On Monday, the OpenSSL team released a critical update for their popular SSL/TLS package, which fixes a serious cryptographic weakness in their product. If you use OpenSSL, you should read up on this issue and update OpenSSL immediately. WatchGuard products, like many others that use OpenSSL, are affected by this issue. We are currently working on updates to fix the flaw.
OpenSSL is a very popular implementation of the SSL/TLS cryptography protocols, used to encrypt many network communications, including secure web communications. This week, a Google security researcher disclosed a serious vulnerability (CVE-2014-0160) that affects OpenSSL 1.0.1 – 1.0.1f (and 1.0.2-beta), which is colloquially being called “The Heartbleed Bug.” The issue does not affect OpenSSL 0.9.8 and below.
The flaw has to do with the TLS heartbeat extension. Without going into all the technical details, a remote attacker could exploit this flaw to repeatedly reveal 64K of memory contents from a SSL/TLS connected client or server. 64K of memory might seem small, but an attacker could repeatedly exploit this flaw to gather enough contents from memory to compromise SSL key material, certificates, usernames, passwords, and potentially gain access to your entire decrypted communications. For complete details on the flaw, including a FAQ answering the most common question, I recommend you check out the Heartbleed web page.
This is a very serious vulnerability to a package than many products rely on to secure web communications. If you use the 1.0.1 branch of OpenSSL yourself, you need to update to 1.0.1g. Furthermore, this flaw will likely affect many other products you might use. Be sure to look out for alerts from your vendors on this issue.
Finally, WatchGuard XTM and XCS appliances are affected by this vulnerability (to varying degrees). Our engineering team is currently working on a fix for the issue. We should be releasing an XTM 11.8.3 CSP update shortly, which will fix the issue for XTM appliances. By the way, the flaw only affect 11.8.x versions of XTM. If you are using XTM 11.7.x or below, it uses an older version of OpenSSL which is not affected by this issue. Also, the XCS appliances are only affected if you use SecureMail. Finally, WatchGuard’s SSL VPN appliances are NOT affected by the issue since they use older versions of OpenSSL.