Archive | WatchGuard Software RSS feed for this section

WatchGuard Breaks Logjam and Protects Encrypted Connections

This week, a group of university researchers disclosed a new vulnerability affecting the Diffie-Hellman key exchange. The Diffie-Hellman (DH) key exchange is a cryptographic method for two systems to establish a shared secret over a public communication channel, which they later use to encrypt their communications. Many encryption protocols, including HTTPS, SMTPS, IPSec VPN, SSH, and other TLS implementations, use it to set up shared secrets.

According to these researchers’ whitepaper, the Diffie-Hellman key exchange suffers from an implementation flaw that attackers can exploit to downgrade your shared key’s strength, making it easier to crack your encryption. To pull off the attack, a bad actor first needs to perform a man-in-the-middle (MitM) attack in order to capture and manipulate your communications with the other host. Once they intercept your communications, the attacker can force the DH key exchange to use the DHE_EXPORT cipher, which limits the shared secret to a 512-byte key.

You may remember me talking about export ciphers in our previous FREAK advisory. Back in the day (1992 – 2000), the United States of America restricted the export of strong encryption to certain countries for political reasons. That meant many encryption products had to ship with weaker “export” cipher suites, which were presumably easier for the US government to crack. The DHE_EXPORT is the weaker cipher that ships with many DH implementations. With modern increases in processing power and the discovery of new cryptographic flaws, the 512-byte keys produced by this export cipher is especially weak today, and easily cracked. In fact, the researchers who found this flaw even allege that state sponsored actors may even be able to crack 1024-bit keys today. In short, you do no want to rely on encrypted connections that use a 512-bit key.

Though this new DH flaw sounds bad, it only poses a medium to low risk. In order to exploit it, an attacker needs to be able to intercept your network traffic. While this might be relatively easy to do on public wireless networks, its more difficult to pull off on wired networks (unless you are a nation state). Nonetheless, you still want to fix the flaw as soon as you can. Here are a few mitigation tips:

  • Disable the DHE_EXPORT cipher. If you manage any products that use the Diffie-Hellman key exchange, you should remove the DHE_EXPORT cipher from their list of accepted ciphers. Many products, including web servers, email servers, VPN products, SSH servers, and more, use the Diffie-Hellman key negotiation, so you’ll likely have many products to check.  I suspect many manufacturers will release patches to disable the DHE_EXPORT cipher for you.
  • Deploy Elliptic-Curve Diffie-Hellman (ECDHE). This more modern key exchange is more resilient to known cryptanalytic attacks. See the researchers deployment guide for more details.
  • Use strong 2048-bit keys for fixed groups. You should generate 2048-bit keys or stronger for DH groups on your web servers. Again, see the deployment guide for more details.
  • Update your web browsers. At the time of this writing, Internet Explorer is the only browser that has been patched to not use the DHE_EXPORT cipher. I expect Mozilla, Google, and others to release updates soon. Be sure to update your browsers as soon as patches become available.
  • Use WatchGuard’s HTTPS ALG. If you’re a WatchGuard XTM customer, our HTTPS proxy can protect your users from this attack. See the details below.

What about my WatchGuard products?

You may be wondering if your WatchGuard products are affected. The good news is most of our products are not vulnerable to this issue, with the exception on our SSL VPN appliances. Here’s the run down:

  • XTM appliances: Not Vulnerable
  • XCS appliances: Not Vulnerable 
  • Wireless Access Points: Not Vulnerable
  • WatchGuard Dimension: Not Vulnerable
  • SSL VPN Appliances: Vulnerable.
    • Our SSL VPN Appliance supports the DHE_EXPORT cipher. By default, we don’t allow use of this cipher in the Application Portal, but we do in the Administrative Web UI. You can mitigate this vulnerability by limiting external access to the Web UI, or by proxying the Web UI through the Application portal. We’ll release an update to completely remove the DHE_EXPORT cipher in the future. 

