affected by this issue.
What should I do if I already deployed Intel® SCS 188.8.131.52?
If RCS from version 184.108.40.206 is not installed, no action is needed. Do not install RCS from version 220.127.116.11.
If RCS from version 18.104.22.168 is installed, you do not need to replace the OpenSSL DLL used by RCS to version 1.0.1.g. In order to mitigate the risk of exposed certificate keys and user data, Intel recommends that you revoke and reissue certificates and change passwords after the updates. The required steps are:
Step A. Get a copy of the OpenSSL DLL files, version 1.0.1.g.
Step B. To manually change the OpenSSL files:
- On the computer running the RCS, open the Services window and stop the RCS service (RCSService.exe).
- Browse to the service installation folder. The default location is: C:\Program Files (x86)\Intel\SCS9\Service
- Replace these two OpenSSL DLL files with the 1.0.1.g version:
- Open the Services window and start the RCS service again.
Step C. In order to mitigate the risk of exposed certificate keys and user data, Intel recommends that you:
- Replace the PKI certificate used for remote configuration using PKI.
- Run these maintenance tasks on all configured Intel® AMT systems:
  - RenewADPassword (to change the password of the Active Directory object representing the Intel® AMT system)
  - RenewAdminPassword (to change the password of the default Digest admin user in the Intel AMT device)
  - ReissueCertificates (to reissue the certificates stored in the Intel AMT device)
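
Step B as a script, added here as an example and not Intel's own tooling. It assumes an elevated PowerShell session and a folder (`-NewDllDir`, a hypothetical parameter) holding the 1.0.1.g DLLs from Step A; it finds the service through `RCSService.exe`, replaces only DLLs whose names already exist in the service folder, and leaves the service stopped if any step fails.

```powershell
# Added example: automates Step B. Run from an elevated PowerShell prompt.
param(
    # Assumption: folder holding the 1.0.1.g OpenSSL DLLs obtained in Step A.
    [Parameter(Mandatory)] [string] $NewDllDir,
    # Default RCS installation folder given in Step B.
    [string] $ServiceDir = 'C:\Program Files (x86)\Intel\SCS9\Service'
)
$ErrorActionPreference = 'Stop'   # any failure aborts before the service is restarted

# Locate the RCS service by its executable instead of guessing its service name.
$svc = @(Get-CimInstance Win32_Service | Where-Object { $_.PathName -like '*RCSService.exe*' })
if ($svc.Count -ne 1) { throw "Expected one service running RCSService.exe, found $($svc.Count)." }

# Only replace DLLs that already exist in the service folder under the same name.
$pairs = foreach ($new in Get-ChildItem -LiteralPath $NewDllDir -Filter '*.dll') {
    $old = Join-Path $ServiceDir $new.Name
    if (-not (Test-Path -LiteralPath $old)) { throw "$($new.Name) is not present in $ServiceDir." }
    [pscustomobject]@{ New = $new.FullName; Old = $old }
}
if (-not $pairs) { throw "No DLL files found in $NewDllDir." }

Stop-Service -Name $svc[0].Name -Force
(Get-Service -Name $svc[0].Name).WaitForStatus('Stopped', [TimeSpan]::FromMinutes(1))

# Hypothetical backup folder name; keeps the old files for rollback.
$backup = Join-Path $ServiceDir ('openssl-backup-{0:yyyyMMdd-HHmmss}' -f (Get-Date))
New-Item -ItemType Directory -Path $backup | Out-Null
foreach ($p in $pairs) {
    Copy-Item -LiteralPath $p.Old -Destination $backup
    Copy-Item -LiteralPath $p.New -Destination $p.Old -Force
    # The installed file must be byte-identical to the vetted replacement.
    $installed = (Get-FileHash -LiteralPath $p.Old -Algorithm SHA256).Hash
    $expected  = (Get-FileHash -LiteralPath $p.New -Algorithm SHA256).Hash
    if ($installed -ne $expected) { throw "Hash mismatch after copying $($p.Old)." }
}

Start-Service -Name $svc[0].Name

# Report what is now installed so the version can be confirmed by the operator.
foreach ($p in $pairs) {
    $f = Get-Item -LiteralPath $p.Old
    [pscustomobject]@{
        File        = $f.Name
        FileVersion = $f.VersionInfo.FileVersion
        SHA256      = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
    }
}
```

The replacement only closes the exposure going forward; the certificate replacement and password renewals in Step C still apply to anything the service handled while the older DLLs were loaded.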