New Release: Fireware XTM 11.8.3 Update 1
Yesterday we posted an update about the Heartbleed vulnerability (CVE-2014-0160) in OpenSSL. We are pleased to announce that 11.8.3 Update 1 is now available at the software download site with a critical patch to address this issue in WatchGuard appliances. We recommend you update immediately if you use Fireware XTM v11.8.x. This flaw does not affect appliances running Fireware XTM v11.7.4 or earlier.
WatchGuard is not aware of any breaches involving this vulnerability, but because of its critical nature and the length of time it has been available to exploit, we recommend that you take measures to change passwords and renew certificates used in your XTM device after you upgrade. We have published a knowledge base article with details on how to do this.
The WatchGuard IPS service now includes four signatures in the version 4.404 set that protect against exploits of the heartbleed vulnerability.
Does This Release Pertain to Me?
This release applies to all XTM appliances, except XTM 21/21-W, 22/22-W, or 23/23-W appliances, but only those running 11.8.x versions of the firmware. Please read the Release Notes before you upgrade, to understand what’s involved.
What about other WatchGuard products?
WatchGuard SSL VPN, Dimension and the WSM Management software are not affected. Yesterday we reported that there is an impact on the SecureMail functionality in XCS. On further analysis, we’ve determined that this is even less than thought. The vulnerable OpenSSL library is used within XCS only for communications between the XCS appliance and our SecureMail encryption provider, Voltage. XCS acts as a client for those connections, not a listening server. Therefore, the flaw could only be exploited by Voltage themselves, and no one else; as such, we believe there is no actual risk. Nevertheless, we are building a hotfix that we hope to release by the end of the week.
How Do I Get the Fireware XTM Release?
XTM appliances owners who have a current LiveSecurity Service subscription can obtain this update without additional charge by downloading the applicable packages from the Articles & Software section of WatchGuard’s Support Center. To make it easier to find the relevant software, be sure to uncheck the “Article”, and “Known Issue” search options, and press the Go button.
If you need support, please enter a support incident online or call our support staff directly. (When you contact Technical Support, please have your registered Product Serial Number, LiveSecurity Key, or Partner ID available.)