More importantly, WatchGuard XTM appliances can actually help protect you from the Logjam vulnerability, if you use our HTTPS application layer gateway (ALG). Our HTTPS ALG temporarily decrypts HTTPS connections going through our appliance, so it can apply security services, such as antivirus and intrusion protection, to otherwise encrypted traffic. Furthermore, if you are using our HTTPS proxy with deep packet inspection enabled, it performs additional security functions including not allowing the use of the DHE_EXPORT cipher. Even if your users browse with unpatched web browsers that support the weak cipher, our HTTPS proxy will not allow them to establish connections with this weaker cipher. If you haven’t configured the HTTPS ALG on your XTM device, you may want to consider it.

If you’d like more details about this flaw, see the references below:

— Corey Nachreiner, CISSP (@SecAdept)

 

SC Magazine awards Firebox M440 with Five Stars, Named ‘Pick of the Litter’

The Firebox M440 continues to rack up the accolades! Most recently, SC Magazine published the results of its Security Information and Event Management (SIEM) and Unified Threat Management (UTM) product group test. M440 not only received a 5-star rating, but also their coveted “recommended” stamp of approval. Moreover, it was called the “pick of the litter” of the group that included Check Point Software, Cyberoam, Dell SonicWALL, LogRhythm, McAfee, NetIQ, SolarWinds, and more.

The Firebox M440 delivers the same strong security, high performance and flexible management tools that distinguish WatchGuard’s other UTM and Next-Generation Firewall (NGFW) solutions, but this model also delivers robust port density with 25 1 Gb Ethernet ports and two 10 Gb SFP+ (fiber) ports. This removes the need for complex configurations such as VLANs and instantly simplifying the critical process of applying traffic-appropriate policies across multiple network segments.

The lab shelled out praise left and right – noting the M440’s simple set-up and great documentation, a well-designed user interface, and calling WatchGuard Dimension™ an “outstanding feature” for visibility into the network. The review also said it was easy to use, expandable and offers very good value for the price.

SC Magazine stated the Firebox M440 is “a true enterprise-grade UTM device with massive throughput and some of the best all-in-one capability in its class.”

The M440 was also awarded a 5-star review and named Editor’s Choice by IT Pro, calling it “a powerful beast” with a superb range of security features. In addition, it won Security Product of the Year by Network Computing Magazine. To see a full list of WatchGuard awards, click here.

New Releases: Fireware and WSM version 11.9.5

red-wedge_smart-securityWatchGuard is pleased to announce the release of Fireware 11.9.5 and WSM 11.9.5. These maintenance releases provide many bug fixes, with full details outlined in the Release Notes and the  What’s New in 11.9.5 presentation.

Dimension 1.3 Update 2

Application Control information was not correctly logged from proxy policies in version 11.9.4. Along with the new Fireware release, we have also released Dimension 1.3 Update 2, which is also required to correct this issue.

Does This Release Pertain to Me?

The Fireware release applies to all Firebox and XTM appliances, except XTM 21/21-W, 22/22-W, or 23/23-W appliances.

Software Download Center

Firebox and XTM appliance owners with active LiveSecurity can obtain this update without additional charge by downloading the applicable packages from the new and improved WatchGuard Software Download Center. Please read the Release Notes before you upgrade to understand what’s involved. Known Issues are now listed in the Knowledge Base when logged in at the WatchGuard website. Note that there is also a Beta version of 11.10 available to try out at the software download center.

Contact Information

For Sales or Support questions, you can find phone numbers for your region online. If you contact WatchGuard Technical Support, please have your registered appliance Serial Number or Partner ID available.

Don’t have an active LiveSecurity subscription for your appliance? It’s easy to renew. Contact your WatchGuard reseller today. Find a Partner.

— Brendan Patterson 

Should WatchGuard Customer’s FREAK Out About SSL?

Last Tuesday, my Daily Security Byte video covered a new vulnerability that affected certain implementations of SSL; specifically ones that still use RSA’s export cipher suite (RSA_EXPORT).

