The Heartbleed OpenSSL Vulnerability; Patch OpenSSL ASAP

On Monday, the OpenSSL team released a critical update for their popular SSL/TLS package, which fixes a serious flaw that lets a remote peer read the memory of a vulnerable client or server. If you use OpenSSL, you should read up on this issue and update OpenSSL immediately. WatchGuard products, like many others that use OpenSSL, are affected by this issue. We are currently working on updates to fix the flaw.

OpenSSL is a very popular implementation of the SSL/TLS cryptographic protocols, used to encrypt many network communications, including secure web communications. This week, a Google security researcher disclosed a serious vulnerability (CVE-2014-0160) that affects OpenSSL 1.0.1 through 1.0.1f (and 1.0.2-beta1), which is colloquially being called "The Heartbleed Bug." The issue does not affect the OpenSSL 0.9.8 or 1.0.0 branches.

The flaw is in OpenSSL's implementation of the TLS (and DTLS) heartbeat extension, RFC 6520. A heartbeat request carries a payload and a length field stating how long that payload is; the vulnerable versions echo back as many bytes as the length field claims without checking that the request actually contained that many, so a remote attacker can read up to 64 KB of the peer's process memory per request from any SSL/TLS client or server that has the extension enabled (it is enabled by default in the affected builds). 64 KB might seem small, but the request can be repeated indefinitely and leaves no trace in normal logs, so an attacker can gather enough memory contents to recover private key material, certificates, session cookies, usernames and passwords, and potentially decrypt the affected communications entirely. For complete details on the flaw, including a FAQ answering the most common questions, I recommend you check out the Heartbleed web page (heartbleed.com).
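As an added illustration (this is constructed example code, not OpenSSL's source and not part of the original post), the following C model of the heartbeat responder shows the missing check and the fix side by side. The record layout follows RFC 6520; the `mem` buffer, the `secret` string and the helper names are assumptions made for the demonstration, standing in for OpenSSL's heap and the sensitive data that sits in it next to the received record.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not OpenSSL's code: a stripped-down model of the TLS
 * heartbeat responder showing the missing bounds check behind CVE-2014-0160
 * and the check that 1.0.1g adds.
 *
 * Heartbeat message layout (RFC 6520):
 *   type (1) | payload_length (2, big-endian) | payload | padding (>= 16)
 * The responder echoes the payload back in a heartbeat_response.
 */

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HDR_LEN  3
#define HB_PADDING  16
#define MEM_SIZE    512

/* Simulated process memory (assumption for the demo): the received record
 * sits at the start and is followed by unrelated data, here a constructed
 * string standing in for the key material or session cookies that sit in
 * OpenSSL's real heap next to the record buffer. */
static unsigned char mem[MEM_SIZE];
static const char secret[] = "SESSION_COOKIE=deadbeef; PRIVATE_KEY_FRAGMENT=...";

/* Write a heartbeat request into buf. claimed_len is what the header says,
 * payload is what is actually sent. Returns the true record length. */
static size_t build_heartbeat(unsigned char *buf, uint16_t claimed_len,
                              const char *payload)
{
    size_t real = strlen(payload);
    buf[0] = HB_REQUEST;
    buf[1] = (unsigned char)(claimed_len >> 8);
    buf[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(buf + HB_HDR_LEN, payload, real);
    memset(buf + HB_HDR_LEN + real, 0, HB_PADDING);
    return HB_HDR_LEN + real + HB_PADDING;
}

/* Vulnerable responder (OpenSSL 1.0.1 to 1.0.1f behaviour): payload_length is
 * taken from the attacker-controlled header and never compared with the
 * received record length, so memcpy reads past the record into whatever
 * memory follows it. Returns the response length. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char *out)
{
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    (void)rec_len;                          /* never consulted: the bug */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR_LEN, rec + HB_HDR_LEN, payload_len);  /* over-read */
    return HB_HDR_LEN + payload_len;
}

/* Fixed responder: discard the record if it is too short to contain the
 * claimed payload plus the minimum padding. Returns 0 when discarded. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                       unsigned char *out)
{
    uint16_t payload_len;
    if (rec_len < HB_HDR_LEN + HB_PADDING)
        return 0;                           /* truncated: silently drop */
    payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HB_HDR_LEN + payload_len + HB_PADDING > rec_len)
        return 0;                           /* length field lies: drop */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR_LEN, rec + HB_HDR_LEN, payload_len);
    return HB_HDR_LEN + payload_len;
}

/* Send a malicious request that claims 200 bytes but carries 4 ("ping") to
 * both responders. Returns 1 if the vulnerable response contains the secret
 * and the fixed responder dropped the request, 0 otherwise. */
int heartbleed_demo(void)
{
    unsigned char out[MEM_SIZE];
    size_t rec_len, n, m;
    int leaked;

    memset(mem, 0, sizeof mem);
    rec_len = build_heartbeat(mem, 200, "ping");
    /* Place the secret directly after the record, like adjacent heap data. */
    memcpy(mem + rec_len, secret, sizeof secret);

    n = heartbeat_vulnerable(mem, rec_len, out);
    /* out[j] == mem[j] for 3 <= j < n, so the secret shows up at out + rec_len */
    leaked = n > rec_len + strlen(secret) &&
             memcmp(out + rec_len, secret, strlen(secret)) == 0;

    memset(out, 0, sizeof out);
    m = heartbeat_fixed(mem, rec_len, out);
    return leaked && m == 0;
}

/* An honest request (claims exactly what it sends) still gets a reply from
 * the fixed responder. Returns the response length: 3 + 4 = 7. */
size_t honest_heartbeat_len(void)
{
    unsigned char rec[64], out[64];
    size_t rec_len = build_heartbeat(rec, 4, "ping");
    return heartbeat_fixed(rec, rec_len, out);
}

int main(void)
{
    printf("vulnerable leaks secret, fixed drops request: %s\n",
           heartbleed_demo() ? "yes" : "no");
    printf("fixed responder reply to honest request: %zu bytes\n",
           honest_heartbeat_len());
    return 0;
}
```

Build and run with `cc -Wall heartbleed_demo.c && ./a.out`. The check in `heartbeat_fixed` is the same comparison the 1.0.1g patch adds before the memcpy in OpenSSL's own `tls1_process_heartbeat` and `dtls1_process_heartbeat`, namely `if (1 + 2 + payload + 16 > s->s3->rrec.length) return 0;`. Note that the over-read is silent in the real thing: nothing crashes, so nothing is logged.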

This is a very serious vulnerability in a package that many products rely on to secure web communications. If you use the 1.0.1 branch of OpenSSL yourself, you need to update to 1.0.1g (or, if you cannot update right away, rebuild with -DOPENSSL_NO_HEARTBEATS to disable the extension). Check what you are actually running with `openssl version -a`; some Linux distributions backport the fix without changing the version number, so confirm with your package's changelog, and remember that any service that already has libssl loaded keeps running the old code until it is restarted. Because private keys and passwords may already have been exposed, plan to reissue certificates and rotate passwords and session secrets after you patch. Furthermore, this flaw will likely affect many other products you might use. Be sure to look out for alerts from your vendors on this issue.

As for our own products, WatchGuard XTM and XCS appliances are affected by this vulnerability (to varying degrees). Our engineering team is currently working on a fix for the issue. We should be releasing an XTM 11.8.3 CSP update shortly, which will fix the issue for XTM appliances. Note that the flaw only affects 11.8.x versions of XTM. If you are using XTM 11.7.x or below, it uses an older version of OpenSSL which is not affected by this issue. Also, the XCS appliances are only affected if you use SecureMail. Finally, WatchGuard's SSL VPN appliances are NOT affected by the issue since they use older versions of OpenSSL.

Please keep an eye on this blog for more details as we will post the update as soon as it's available and tested. — Corey Nachreiner, CISSP (@SecAdept)


About Corey Nachreiner

Corey Nachreiner has been with WatchGuard since 1999 and has since written more than a thousand concise security alerts and easily-understood educational articles for WatchGuard users. His security training videos have generated hundreds of letters of praise from thankful customers and accumulated more than 100,000 views on YouTube and Google Video. A Certified Information Systems Security Professional (CISSP), Corey speaks internationally and is often quoted by other online sources, including C|NET, eWeek, and Slashdot. Corey enjoys "modding" any technical gizmo he can get his hands on, and considers himself a hacker in the old sense of the word.

34 Responses to “The Heartbleed OpenSSL Vulnerability; Patch OpenSSL ASAP”

  1. Make sure before you run off and wildly start updating/patching/revoking things that you manually check which version of openssl your box is using. I almost started going through the whole process and realized that the version I’m using (the 0.9.8 branch) is not vulnerable. Do your homework!

  2. A few more details.

    1) For Fireware XTM: the releases that are affected are the 11.8.x versions. If you’re running an earlier version, you are not vulnerable to this. If you are running an 11.8.x version, you should update to 11.8.3 Update 1 as soon as it is posted.

    2) For XCS: the vulnerability applies only to users of SecureMail email encryption; other functions of the software use an earlier OpenSSL version, even on the latest release.

    — Roger Klorese
    Director, Product Management

    • Roger B.A. Klorese, April 9, 2014 at 9:38 am

      We are testing it in production and in QA now. We are hoping to post it today — if not, tomorrow.

  3. And I assume anyone without a valid livesecurity subscription is out of luck? One of mine expired last week.

  4. Should SecureMail be disabled until the patch is provided?

    • Roger B.A. Klorese, April 9, 2014 at 1:02 pm

      The vulnerable OpenSSL library is used within XCS only for communications between the XCS appliance and our SecureMail encryption provider, Voltage. XCS acts as a client for those connections, not a listening server. Therefore, the flaw could only be exploited by Voltage themselves, and no one else; as such, we believe there is no actual risk. We are building a hotfix that we hope to release by the end of the week that will include a fix, but it is only for peace of mind (and the handful of other non-security bugs addressed in the hot fix); no need to make any changes immediately or disable SecureMail.

  5. Please let me know how soon will the patch be available?

  6. Or at least a post on what services this affects and how to mitigate the risk in the mean time?

  7. Should I be watching the comments for when this is released, or is there a better place?

    • Roger B.A. Klorese, April 9, 2014 at 3:25 pm

      Fireware XTM 11.8.3 Update 1 is posted live now. There will be a more detailed post to this blog shortly.

      Here’s the summary notice:

      On 9 April 2014, WatchGuard released Fireware XTM v11.8.3 Update 1 in response to the reported “Heartbleed” vulnerability (CVE-2014-0160) in OpenSSL, which is widely used in web servers and network devices around the world. This update includes a critical patch to OpenSSL to address this vulnerability and we recommend that you update immediately if you use Fireware XTM v11.8.x. This does not affect anyone using Fireware XTM v11.7.4 or earlier. WatchGuard is not aware of any breaches involving the vulnerability, but because of its critical nature and the length of time it has been available to exploit, we recommend that you take measures to change passwords and renew certificates used in the XTM appliance. If you are using certificates issued by a Certificate Authority (CA), note that some CAs are reissuing certs at reduced or no cost.

      • Can you please tell me if you guys are working on the update for XCS secure email, and when will that be available for download? Thanks.

      • Roger B.A. Klorese, April 10, 2014 at 7:40 am

        There is no exploitable vulnerability in XCS, even in SecureMail — the vulnerable OpenSSL library is used only for private connection between the appliance and the encryption server. All inbound connections use a version that is not vulnerable. There is no reason to wait for a fix.

        There will be an XCS hot fix posted later this week or early next week that does update the SSL library used for SecureMail — but the main purpose of the hot fix is to address other issues, and this one is conveniently going along for the ride.

      • Hello. Is it possible to use information exchanged between Voltage and the Watchguard appliance to expose emails secured by the appliance?

  8. Scheduled updating from 11.8.3 to 11.8.3_u1 with Central Management fails for XTMv, XTM 5xx and XTM 2x devices; not so funny if you manage all your customers with this tool. Manual upgrade is working.

  9. Where is the update for XTMv on ESX? It’s not listed on the WG website.
    ETA?

  10. Is this only a high concern if you are doing SSL VPN (not branch office vpn)?

  11. Okay I read more and it looks like this should be applied to all XTM 11.8 devices for the following reasons “For Fireware XTM, SSL is used for management connections to the Web UI, for user authentication on TCP port 4100, for Mobile VPN with SSL, and for HTTPS deep packet inspection. Since SSL encryption has been compromised, best practice recommendations are to update certificates and passwords used in your network security equipment and web servers. WatchGuard is not aware of any breaches involving WatchGuard devices and this vulnerability, but, because of its critical nature and the length of time it has been available to exploit, users should remain cautious and renew certificates, change passwords, and make new backup images. Instructions for these tasks are included below.”

  12. Hello.
    Just to be clear, only the OS on the XTM appliance needs to be updated. Correct?

    • Thank you for the link Cesar! I found a WatchGuard certificate labeled “O=WatchGuard, OU=Engineering” lower down in the list when you check “Show trusted CAs for proxies”. It is also an older certificate, so does it need to be deleted as well? If so, will it be regenerated on reboot? Thank you.

    • Deleting the self-signed certificates, does it include those with an organization of “WatchGuard_Technologies” as well? Like the Web Server and CA Cert certificates? Thank you.

  13. It’s appropriate time to make a few plans for the long run and it’s time to be happy.

    I’ve learn this submit and if I may just I want to recommend you some fascinating things or suggestions.

    Maybe you could write next articles referring to this article.
    I want to read even more issues approximately it!

  14. Is there anything with XCS’s and Voltage secure email that we have to worry about?

    http://www.zdnet.com/openssl-fixes-another-severe-vulnerability-7000030253/

    • We’ll post an alert soon. XCS is not affected. WSM and Dimension are technically affected by some of the vulns, but not in a way that would be exploited realistically in the real world. However, XTM Fireware itself is affected by some of these new flaws. We are working on patching now.

      Cheers, Corey

      (Reply sent by e-mail, Thursday, June 5, 2014.)

  15. Nice blog here! Additionally your site so much up fast! What host are you the use of?

    Can I get your associate link on your host? I wish my web site
    loaded up as quickly as yours lol

  16. It’s awesome to go to see this site and reading the views of all mates regarding this article,
    while I am also keen of getting experience.
