
Secplicity - Security Simplified

Powered by WatchGuard Technologies

OpenSSL Patches Six Vulnerabilities, Including a MitM Flaw

June 5, 2014 By Corey Nachreiner

Today, the OpenSSL team released a critical update for their popular SSL/TLS package, which fixes six security vulnerabilities in their product, including a relatively serious Man-in-the-Middle (MitM) flaw. If you use OpenSSL, you should read up on these issues and update OpenSSL immediately. WatchGuard products, like many others that use OpenSSL, are affected by these issues to different extents. Our engineers are diligently working to release patches for these flaws as soon as possible.

OpenSSL is a very popular implementation of the SSL/TLS cryptography protocols, used to encrypt many network communications, including secure web communications. This week, the OpenSSL team released an update that fixes six vulnerabilities, including some publicly reported ones. Combined, the flaws affect all current versions of OpenSSL to some extent.

The flaws differ technically, and in scope and impact. For instance, one is a buffer overflow flaw that could allow attackers to execute code, assuming you use a particular OpenSSL feature (DTLS), while another allows attackers to crash OpenSSL, resulting in a Denial of Service (DoS) situation. However, the flaw receiving the most attention is a MitM vulnerability involving OpenSSL’s ChangeCipherSpec functionality. In short, if an attacker can get between a client and server, both of which have vulnerable versions of OpenSSL, he can exploit this flaw to decrypt SSL communications.

While this sounds fairly serious, there are a number of mitigating factors that lessen the severity of the MitM flaw. While all versions of the OpenSSL client are vulnerable to this issue, only two server versions are vulnerable. Also, very few client programs or devices use OpenSSL to make client connections. For instance, the popular browsers aren’t vulnerable to this issue. Finally, the attacker needs to intercept traffic between the client and server for this attack to succeed. Based on these factors, Android devices running on wireless networks pose the most risk, since Android is one of the platforms that uses the OpenSSL client, and wireless networks make it easier to intercept others’ traffic.
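To make the ChangeCipherSpec (CCS) problem concrete, here is an added toy model of a TLS handshake state machine (example code written for this post, not OpenSSL's or WatchGuard's code). It assumes a simplified handshake with a single premaster secret and a hash as a stand-in for TLS key derivation; it contrasts a pre-patch state machine that accepts a CCS before the key exchange (and so derives keys from an empty secret that any observer can compute) with the patched behaviour, which aborts the handshake instead.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
import hashlib

class HandshakeError(Exception):
    pass

@dataclass
class Session:
    strict_ccs: bool = True        # False reproduces the pre-patch behaviour
    premaster: bytes = b""         # empty until ClientKeyExchange arrives
    keys_ready: bool = False
    session_key: Optional[bytes] = None

def derive_key(premaster: bytes) -> bytes:
    # Stand-in for the TLS key derivation: one hash over the premaster secret.
    return hashlib.sha256(b"toy-kdf" + premaster).digest()

def process(session: Session, msg: str, payload: bytes = b"") -> None:
    if msg == "ClientKeyExchange":
        session.premaster = payload
        session.keys_ready = True
    elif msg == "ChangeCipherSpec":
        # Patched behaviour: refuse a CCS until the key exchange has supplied
        # keying material, instead of silently switching to weak keys.
        if session.strict_ccs and not session.keys_ready:
            raise HandshakeError("ChangeCipherSpec received before key exchange")
        # Pre-patch behaviour: derive keys from whatever is present, which is
        # an empty premaster secret when the CCS arrives early.
        session.session_key = derive_key(session.premaster)

def run_handshake(msgs: List[Tuple[str, bytes]], strict_ccs: bool = True) -> Session:
    s = Session(strict_ccs=strict_ccs)
    for msg, payload in msgs:
        process(s, msg, payload)
    return s

def key_is_predictable(session: Session) -> bool:
    # True when the session key equals what anyone can compute from an empty
    # premaster secret, i.e. the traffic could be decrypted by an observer.
    return session.session_key == derive_key(b"")

# Constructed message sequences: a normal handshake, and one with a CCS
# record inserted ahead of the ClientKeyExchange (the injection the text describes).
PREMASTER = b"\x03\x03" + b"\x42" * 46
NORMAL = [("ClientHello", b""), ("ServerHello", b""), ("ClientKeyExchange", PREMASTER),
          ("ChangeCipherSpec", b""), ("Finished", b"")]
EARLY_CCS = [("ClientHello", b""), ("ServerHello", b""), ("ChangeCipherSpec", b""),
             ("ClientKeyExchange", PREMASTER), ("Finished", b"")]
```

Running `run_handshake(EARLY_CCS, strict_ccs=False)` yields a session whose key `key_is_predictable` reports as computable by an observer, while the strict state machine raises `HandshakeError` on the same input; this is why patching both endpoints removes the MitM opportunity.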

In the end, these flaws are not as severe as the previous Heartbleed vulnerability (attackers could exploit that from anywhere, without intercepting traffic). Nonetheless, we highly recommend OpenSSL administrators install the patch immediately, and start looking for updates from other vendors who use OpenSSL in their own products.

WatchGuard Products – (Updated on Jun-17)

Finally, WatchGuard appliances are affected by some of these vulnerabilities (to varying degrees). Although they do not have the same level of impact as Heartbleed, a broader range of OpenSSL versions are vulnerable. WatchGuard products impacted are:

  • Fireware XTM version 11.3 to 11.9 and associated WSM management software
  • SSL VPN clients for XTM
  • XCS
  • SSL VPN appliance

The level of risk is relatively low, but WatchGuard will release updated versions for all affected software for devices that are under support. Unlike Heartbleed, certificates do NOT need to be updated. Our IPS signature team has also released signatures to address one of the vulnerabilities (CVE-2014-3466) in signature set 4.422. Estimated release dates and version numbers for patched firmware, including SSL VPN clients, are:

  • XCS Hotfix – June 10th for version 10, June 11th for version 9. Posted!
  • 11.3.8 – June 12th (for e-Series devices) – Posted
  • 11.6.8 – June 13th (for XTM 21/22/23 devices) – Posted
  • 11.7.5 – June 12th – Posted
  • 11.8.4 – June 23rd – Posted
  • 11.9.1 – June 24th – Posted

These dates are subject to change depending on the outcome of the Quality Assurance process. WatchGuard will continue to provide the latest information about these vulnerabilities and the latest status on release dates in this blog post.

— Corey Nachreiner, CISSP (@SecAdept), Brendan Patterson, CISSP


Comments

  1. Ken Bauer says

    June 9, 2014 at 7:02 am

    Do you have any updates on the patch release date?

    • brendanpatt says

      June 10, 2014 at 12:15 am

      The blog post has been updated with expected release dates of the patches over the next week. There are several different firmware versions that will be released with the patch.

      • Tom Ace says

        June 10, 2014 at 7:05 am

        Thanks, we really appreciate the updates.

  2. Roger B.A. Klorese says

    June 10, 2014 at 9:37 am

    The hot fix for XCS 10.0 has been posted to LiveSecurity and to SCGate.

    • Roger B.A. Klorese says

      June 13, 2014 at 8:38 am

      …As has a hotfix for XCS 9.2.

  3. LoneWolf says

    June 24, 2014 at 5:41 pm

    While the post says XTM OS 11.8.4 is available and 11.9.1 is pending, I found the exact opposite logging into WatchGuard support. 11.9.1 is available; but 11.8.4 is nowhere to be found.

  4. LoneWolf says

    June 27, 2014 at 6:36 am

    11.8.4 was released approximately 24 hours later. Thank you.

  5. Diego Beat (@_DiegoBeat) says

    July 7, 2014 at 7:13 am

    Hi, I have a WatchGuard XTM 330, is the update necessary?

    • Corey Nachreiner says

      July 7, 2014 at 9:43 am

      Yes, if you have any XTM appliance, you should update. At this point all the updates are out, including 11.9.1. If you have a 330, 11.9.1 is probably the one you want, but if you are sticking with 11.8.x for any reason, you can also install 11.8.4.

      Cheers,
      Corey


The views and opinions expressed on this website are those of the authors and do not necessarily reflect the policy or position of WatchGuard Technologies.
Copyright © 2023 WatchGuard Technologies · Cookie Policy · Privacy Policy · Terms of Use