Back in the day (1992 – 2000), the United States of America restricted the export of strong encryption to certain countries for political reasons. That meant encryption products, such as OpenSSL, had to ship with weaker “export” cipher suites, which were presumably easier for the US government to crack. With modern increases in processing power and the discovery of new cryptographic flaws, this export cipher suite is especially weak today, and easily cracked

This week, a French research team disclosed that many SSL implementations still ship with this weak RSA_EXPORT cipher suite. They warned that man-in-the-middle attackers can force vulnerable SSL clients and server into using this cipher, making it much easier for attackers to crack your encryption and read your decrypted SSL communications. At the original release time, the researcher stated this issue primarily affected Apple iOS and OS X, Google Android, and products that used older versions of OpenSSL. However, later in the week Microsoft warned that Windows was also vulnerability to this SSL flaw (I covered that in today’s video).

Though this flaw sounds bad, it only poses a medium to low risk. In order to exploit it, an attacker needs to be able to intercept your network traffic. While this might be relatively easy to do on public wireless networks, its more difficult to pull off on wired networks. Nonetheless, you still want to fix the flaw as soon as you can. If you use OpenSSL, make sure you’re running the latest versions (which don’t ship with the bad cipher). Apple, Google, and Microsoft all plan on releasing updates soon, but in some cases you can disable the vulnerable cipher suite in your SSL implementation. For instance, Microsoft describes how to use Group Policy to disable this cipher suite in the Workaround section of their advisory.

What about my WatchGuard products?

You may be wondering if your WatchGuard products are affected. The good news is most of our products are not vulnerable to this issue, with the exception on our SSL VPN appliances. Here’s the run down:

  • XTM appliances: Not Vulnerable (even E-Series products are not affected)
  • XCS appliances: Not Vulnerable
  • Wireless Access Points: Not Vulnerable
  • WatchGuard Dimension: Not Vulnerable
  • SSL VPN Appliances: Vulnerable

We will release an update for SSL VPN appliances in the future, and I’ll update this post when we do. In the meantime, the only way you expose this flaw is through its administrative user interface (UI). If you don’t expose the admin UI externally, Internet-based attackers cannot exploit this flaw against you. — Corey Nachreiner, CISSP (@SecAdept)

 

Don’t Be ‘fraid of No GHOST; Glibc Vulnerability

GHOST VulnerabilityDuring the blog downtime, observant security practitioners probably read about a serious new vulnerabilities called GHOST, which affects all Linux-based systems to some extent. I actually covered GHOST already, in one of my Daily Security Bytes, but you may have missed it during the downtime. Let me recap the issue here.

GHOST is the name Qualys gave to a newly reported security vulnerability in the very common glibc component that ships with almost all Linux-based software and hardware. If you haven’t heard of glibc, it’s the common GNU C library which contains functions that many Linux program rely on to do common task (such as looking up IP addresses). In a routine audit, Qualys researchers found that part of the gethostbyname() function suffers from a buffer overflow flaw that attackers can use to execute code on your Linux systems.

Because many different Linux application may (or may not) use this glibc function to look up IP addresses, this flaw might get exposed through almost any network service or package. Qualys specifically designed a Proof-of-Concept (PoC) exploit against the Exim email server, which attackers can exploit just by sending email, but they warn that many other Linux packages use the vulnerable function. Some potentially affected packages include:

  • apache
  • cups
  • dovecot
  • gnupg
  • isc-dhcp
  • lighttpd
  • mariadb/mysql
  • nfs-utils
  • nginx
  • nodejs
  • openldap
  • openssh
  • postfix
  • proftpd
  • pure-ftpd
  • rsyslog
  • samba
  • sendmail
  • sysklogd
  • syslog-ng
  • tcp_wrappers
  • vsftpd
  • xinetd
  • WordPress

That said, the  size of the buffer being overwritten is very limited; at only four to eight bytes. This makes it very challenging to actually exploit this flaw in many cases. So while quite a few packages may use the vulnerable function, not all of them actually pose a real-world risk.

It turns out that this particular glibc flaw was discovered and patched over two years ago. If you have glibc 2.18 or higher, you’re not affected. However, at the time it was patched the flaw was considered a bug rather than a security vulnerability, so many Linux distributions didn’t port the glibc update to their distro.

