Secplicity - Security Simplified

Powered by WatchGuard Technologies

Should WatchGuard Customers FREAK Out About SSL?

March 6, 2015 By Corey Nachreiner

Last Tuesday, my Daily Security Byte video covered a new vulnerability that affected certain implementations of SSL; specifically ones that still use RSA’s export cipher suite (RSA_EXPORT).

Back in the day (1992 – 2000), the United States of America restricted the export of strong encryption to certain countries for political reasons. That meant encryption products, such as OpenSSL, had to ship with weaker “export” cipher suites, which were presumably easier for the US government to crack. With modern increases in processing power and the discovery of new cryptographic flaws, this export cipher suite is especially weak today, and easily cracked.

This week, a French research team disclosed that many SSL implementations still ship with this weak RSA_EXPORT cipher suite. They warned that man-in-the-middle attackers can force vulnerable SSL clients and servers into using this cipher, making it much easier for attackers to crack your encryption and read your decrypted SSL communications. At the original release time, the researchers stated this issue primarily affected Apple iOS and OS X, Google Android, and products that used older versions of OpenSSL. However, later in the week Microsoft warned that Windows was also vulnerable to this SSL flaw (I covered that in today’s video).
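The downgrade described above leaves a visible trace in the handshake: the server's ServerHello names an RSA_EXPORT cipher suite, and, when a monitor sits on the client side of the man-in-the-middle, that suite never appeared in the client's own ClientHello. The following Python is an added example written for this post, not code from the researchers or from WatchGuard: it parses the cipher-suite fields of a ClientHello and ServerHello and reports the FREAK indicators a passive monitor would flag. The sample handshake bytes are constructed inline (zeroed random, empty session ID), and the three suite identifiers are the RSA export suites from the TLS cipher-suite registry.

```python
import struct

# Cipher suite identifiers from the TLS registry for the RSA export suites
# that FREAK abuses: 40-bit symmetric keys wrapped by a 512-bit RSA key.
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

HANDSHAKE = 0x16      # TLS record content type
CLIENT_HELLO = 1      # handshake message types
SERVER_HELLO = 2


def parse_handshake(record):
    """Split one TLS handshake record into (message type, message body)."""
    ctype, _version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != HANDSHAKE:
        raise ValueError("not a handshake record")
    msg = record[5:5 + rec_len]
    body_len = int.from_bytes(msg[1:4], "big")
    return msg[0], msg[4:4 + body_len]


def _after_session_id(body):
    """Offset just past version (2), random (32) and session_id (1 + n)."""
    return 2 + 32 + 1 + body[34]


def client_offered_suites(record):
    """List the cipher suites a ClientHello offers, in order."""
    msg_type, body = parse_handshake(record)
    if msg_type != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    pos = _after_session_id(body)
    n = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + n, 2)]


def server_selected_suite(record):
    """Return the single cipher suite a ServerHello selects."""
    msg_type, body = parse_handshake(record)
    if msg_type != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    pos = _after_session_id(body)
    return struct.unpack("!H", body[pos:pos + 2])[0]


def freak_findings(client_hello, server_hello):
    """Flag what a passive monitor would report for one handshake."""
    offered = client_offered_suites(client_hello)
    chosen = server_selected_suite(server_hello)
    findings = []
    weak = [RSA_EXPORT_SUITES[s] for s in offered if s in RSA_EXPORT_SUITES]
    if weak:
        findings.append("client offers RSA_EXPORT: " + ", ".join(weak))
    if chosen in RSA_EXPORT_SUITES:
        findings.append("server selected " + RSA_EXPORT_SUITES[chosen])
        if chosen not in offered:
            findings.append("selected suite was never offered: handshake was tampered with in transit")
    return findings


# Builders for constructed sample messages (zeroed random, empty session id).
def _wrap(msg_type, body):
    msg = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, 0x0301, len(msg)) + msg


def build_client_hello(suites):
    body = b"\x03\x01" + bytes(32) + b"\x00"          # TLS 1.0, random, no session id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                 # one compression method: null
    return _wrap(CLIENT_HELLO, body)


def build_server_hello(suite):
    body = b"\x03\x01" + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    return _wrap(SERVER_HELLO, body)


# Constructed sample: the client offers only AES suites; one server answer
# is honest (AES-128), the other has been downgraded to DES40 in transit.
STRONG = [0x002F, 0x0035]          # TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA
CLIENT_HELLO_BYTES = build_client_hello(STRONG)
DOWNGRADED_SERVER_HELLO = build_server_hello(0x0008)
CLEAN_SERVER_HELLO = build_server_hello(0x002F)

if __name__ == "__main__":
    for finding in freak_findings(CLIENT_HELLO_BYTES, DOWNGRADED_SERVER_HELLO):
        print("ALERT:", finding)
    print("clean handshake findings:", freak_findings(CLIENT_HELLO_BYTES, CLEAN_SERVER_HELLO))
```

Seen from the server side of the attack the picture differs: the ClientHello has already been rewritten to offer the export suite, so the first finding ("client offers RSA_EXPORT") fires instead of the "never offered" one. Either finding on a network where you have retired export ciphers is worth an alert.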

Though this flaw sounds bad, it only poses a medium to low risk. In order to exploit it, an attacker needs to be able to intercept your network traffic. While this might be relatively easy to do on public wireless networks, it’s more difficult to pull off on wired networks. Nonetheless, you still want to fix the flaw as soon as you can. If you use OpenSSL, make sure you’re running the latest versions (which don’t ship with the bad cipher). Apple, Google, and Microsoft all plan on releasing updates soon, but in some cases you can disable the vulnerable cipher suite in your SSL implementation. For instance, Microsoft describes how to use Group Policy to disable this cipher suite in the Workaround section of their advisory.
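For software built on OpenSSL, the two checks the paragraph above asks for (is the library current enough to lack the export suites, and does your cipher configuration exclude them) can be run locally. The Python below is an added example, not WatchGuard's or OpenSSL's own code: it uses the standard `ssl` module, which is linked against the system OpenSSL, to resolve a cipher string and confirm that no export-grade suite is enabled. The cipher strings are assumed values for illustration; substitute the one your application actually passes to OpenSSL.

```python
import ssl


def cipher_names(cipher_string):
    """Return the suite names OpenSSL enables for a cipher string.

    Raises ssl.SSLError when the string matches no cipher at all.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()]


def excludes_export_suites(cipher_string):
    """True if the resolved cipher list contains no export-grade suite.

    OpenSSL names every export suite with an EXP- prefix, so a simple
    substring test is enough.
    """
    return not any("EXP" in name for name in cipher_names(cipher_string))


def library_ships_export_suites():
    """True if the linked OpenSSL still knows any export-grade suite.

    A current OpenSSL rejects the 'EXPORT' selector outright because the
    suites were removed; that rejection is the answer we want.
    """
    try:
        return len(cipher_names("EXPORT")) > 0
    except ssl.SSLError:
        return False


# Assumed cipher strings: a permissive one and a hardened one that
# explicitly refuses anonymous and export suites.
PERMISSIVE = "ALL"
HARDENED = "HIGH:!aNULL:!EXPORT"

if __name__ == "__main__":
    print("OpenSSL version:", ssl.OPENSSL_VERSION)
    print("library still ships export suites:", library_ships_export_suites())
    for label, cs in (("permissive", PERMISSIVE), ("hardened", HARDENED)):
        print(f"{label} ({cs}) excludes export suites:", excludes_export_suites(cs))
```

On a patched system `library_ships_export_suites()` returns False, which is the state the post recommends. If it returns True, the `!EXPORT` exclusion in the hardened string is what keeps a still-vulnerable library from negotiating those suites until it is upgraded.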

What about my WatchGuard products?

You may be wondering if your WatchGuard products are affected. The good news is most of our products are not vulnerable to this issue, with the exception of our SSL VPN appliances. Here’s the rundown:

  • XTM appliances: Not Vulnerable (even E-Series products are not affected)
  • XCS appliances: Not Vulnerable
  • Wireless Access Points: Not Vulnerable
  • WatchGuard Dimension: Not Vulnerable
  • SSL VPN Appliances: Vulnerable

We will release an update for SSL VPN appliances in the future, and I’ll update this post when we do. In the meantime, the only way you expose this flaw is through its administrative user interface (UI). If you don’t expose the admin UI externally, Internet-based attackers cannot exploit this flaw against you. — Corey Nachreiner, CISSP (@SecAdept)


Filed Under: WatchGuard Articles Tagged With: FREAK, man-in-the-middle, MitM, SSL

Comments

  1. shuutech says

    March 8, 2015 at 2:07 pm

    Users can do a simple browser test to find out if they are vulnerable or not: https://freakattack.com/clienttest.html. If they are using a browser that isn’t affected (e.g. Chrome 41) and they are still getting a warning, they may have adware/malware.

Copyright © 2022 WatchGuard Technologies · Cookie Policy · Privacy Policy · Terms of Use