Yesterday, LogMeIn announced that LogMeIn Pro used OpenSSL and released new versions for Windows and Mac that fix the vulnerability. We have been working with LogMeIn to ensure we have all required information to advise you on needed actions. Most of the resources Continuum monitors are already updated with the fixed version of LogMeIn Pro; however, approximately 10% of servers and 30% of desktops are not.
In order to ensure your clients are no longer vulnerable, there are two critical actions to take immediately:
1. Verify machines have the updated version of LogMeIn Pro:
a. Windows: 184.108.40.20644 or above
b. Mac: 220.127.116.1145 or above
2. Once this verification is complete, change all passwords that can be used to access those machines or applications running on those machines (more detail below).
You will find detailed instructions for verifying the version of LogMeIn Pro and many of the steps below here. If you find sites or resources running an earlier version of LogMeIn Pro, we recommend these actions:
3. Check that your security restrictions do not block access to logmeincdn.http.internapcdn.net. If this URL is not accessible from an endpoint, LogMeIn will not be able to auto-update itself on that endpoint.
4. Be sure all machines are turned on and have network access.
5. Confirm that auto-update is enabled on each machine.
6. Use the Check Updates button in the LogMeIn Control Panel to force an immediate update.
7. If this fails, you can run an executable to update to the latest version.
8. Please contact the NOC Product Support Team via chat for assistance if needed.
For maximum security, we recommend that you work with your clients to change every password in their environment. We also recommend that you change any password stored in the ITSupport Portal including passwords stored in the Password Vault, Application Vault, NIF and Free Flow. As communicated Thursday, the ITSupport Portal was not vulnerable to Heartbleed; however, because any password stored in the Portal could have been exposed during remote access (which uses LogMeIn), all passwords should be changed immediately.
We hope you find this information useful as we all work to respond to Heartbleed. Continuum is continuing to work on ways to help partners keep their environments secure. Please watch our communications and blog for more advice and notifications.
For more information about Heartbleed as it relates to Continuum's portals, please view our blog post from Thursday.