A quick way to check the glibc version on your Linux systems is to type the following command:

ldd --version

If that reports a version lower than 2.18, you need to upgrade. If you’re interested, this blog post has a lot more good information about testing for the flaw. The good news is every major Linux distribution has since updated. If you run Linux systems (especially public servers), I recommend you get your distro’s latest updates to fix this vulnerability.

Also, keep in mind that many hardware devices (often known as the Internet of Things) are actually embedded linux systems, which may need updates as well. Not to mention, some administrators may run Linux software ports on Windows and OS X systems as well. In these cases, it’s possible you might have vulnerable versions of glibc on those non-Linux systems.

Does GHOST Affect WatchGuard Products?

You may know that many WatchGuard product are Linux-based systems, and wonder how this flaw affects them. For the most part, this flaw has little to no impact to most of our products, with a few exceptions. Here are the details:

  • WatchGuard XCS appliances – Not Affected.
  • WatchGuard Wireless Access Points – Not Affected.
  • Dimension v1.3 and higher – Not Affected.
  • Dimension v1.2 and lower – Affected, but Dimension should have already auto-updated. The version of Ubuntu shipping with Dimension v1.2 does use a vulnerable glibc package. However, Dimension auto-updates, and downloads Ubuntu’s latest patches. Since Ubuntu released a patch long ago, your Dimension server should already be patched (as long as you didn’t disable auto-updates).
  • WatchGuard XTM appliances – Affected, but not likely exploitable. XTM Fireware does contain the vulnerable version of glibc. HOWEVER, you are only vulnerable to this issue if a Linux service uses the gethostbyname() funtion. For better security, and IPv6 interoperability, our engineers use the newer getaddrinfo() to resolve hostnames, which is not affected by this vulnerability. We have not found any packages using the vulnerable function, so we believe this flaw has little to no real-world impact on our XTM devices. That said, we have already patched our glibc library, and XTM owners will receive this update in the next scheduled Fireware release. If you’d like to know more about the difference between these functions, I recommend you read this post.
  • WatchGuard SSL VPN appliances – AffectedOur SSL VPN appliance does use the vulnerable library, and is affected by this flaw. We have already patched the flaw internally, and are currently scheduling a release vehicle for the update. I’ll update this post when we know a solid date.

So to summarize. If you use Linux systems, be sure to patch them as soon as you can. Most WatchGuard products aren’t really impacted by this flaw, but we recommend you install firmware updates when we release them. If you want to know more about this interesting and wide-spread issue, I’ve included a few references below. — Corey Nachreiner, CISSP (@SecAdept)

GHOST Vulnerability References:

New Releases: Fireware XTM 11.9.4 and WSM 11.9.4

Fireware OS 11.9.4 and WSM 11.9.4 are now available. This maintenance release includes many bug fixes and several new enhancements. The Release Notes list all resolved issues and new enhancements in the software.

Key Highlights:

  • New Guest Services capability enables the creation of temporary accounts for hotspot access. Ideal for hotels and retail stores to provide internet access for their visitors and customers. A new guest administrator role and user interface enable front line staff to manage and create the accounts.
  • Selective inspection or bypass of encrypted web traffic (HTTPS DPI) via domain name or web category. Administrators now have more flexibility, allowing them to bypass DPI inspection of known good sites that need to remain private, such as online banking or financial applications.
  • Diagnostic report output of Branch Office VPN configurations helps with quick troubleshooting and repair of any tunnel issues.
  • SSLv3 is disabled by default to protect against man in the middle attacks that could exploit the Poodle vulnerability (CVE-2014-3566).
  • Many bug fixes to improve the scalability and reliability of Single Sign-On.
  • Support for /31 and /32 subnets on external interfaces, which are commonly used in regions with shortages of IPv4 IP addresses.
  • WSM support for the new Firebox M400 and M500 models.

Full details of all changes including screenshots of new user interface are provided in the What’s New in 11.9.4 presentation [PPT].

Does this Release Pertain to Me?

