Early this month, I reported a new OpenSSL vulnerability in one of my Daily Security Byte videos. At a high level, OpenSSL servers configured to negotiate Diffie-Hellman keys in a particular way (reusing the same private DH exponent across connections, with DH parameters whose prime is not a "safe" prime) were exposed to a "key recovery" attack. By completing many specially crafted handshakes with a vulnerable server, an attacker could recover that private DH exponent (the server's DH private key, not the private key of its certificate) and decrypt the communications negotiated with it.
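To make that mechanism concrete, here is an added toy model of the attack; it is not OpenSSL code and not part of the original post. It assumes a non-safe prime p built with known small factors of p-1, a server that reuses one DH exponent and does not check the client's DH value, and a stand-in "Finished" HMAC as the oracle the attacker compares guesses against. The parameters are toy-sized so the brute force is instant; the names DHServer, recover_exponent and attack_succeeds are this example's own.

```python
"""Toy model of the CVE-2016-0701 key-recovery attack (added example, not OpenSSL
code). A DHE server reuses one private exponent x across connections and accepts
client values from small subgroups of a non-safe prime p; each crafted connection
leaks x mod r for a small prime factor r of p-1, and CRT over the residues gives x."""
import hashlib
import hmac
import secrets
from math import prod

SMALL_ORDERS = [3, 5, 7, 11, 13]  # small prime factors built into p-1 (toy choice)

def is_prime(n):
    """Trial division; adequate for the toy-sized numbers used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True

def element_of_order(p, r):
    """An element of Z_p^* with exact order r, for a prime r dividing p-1."""
    h = 2
    while pow(h, (p - 1) // r, p) == 1:
        h += 1
    return pow(h, (p - 1) // r, p)

def make_toy_params(start_q=1009):
    """(p, q, g) with p = 2*q*3*5*7*11*13 + 1, p and q prime, g of order q.
    p-1 has small factors, so p is not a 'safe' prime: the attack's precondition."""
    cofactor = 2 * prod(SMALL_ORDERS)
    q = start_q
    while not (is_prime(q) and is_prime(cofactor * q + 1)):
        q += 1
    p = cofactor * q + 1
    return p, q, element_of_order(p, q)

def key_confirmation(shared_secret, p):
    """Stand-in for the TLS Finished MAC: an HMAC under a key derived from Z."""
    key = hashlib.sha256(shared_secret.to_bytes((p.bit_length() + 7) // 8, "big")).digest()
    return hmac.new(key, b"server finished", hashlib.sha256).digest()

class DHServer:
    """Defaults model OpenSSL 1.0.2 before 1.0.2f without SSL_OP_SINGLE_DH_USE:
    one exponent for every connection and no check on the client's DH value."""

    def __init__(self, p, q, g, x, reuse_exponent=True, validate_peer=False):
        self.p, self.q, self.g, self.x = p, q, g, x
        self.reuse_exponent, self.validate_peer = reuse_exponent, validate_peer

    def handshake(self, client_public):
        """Return the key confirmation an attacker observes for one connection."""
        if self.validate_peer and not (
            1 < client_public < self.p - 1 and pow(client_public, self.q, self.p) == 1
        ):
            raise ValueError("client DH value is outside the prime-order subgroup")
        if not self.reuse_exponent:  # the 1.0.2f default: fresh exponent per handshake
            self.x = secrets.randbelow(self.q - 1) + 1
        return key_confirmation(pow(client_public, self.x, self.p), self.p)

def crt(residues):
    """Combine (a_i, m_i) pairs with pairwise coprime m_i into x mod prod(m_i)."""
    x, m = 0, 1
    for a, r in residues:
        x += m * (((a - x) * pow(m, -1, r)) % r)
        m *= r
    return x % m

def recover_exponent(p, q, server, small_orders=SMALL_ORDERS):
    """One crafted connection per small subgroup: y has order r, so the server's
    y^x equals y^(x mod r), and at most r guesses against the Finished value
    reveal x mod r. With prod(small_orders) > q > x the CRT result is x itself."""
    residues = []
    for r in small_orders:
        y = element_of_order(p, r)
        finished = server.handshake(y)
        k = next(k for k in range(r)
                 if hmac.compare_digest(key_confirmation(pow(y, k, p), p), finished))
        residues.append((k, r))
    return crt(residues)

def attack_succeeds(p, q, server, x):
    """True if the attack recovers x; False if the server rejects the crafted values."""
    try:
        return recover_exponent(p, q, server) == x
    except ValueError:
        return False
```

Build parameters with make_toy_params(), pick any x below q, and call attack_succeeds(p, q, DHServer(p, q, g, x), x): five connections leak x mod 3, 5, 7, 11 and 13, and because 3*5*7*11*13 exceeds q the Chinese remainder theorem returns x outright. With real-size parameters the small subgroups cover only part of the exponent and the attacker finishes with a baby-step giant-step search over the remaining bits, which is why the real attack needs many handshakes. Either option in DHServer stops it: reuse_exponent=False draws a fresh exponent per connection (what SSL_OP_SINGLE_DH_USE requests, and the default from OpenSSL 1.0.2f on), and validate_peer=True rejects client values outside the order-q subgroup before they reach the private exponent.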
Many WatchGuard products weren't vulnerable to this flaw, since we don't configure OpenSSL in the way necessary to expose the issue. However, our log collector, which is present in both WatchGuard System Manager (WSM) and Dimension™, was vulnerable to the flaw.
Dimension 2.0.1 Update 1 fixes this OpenSSL vulnerability (CVE-2016-0701). If you use Dimension™—especially if you expose its logging service publicly—you should download and install this Dimension™ update as soon as you can. Check the Release Notes for more details on what the update fixes, and how to install it.
Finally, you can learn more about this vulnerability, and how it affects our products, in the Knowledge Base article dedicated to the flaw.

— Corey Nachreiner, CISSP (@SecAdept)