On Monday, the OpenSSL team released a critical update for their popular SSL/TLS package, which fixes a serious cryptographic weakness in their product. If you use OpenSSL, you should read up on this issue and update OpenSSL immediately. WatchGuard products, like many others that use OpenSSL, are affected by this issue. We are currently working on updates to fix the flaw.
OpenSSL is a very popular implementation of the SSL/TLS cryptography protocols, used to encrypt many network communications, including secure web communications. This week, a Google security researcher disclosed a serious vulnerability (CVE-2014-0160) that affects OpenSSL 1.0.1 – 1.0.1f (and 1.0.2-beta), which is colloquially being called “The Heartbleed Bug.” The issue does not affect OpenSSL 0.9.8 and below.
The flaw has to do with the TLS heartbeat extension. Without going into all the technical details, a remote attacker could exploit this flaw to repeatedly reveal 64K of memory contents from an SSL/TLS connected client or server. 64K of memory might seem small, but an attacker could repeatedly exploit this flaw to gather enough contents from memory to compromise SSL key material, certificates, usernames, passwords, and potentially gain access to your entire decrypted communications. For complete details on the flaw, including a FAQ answering the most common questions, I recommend you check out the Heartbleed web page.
This is a very serious vulnerability in a package that many products rely on to secure web communications. If you use the 1.0.1 branch of OpenSSL yourself, you need to update to 1.0.1g. Furthermore, this flaw will likely affect many other products you might use. Be sure to look out for alerts from your vendors on this issue.
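Before patching, the first thing to establish is which OpenSSL release a host actually runs. The following Python example is added here and is not code from the post or from WatchGuard; it parses an `openssl version` banner and classifies it against the affected range stated above (1.0.1 through 1.0.1f, plus 1.0.2-beta). The optional local check assumes an `openssl` binary on the PATH.

```python
import re
import subprocess

# Affected range per the advisory: OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta.
# 1.0.1g is the fixed release; 0.9.8 and 1.0.0 are not affected.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(-beta\d*)?")


def parse_openssl_version(banner):
    """Parse the output of `openssl version`, e.g. 'OpenSSL 1.0.1e-fips 11 Feb 2013'.

    Returns (major, minor, fix, letter, is_beta), or None if the banner is not recognised.
    """
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, fix = (int(x) for x in m.group(1, 2, 3))
    letter = m.group(4) or ""          # patch letter: '' for 1.0.1, 'e' for 1.0.1e, ...
    is_beta = m.group(5) is not None   # '-beta1' style suffix on 1.0.2 pre-releases
    return major, minor, fix, letter, is_beta


def is_heartbleed_vulnerable(banner):
    """Return True if the banner falls in the CVE-2014-0160 affected range."""
    parsed = parse_openssl_version(banner)
    if parsed is None:
        raise ValueError("unrecognised OpenSSL version banner: %r" % banner)
    major, minor, fix, letter, is_beta = parsed
    if (major, minor, fix) == (1, 0, 1):
        # 1.0.1 (no letter) through 1.0.1f are affected; 1.0.1g and later are fixed.
        return letter == "" or letter <= "f"
    if (major, minor, fix) == (1, 0, 2):
        # Only the 1.0.2 beta builds carried the flaw.
        return is_beta
    return False


def local_openssl_banner():
    """Run the system `openssl version` (assumed to be on PATH); None if unavailable."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    return out.stdout.strip() or None


if __name__ == "__main__":
    banner = local_openssl_banner()
    if banner is None:
        print("openssl binary not found on PATH")
    else:
        print(banner, "->", "AFFECTED" if is_heartbleed_vulnerable(banner) else "not in affected range")
```

One caveat: Linux distributions that backported the fix kept the old version string (for example a patched 1.0.1e package), so a banner in the affected range is a prompt to check the package changelog, not proof of exposure.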
Finally, WatchGuard XTM and XCS appliances are affected by this vulnerability (to varying degrees). Our engineering team is currently working on a fix for the issue. We should be releasing an XTM 11.8.3 CSP update shortly, which will fix the issue for XTM appliances. By the way, the flaw only affects 11.8.x versions of XTM. If you are using XTM 11.7.x or below, it uses an older version of OpenSSL which is not affected by this issue. Also, the XCS appliances are only affected if you use SecureMail. And WatchGuard’s SSL VPN appliances are NOT affected by the issue since they use older versions of OpenSSL.
Please keep an eye on this blog for more details as we will post the update as soon as it’s available and tested. — Corey Nachreiner, CISSP (@SecAdept)
Ryan says
Make sure before you run off and wildly start updating/patching/revoking things that you manually check which version of openssl your box is using. I almost started going through the whole process and realized that the version I’m using (the 0.9.8 branch) is not vulnerable. Do your homework!
Roger B.A. Klorese says
A few more details.
1) For Fireware XTM: the releases that are affected are the 11.8.x versions. If you’re running an earlier version, you are not vulnerable to this. If you are running an 11.8.x version, you should update to 11.8.3 Update 1 as soon as it is posted.
2) For XCS: the vulnerability applies only to users of SecureMail email encryption; other functions of the software use an earlier OpenSSL version, even on the latest release.
— Roger Klorese
Director, Product Management
Roger B.A. Klorese says
Also, the WatchGuard SSL dedicated appliances (SSL 100 and SSL 560) are not vulnerable.
Roger B.A. Klorese says
Also, WatchGuard Dimension is not affected.
Grant Emsley (@grantemsleypub) says
Any ETA available on the update?
Roger B.A. Klorese says
We are testing it in production and in QA now. We are hoping to post it today — if not, tomorrow.
Grant Emsley (@grantemsleypub) says
And I assume anyone without a valid livesecurity subscription is out of luck? One of mine expired last week.
Roger B.A. Klorese says
You need to check with Support.
Dave Teetz says
Should SecureMail be disabled until the patch is provided?
Roger B.A. Klorese says
The vulnerable OpenSSL library is used within XCS only for communications between the XCS appliance and our SecureMail encryption provider, Voltage. XCS acts as a client for those connections, not a listening server. Therefore, the flaw could only be exploited by Voltage themselves, and no one else; as such, we believe there is no actual risk. We are building a hotfix that we hope to release by the end of the week that will include a fix, but it is only for peace of mind (and the handful of other non-security bugs addressed in the hot fix); no need to make any changes immediately or disable SecureMail.
Dave Teetz says
Thank you.
Alia says
Please let me know how soon will the patch be available?
Grant Emsley (@grantemsleypub) says
Or at least a post on what services this affects and how to mitigate the risk in the mean time?
Ken Bauer says
Should I be watching the comments for when this is released, or is there a better place?
Roger B.A. Klorese says
Fireware XTM 11.8.3 Update 1 is posted live now. There will be a more detailed post to this blog shortly.
Here’s the summary notice:
On 9 April 2014, WatchGuard released Fireware XTM v11.8.3 Update 1 in response to the reported “Heartbleed” vulnerability (CVE-2014-0160) in OpenSSL, which is widely used in web servers and network devices around the world. This update includes a critical patch to OpenSSL to address this vulnerability and we recommend that you update immediately if you use Fireware XTM v11.8.x. This does not affect anyone using Fireware XTM v11.7.4 or earlier. WatchGuard is not aware of any breaches involving the vulnerability, but because of its critical nature and the length of time it has been available to exploit, we recommend that you take measures to change passwords and renew certificates used in the XTM appliance. If you are using certificates issued by a Certificate Authority (CA), note that some CAs are reissuing certs at reduced or no cost.
Alia says
Can you please tell me if you guys are working on the update for XCS secure email? And when will that be available for download? Thanks.
Roger B.A. Klorese says
There is no exploitable vulnerability in XCS, even in SecureMail — the vulnerable OpenSSL library is used only for private connection between the appliance and the encryption server. All inbound connections use a version that is not vulnerable. There is no reason to wait for a fix.
There will be an XCS hot fix posted later this week or early next week that does update the SSL library used for SecureMail — but the main purpose of the hot fix is to address other issues, and this one is conveniently going along for the ride.
Steven says
Hello. Is it possible to use information exchanged between Voltage and the WatchGuard appliance to expose emails secured by the appliance?
Tommy says
Scheduled updating from 11.8.3 to 11.8.3_u1 with central management fails for XTMv, XTM 5xx, and XTM 2x devices; not so funny if you manage all your customers with this tool. Manual upgrade is working.
shaun atkinson says
Where is the update for XTMv on ESX? It’s not listed on the WG website.
ETA?
Roger B.A. Klorese says
Sorry, we missed it when we posted. It’s up now.
Steve J says
Is this only a high concern if you are doing SSL VPN (not branch office vpn)?
Steve J says
Okay I read more and it looks like this should be applied to all XTM 11.8 devices for the following reasons “For Fireware XTM, SSL is used for management connections to the Web UI, for user authentication on TCP port 4100, for Mobile VPN with SSL, and for HTTPS deep packet inspection. Since SSL encryption has been compromised, best practice recommendations are to update certificates and passwords used in your network security equipment and web servers. WatchGuard is not aware of any breaches involving WatchGuard devices and this vulnerability, but, because of its critical nature and the length of time it has been available to exploit, users should remain cautious and renew certificates, change passwords, and make new backup images. Instructions for these tasks are included below.”
Juan Sanchez says
Hello.
Just to be clear, only the OS on the XTM appliance needs to be updated. Correct?
Cesar Alvarez says
After the upgrade to your XTM, do the following to renew your self-signed certs:
http://customers.watchguard.com/articles/Article/Is-my-Firebox-or-XTM-device-affected-by-the-Heartbleed-vulnerability-CVE-2014-0160/?l=en_US&fs=Search&pn=1
MP says
Thank you for the link Cesar! I found a WatchGuard certificate labeled “O=WatchGuard, OU=Engineering” lower down in the list when you check “Show trusted CAs for proxies”. It is also an older certificate, so does it need to be deleted as well? If so, will it be regenerated on reboot? Thank you.
Roger B.A. Klorese says
Yes.
MP says
Deleting the self-signed certificates, does it include those with an organization of “WatchGuard_Technologies” as well? Like the Web Server and CA Cert certificates? Thank you.
Alia says
Is there anything with XCS’s and Voltage secure email that we have to worry about?
http://www.zdnet.com/openssl-fixes-another-severe-vulnerability-7000030253/
Corey Nachreiner says
We’ll post an alert soon. XCS is not affected. WSM and Dimension are technically affected by some of the vulns, but not in a way that would be exploited realistically in the real world. However, XTM Fireware itself is affected by some of these new flaws. We are working on patching now.
Cheers, Corey