Secplicity - Security Simplified

Powered by WatchGuard Technologies

The Heartbleed OpenSSL Vulnerability; Patch OpenSSL ASAP

April 8, 2014 By Corey Nachreiner

On Monday, the OpenSSL team released a critical update for their popular SSL/TLS package, which fixes a serious cryptographic weakness in their product. If you use OpenSSL, you should read up on this issue and update OpenSSL immediately. WatchGuard products, like many others that use OpenSSL, are affected by this issue. We are currently working on updates to fix the flaw.

OpenSSL is a very popular implementation of the SSL/TLS cryptography protocols, used to encrypt many network communications, including secure web communications. This week, a Google security researcher disclosed a serious vulnerability (CVE-2014-0160) that affects OpenSSL 1.0.1 – 1.0.1f (and 1.0.2-beta), which is colloquially being called “The Heartbleed Bug.” The issue does not affect OpenSSL 0.9.8 and below.

The flaw has to do with the TLS heartbeat extension. Without going into all the technical details, a remote attacker could exploit this flaw to repeatedly reveal 64K of memory contents from an SSL/TLS-connected client or server. 64K of memory might seem small, but an attacker could repeatedly exploit this flaw to gather enough contents from memory to compromise SSL key material, certificates, usernames, passwords, and potentially gain access to your entire decrypted communications. For complete details on the flaw, including an FAQ answering the most common questions, I recommend you check out the Heartbleed web page.
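The record-length check that closes this hole, shown as an added illustration (not code from this post or from OpenSSL): it models the RFC 6520 heartbeat message layout and discards a request whose declared payload length does not fit inside the record actually received, which is the condition the vulnerable releases failed to test. The function names are my own.

```python
import struct
from typing import Optional

# RFC 6520 heartbeat message: type (1 byte) | payload_length (2 bytes) | payload | padding.
# The padding must be at least 16 bytes, which is why the check below adds 16.
HEARTBEAT_REQUEST = 1
MIN_PADDING = 16


def parse_heartbeat(record: bytes) -> Optional[bytes]:
    """Return the payload a peer may echo back, or None if the record must be discarded.

    Vulnerable OpenSSL releases trusted payload_length and copied that many bytes
    out of the receive buffer, so a short request carrying a large length field
    was answered with up to 64K of whatever followed it in process memory.
    The length check below is the kind of test the fixed release adds.
    """
    if len(record) < 1 + 2:
        return None  # not even a complete header
    hb_type, payload_length = struct.unpack("!BH", record[:3])
    if hb_type != HEARTBEAT_REQUEST:
        return None
    # Header + declared payload + minimum padding must fit inside what was received.
    if 1 + 2 + payload_length + MIN_PADDING > len(record):
        return None  # RFC 6520 section 4: silently discard a malformed heartbeat
    return record[3:3 + payload_length]


def build_heartbeat(payload: bytes) -> bytes:
    """Encode a well-formed heartbeat request with the minimum padding (test helper)."""
    return struct.pack("!BH", HEARTBEAT_REQUEST, len(payload)) + payload + b"\x00" * MIN_PADDING
```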

This is a very serious vulnerability in a package that many products rely on to secure web communications. If you use the 1.0.1 branch of OpenSSL yourself, you need to update to 1.0.1g. Furthermore, this flaw will likely affect many other products you might use. Be sure to look out for alerts from your vendors on this issue.
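A script that checks an installed OpenSSL against the version ranges named above, added here as an example and not code from this post or from WatchGuard: it classifies the output of `openssl version` and flags the caveat that distribution packages sometimes backport the fix while keeping an older version string. Function names are my own.

```python
import re
import subprocess

# Version string as printed by `openssl version`, e.g. "OpenSSL 1.0.1e 11 Feb 2013".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(-beta\d*)?")


def heartbleed_status(version_output: str) -> str:
    """Classify an `openssl version` string against the advisory's ranges.

    Returns 'vulnerable' (1.0.1 through 1.0.1f, or a 1.0.2 beta), 'fixed'
    (1.0.1g or a later 1.0.1 letter), 'not affected' (0.9.8 and 1.0.0
    branches, which never shipped the heartbeat code), 'outside advisory
    range' for anything else, or 'unknown' if the string does not parse.
    Caveat: some distributions backport the fix while keeping the old
    version string, so 'vulnerable' means "verify the package changelog",
    not a confirmed hole.
    """
    m = _VERSION_RE.search(version_output)
    if not m:
        return "unknown"
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    letter, beta = m.group(4), m.group(5)
    branch = (major, minor, patch)
    if branch < (1, 0, 1):
        return "not affected"
    if branch == (1, 0, 1):
        # OpenSSL letters sort a..z then za, zb, ...; compare by (length, text).
        return "fixed" if (len(letter), letter) >= (1, "g") else "vulnerable"
    if branch == (1, 0, 2) and beta:
        return "vulnerable"
    return "outside advisory range"


def local_openssl_status() -> str:
    """Run `openssl version` on this host and classify the result."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True,
                             text=True, check=False).stdout
    except OSError:  # openssl binary not on PATH
        return "unknown"
    return heartbleed_status(out)
```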

Finally, WatchGuard XTM and XCS appliances are affected by this vulnerability (to varying degrees). Our engineering team is currently working on a fix for the issue. We should be releasing an XTM 11.8.3 CSP update shortly, which will fix the issue for XTM appliances. By the way, the flaw only affects 11.8.x versions of XTM. If you are using XTM 11.7.x or below, it uses an older version of OpenSSL which is not affected by this issue. Also, the XCS appliances are only affected if you use SecureMail. Finally, WatchGuard’s SSL VPN appliances are NOT affected by the issue since they use older versions of OpenSSL.

Please keep an eye on this blog for more details as we will post the update as soon as it’s available and tested. — Corey Nachreiner, CISSP (@SecAdept)


Filed Under: Security Bytes, WatchGuard Articles Tagged With: cryptography, exploit, OpenSSL, Software vulnerabilities, The Heartbleed bug

Comments

  1. Ryan says

    April 8, 2014 at 4:17 pm

    Make sure before you run off and wildly start updating/patching/revoking things that you manually check which version of openssl your box is using. I almost started going through the whole process and realized that the version I’m using (the 0.9.8 branch) is not vulnerable. Do your homework!

    Reply
  2. Roger B.A. Klorese says

    April 8, 2014 at 4:18 pm

    A few more details.

    1) For Fireware XTM: the releases that are affected are the 11.8.x versions. If you’re running an earlier version, you are not vulnerable to this. If you are running an 11.8.x version, you should update to 11.8.3 Update 1 as soon as it is posted.

    2) For XCS: the vulnerability applies only to users of SecureMail email encryption; other functions of the software use an earlier OpenSSL version, even on the latest release.

    — Roger Klorese
    Director, Product Management

    Reply
    • Roger B.A. Klorese says

      April 8, 2014 at 4:39 pm

      Also, the WatchGuard SSL dedicated appliances (SSL 100 and SSL 560) are not vulnerable.

      Reply
    • Roger B.A. Klorese says

      April 9, 2014 at 1:14 pm

      Also, WatchGuard Dimension is not affected.

      Reply
  3. Grant Emsley (@grantemsleypub) says

    April 9, 2014 at 9:20 am

    Any ETA available on the update?

    Reply
    • Roger B.A. Klorese says

      April 9, 2014 at 9:38 am

      We are testing it in production and in QA now. We are hoping to post it today — if not, tomorrow.

      Reply
  4. Grant Emsley (@grantemsleypub) says

    April 9, 2014 at 10:05 am

    And I assume anyone without a valid livesecurity subscription is out of luck? One of mine expired last week.

    Reply
    • Roger B.A. Klorese says

      April 9, 2014 at 10:20 am

      You need to check with Support.

      Reply
  5. Dave Teetz says

    April 9, 2014 at 11:38 am

    Should SecureMail be disabled until the patch is provided?

    Reply
    • Roger B.A. Klorese says

      April 9, 2014 at 1:02 pm

      The vulnerable OpenSSL library is used within XCS only for communications between the XCS appliance and our SecureMail encryption provider, Voltage. XCS acts as a client for those connections, not a listening server. Therefore, the flaw could only be exploited by Voltage themselves, and no one else; as such, we believe there is no actual risk. We are building a hotfix that we hope to release by the end of the week that will include a fix, but it is only for peace of mind (and the handful of other non-security bugs addressed in the hot fix); no need to make any changes immediately or disable SecureMail.

      Reply
      • Dave Teetz says

        April 9, 2014 at 1:19 pm

        Thank you.

        Reply
  6. Alia says

    April 9, 2014 at 12:36 pm

    Please let me know how soon will the patch be available?

    Reply
  7. Grant Emsley (@grantemsleypub) says

    April 9, 2014 at 1:02 pm

    Or at least a post on what services this affects and how to mitigate the risk in the mean time?

    Reply
  8. Ken Bauer says

    April 9, 2014 at 1:55 pm

    Should I be watching the comments for when this is released, or is there a better place?

    Reply
    • Roger B.A. Klorese says

      April 9, 2014 at 3:25 pm

      Fireware XTM 11.8.3 Update 1 is posted live now. There will be a more detailed post to this blog shortly.

      Here’s the summary notice:

      On 9 April 2014, WatchGuard released Fireware XTM v11.8.3 Update 1 in response to the reported “Heartbleed” vulnerability (CVE-2014-0160) in OpenSSL, which is widely used in web servers and network devices around the world. This update includes a critical patch to OpenSSL to address this vulnerability and we recommend that you update immediately if you use Fireware XTM v11.8.x. This does not affect anyone using Fireware XTM v11.7.4 or earlier. WatchGuard is not aware of any breaches involving the vulnerability, but because of its critical nature and the length of time it has been available to exploit, we recommend that you take measures to change passwords and renew certificates used in the XTM appliance. If you are using certificates issued by a Certificate Authority (CA), note that some CAs are reissuing certs at reduced or no cost.

      Reply
      • Alia says

        April 10, 2014 at 6:52 am

        Can you please tell me if you guys are working on the update for XCS secure email, and when will that be available for download? Thanks.

        Reply
      • Roger B.A. Klorese says

        April 10, 2014 at 7:40 am

        There is no exploitable vulnerability in XCS, even in SecureMail — the vulnerable OpenSSL library is used only for private connection between the appliance and the encryption server. All inbound connections use a version that is not vulnerable. There is no reason to wait for a fix.

        There will be an XCS hot fix posted later this week or early next week that does update the SSL library used for SecureMail — but the main purpose of the hot fix is to address other issues, and this one is conveniently going along for the ride.

        Reply
      • Steven says

        April 10, 2014 at 9:27 pm

        Hello. Is it possible to use information exchanged between Voltage and the Watchguard appliance to expose emails secured by the appliance?

        Reply
  9. Tommy says

    April 10, 2014 at 2:34 am

    Scheduled updating from 11.8.3 to 11.8.3_u1 with central management fails for XTMv, XTM5xx, XTM2x devices, not so funny if you manage all your customers with this tool. Manual upgrade is working.

    Reply
  10. shaun atkinson says

    April 10, 2014 at 3:46 am

    Where is the update for XTMv on ESX? It’s not listed on the WG website.
    ETA?

    Reply
    • Roger B.A. Klorese says

      April 10, 2014 at 7:43 am

      Sorry, we missed it when we posted. It’s up now.

      Reply
  11. Steve J says

    April 11, 2014 at 6:17 am

    Is this only a high concern if you are doing SSL VPN (not branch office vpn)?

    Reply
  12. Steve J says

    April 11, 2014 at 6:39 am

    Okay I read more and it looks like this should be applied to all XTM 11.8 devices for the following reasons “For Fireware XTM, SSL is used for management connections to the Web UI, for user authentication on TCP port 4100, for Mobile VPN with SSL, and for HTTPS deep packet inspection. Since SSL encryption has been compromised, best practice recommendations are to update certificates and passwords used in your network security equipment and web servers. WatchGuard is not aware of any breaches involving WatchGuard devices and this vulnerability, but, because of its critical nature and the length of time it has been available to exploit, users should remain cautious and renew certificates, change passwords, and make new backup images. Instructions for these tasks are included below.”

    Reply
  13. Juan Sanchez says

    April 11, 2014 at 8:00 am

    Hello.
    Just to be clear, only the OS on the XTM appliance needs to be updated. Correct?

    Reply
  14. Cesar Alvarez says

    April 11, 2014 at 8:40 am

    After the upgrade to your XTM, do the following to renew your self-certs.

    http://customers.watchguard.com/articles/Article/Is-my-Firebox-or-XTM-device-affected-by-the-Heartbleed-vulnerability-CVE-2014-0160/?l=en_US&fs=Search&pn=1

    Reply
    • MP says

      April 16, 2014 at 8:32 am

      Thank you for the link Cesar! I found a WatchGuard certificate labeled “O=WatchGuard, OU=Engineering” lower down in the list when you check “Show trusted CAs for proxies”. It is also an older certificate, so does it need to be deleted as well? If so, will it be regenerated on reboot? Thank you.

      Reply
      • Roger B.A. Klorese says

        April 17, 2014 at 3:09 pm

        Yes.

        Reply
    • MP says

      May 13, 2014 at 7:57 am

      Deleting the self-signed certificates, does it include those with an organization of “WatchGuard_Technologies” as well? Like the Web Server and CA Cert certificates? Thank you.

      Reply
  16. Alia says

    June 5, 2014 at 12:14 pm

    Is there anything with XCS’s and Voltage secure email that we have to worry about?
    http://www.zdnet.com/openssl-fixes-another-severe-vulnerability-7000030253/

    Reply
    • Corey Nachreiner says

      June 5, 2014 at 12:31 pm

      We’ll post an alert soon. XCS is not affected. WSM and Dimension are technically affected by some of the vulns, but not in a way that would be exploited realistically in the real world. However, XTM Fireware itself is affected by some of these new flaws. We are working on patching now.

      Cheers, Corey


      Reply
Copyright © 2023 WatchGuard Technologies · Cookie Policy · Privacy Policy · Terms of Use