New Release: Fireware XTM 11.8.3 Update 1
Yesterday we posted an update about the Heartbleed vulnerability (CVE-2014-0160) in OpenSSL. We are pleased to announce that 11.8.3 Update 1 is now available at the software download site with a critical patch to address this issue in WatchGuard appliances. We recommend you update immediately if you use Fireware XTM v11.8.x. This flaw does not affect appliances running Fireware XTM v11.7.4 or earlier.
WatchGuard is not aware of any breaches involving this vulnerability, but because of its critical nature and the length of time it has been available to exploit, we recommend that you take measures to change passwords and renew certificates used in your XTM device after you upgrade. We have published a knowledge base article with details on how to do this.
The WatchGuard IPS service now includes four signatures in the version 4.404 set that protect against exploits of the heartbleed vulnerability.
Does This Release Pertain to Me?
This release applies to all XTM appliances, except XTM 21/21-W, 22/22-W, or 23/23-W appliances, but only those running 11.8.x versions of the firmware. Please read the Release Notes before you upgrade, to understand what’s involved.
What about other WatchGuard products?
WatchGuard SSL VPN, Dimension and the WSM Management software are not affected. Yesterday we reported that there is an impact on the SecureMail functionality in XCS. On further analysis, we’ve determined that this is even less than thought. The vulnerable OpenSSL library is used within XCS only for communications between the XCS appliance and our SecureMail encryption provider, Voltage. XCS acts as a client for those connections, not a listening server. Therefore, the flaw could only be exploited by Voltage themselves, and no one else; as such, we believe there is no actual risk. Nevertheless, we are building a hotfix that we hope to release by the end of the week.
How Do I Get the Fireware XTM Release?
XTM appliances owners who have a current LiveSecurity Service subscription can obtain this update without additional charge by downloading the applicable packages from the Articles & Software section of WatchGuard’s Support Center. To make it easier to find the relevant software, be sure to uncheck the “Article”, and “Known Issue” search options, and press the Go button.
If you need support, please enter a support incident online or call our support staff directly. (When you contact Technical Support, please have your registered Product Serial Number, LiveSecurity Key, or Partner ID available.)
Alan Mercer says
Brendan: What about Edge E-series which are not EOL as of yet and still commonly used?
brendanpatt says
Alan,
Only devices that run version 11.8 firmware are affected. Edge E-series cannot run 11.8 so they are not affected.
– Brendan
Eric Vollbrecht says
Are any other steps besides applying the updated needed? Shouldn’t any certificates created with the previous 11.8.x firmware be revoked and reissued? Should the device password be changed since the authentication webpage of the firewall was probably one of the components using OpenSSL?
Corey Nachreiner says
This should help:
http://customers.watchguard.com/articles/Article/Is-my-Firebox-or-XTM-device-affected-by-the-Heartbleed-vulnerability-CVE-2014-0160/?l=en_US&fs=Search&pn=1
Roger B.A. Klorese says
We will have a Knowledge Base article with detailed instructions up shortly. (Short answer: yes and yes.)
Gonzalo Parra says
Hi, I downloaded and installed the 11.8.3 U1 on our XTM boxes, but seems like the version number is not updated or at least does not show any indiacation that it is the U1 version in WSM. Using FSM I noticed the build version is 446065 but I don’t know what it was before, is this the correct build number for U1 or did I do something wrong?
brendanpatt says
Yes. That is the correct build number. We do not show Update 1 in the UI. Given the need to make an update available very quickly for this issue, we did not increment the minor revision number.
Jace says
So you’re going to charge me to make sure people can’t hack the firewall I bought from you?
Rouven says
I was wondering if we also need to update the sslvpn client? The latest openvpn client 2.3.3 contains OpenSSL 1.0.1g, but Watchguard is still using OpenVPN 2.1_rc9.
Rouven says
Ah, found out OpenVPN 2.1 rc9 is using OpenSSL 0.9.8h and should not be affective, but nevertheless I would appreciate if watchguard updates the client, because there were a lot of issues, bug and security flaws for those older versions.
brendanpatt says
Yes. The SSL VPN client is not affected by Heartbleed. We will look at upgrading the version used in the client in a future release.
obtaining a free credit report says
You will need to send a dispute letter to the credit bureaus and they
will investigate with your creditors. Only one website has your free
annual credit report and that is Annual – Credit
– Report. There are many types of direct lenders you
can choose from such as: banks, savings associations,
mortgage companies and credit unions.
Buy Twitter Followers instant delivery says
Today, I went to the beachfront with my children. I found
a sea shell and gave it to my 4 year old daughter and said “You can hear the ocean if you put this to your ear.” She put the shell to her ear and screamed.
There was a hermit crab inside and it pinched her ear.
She never wants to go back! LoL I know this is totally
off topic but I had to tell someone!