This release applies to all Firebox and XTM appliances, except XTM 21/21-W, 22/22-W, or 23/23-W appliances.

New Software Download Center!

Firebox and XTM appliance owners can obtain this update without additional charge by downloading the applicable packages from the new and improved WatchGuard Software Download Center. No login is required to download the software, but you must have active LiveSecurity on the appliance to apply the upgrade. Please read the Release Notes before you upgrade, to understand what’s involved. Known issues are now listed in the Knowledge Base when accessed through the WatchGuard Portal. You must log in to see Known Issues.

If you need support, please enter a support incident online or call our support staff directly. (When you contact Technical Support, please have your registered Product Serial Number or Partner ID available.)

  • U.S. End Users: 877.232.3531
  • Authorized WatchGuard Resellers: 206.521.8375
  • International End Users: +1.206.613.0456

Latest Dimension 1.3 Update Improves Performance and Security

WatchGuard Dimension™ has been gaining rapid market adoption since it was first launched in late 2013. Customers have used the network security visibility tool to monitor and to gain critical and timely insights about network security threats, bandwidth and Internet usage as well as related traffic trends. The latest release of WatchGuard Dimension, Version 1.3 Update 1, is available now.

Release Highlights
Version 1.3 Update 1 includes SSL vulnerability mitigation (in response to the recent POODLE vulnerability), critical bug fixes, and minor feature enhancements that improve the efficiency, performance, and reliability of Dimension. For more information, please see the Enhancements and Resolved Issues section in the Release Notes.

Additional details about this release, including instructions for upgrade from previous versions of Dimension, can be found in Release Notes. Please review carefully before installing and trying out the new features.

If you are interested in installing Dimension in the Amazon Cloud, please contact WatchGuard Technical Support by logging in to http://www.watchguard.com/support and opening a technical support case.

Does This Release Pertain to Me?
This release applies to all Dimension users. Before you upgrade, read the Release Notes carefully to understand what’s involved, and pay special attention to the upgrade section.

How Do I Get this Release?
WatchGuard appliance owners with LiveSecurity can download the latest version of Dimension here, or by visiting software.watchguard.com and selecting Dimension from the first drop down menu. Remember to read the Release Notes for installation instructions.

If you need support, create a support case online or call our support staff directly. When you contact Technical Support, be sure to have your registered Product Serial Number or Partner ID available.

  • Authorized WatchGuard Resellers: +1.206.521.8375

How to Neuter POODLE (New SSL Vulnerability)

Surprise, surprise… Researcher’s have found yet another OpenSSL vulnerability. They’ve named this one POODLE. Silly name, I know, but at least it stands for something—Padding Oracle On Downgraded Legacy Encryption.

Attack POODLE

In short, POODLE is a protocol level cryptography flaw in Secure Sockets Layer version 3 (SSLv3), which is one of the many encryption protocols available to SSL/TLS implementations like OpenSSL, used to encrypt network traffic. While SSL can encrypt any traffic, it’s most commonly associated with secure web communications (HTTPS). SSLv3 is one of the older encryption protocols in OpenSSL’s library, having been around for 18 years or so. Newer protocols like TLS 1.0-1.2 are much more secure, but we’ve kept SSLv3 around for legacy interoperability reasons. Since this new vulnerability allows attackers to decrypt SSLv3 traffic, it’s time we get rid of SSLv3 for good.

The POODLE flaw is fairly complex, and hard to understand without a deeper comprehension of cryptography. If you’d really like to dive into the details, I recommend you read the paper [PDF] by the Google researchers who found the flaw, or check out this detailed explanation. However, here are the basics:

  1. First, this vulnerability requires a Man-in-the-Middle (MitM) attack to succeed. An attacker can only perform it if he can intercept traffic between you and the SSL server. Performing MitM attacks can range from extremely difficult to trivial, depending on the circumstances. For instance, if you join an unsecured WiFi network, attackers on the same network can quite easily intercept your traffic, whereas intercepting Internet traffic is exceptionally more difficult, and typically requires ISP level interception (or at least DNS poisoning) to pull off.
  2. Next, this attack only works against SSLv3 encrypted traffic, so the attacker needs to somehow force you to use it. This is a much easier hurdle for attackers to overcome. The SSL/TLS protocol includes a “downgrade” feature that allows SSL clients and servers to negotiate which encryption protocol they agree on, depending on what they both support. With a MitM attack, the attacker can intercept and manipulated the negotiations to ensure your browser and the server settle on SSLv3 encryption.
  3. At this point, an attacker can take advantage of the SSLv3 flaw (which is essentially a vulnerability in how SSLv3’s CBC cipher suites use padding) to decrypt certain bytes of your secured traffic. Again, see the paper if you are interested in the technical and mathematical detail. However, there are some caveats here. Basically, the educated guesses used in this attack will only work 1 in 256 times.  So this attack requires the same data be sent over newly created SSLv3 connection hundreds of times. Forcing hundreds of requests is easy when targeting web browsers, since the MitM attack allows the attacker to inject malicious javascript into your web session. This javascript allows the attacker to silently force your browser to do what he needs. However, there are many other clients that use SSL/TLS to encrypt communications, including VPN clients, and apps on your mobile device. Since this attack relies on malicious javascript, attackers can’t easily exploit it against non-browser SSL clients. In any case, once this attack succeeds in decrypting one byte, it’s trivial for the attacker to decrypt the rest of your secure message.
  4.  So what can attackers do by decrypting SSL encrypted web sessions? Most likely, they’d leverage this flaw to try to intercept your encrypted HTTP session cookie. This essentially allows them to hijack your secure web sessions, and do anything you could do on the particular secure site you’re visiting. They wouldn’t obtain your passwords, but they’d have access to your secure web account.

While this sounds pretty bad, and it can be when the attack succeeds, the mitigating factors mentioned above really lessen the severity of this flaw. MitM attacks are not trivial to pull off in most cases, and this exploit’s javascript requirement means it can only easily target web browsers, not other SSL-based clients. Furthermore, if either end (client or server) disables SSLv3, the attack is dead in the water. In fact, NIST only assigns this vulnerability (CVE-2014-3566) a CVSS severity rating of 4.3, which is on the lower medium range of their severity scale. Though many of the media outlet reporting on this flaw have made it sound extremely dangerous, I would only give it a medium severity. It’s definitely something you want to mitigate, but it is not nearly as dangerous as the Heartbleed and Shellshock flaws the media has compared it to.

How to Protect Yourself from POODLE:

Simply put, disable SSLv3!

SSLv3 is an antiquated and broken encryption protocol. Every modern browser and SSL client supports much more recent encryption options. Disabling SSLv3 is the only way to completely protect yourself.

That said, some organizations may still use some legacy web applications, especially ones that require Internet Explorer (IE) 6 running on XP, which depend on SSLv3. Frankly, it’s time you get rid of those applications. In order to quantify today’s minimal SSLv3 usage, CloudFlare monitored all their customers’ traffic and found only 0.09% of it was SSLv3. When monitoring only secure web (HTTPS) traffic, SSLv3 usage jumped to 0.65%, but that’s still a tiny fraction of web traffic. We recommend you help bring this number to zero by getting rid of SSLv3 in your organization

So how do you disable SSLv3? There are two sides to the equation—the server and the client. You only have to disable one side for the attack to fail.

Since this attack targets clients, and seems to primarily affect web browsers, I recommend you disable SSLv3 in your browsers first. All popular web browsers have configuration settings that allow you to do so. The folks at Zmap.io have kindly provided an instruction page detailing how to disable SSLv3 in the popular browsers; check it out. Furthermore, most browser vendors have promised to disable SSLv3 by default in their next software release. Once you have disabled SSLv3 in your browser, attackers cannot leverage this flaw to decrypt your traffic, even if you connect to a web server that still has SSLv3 enabled.

That said, you also should disable SSLv3 on any servers you run, just to help protect the rest of the world against this flaw. The creators of OpenSSL have released an update that fixes this vulnerability (and three others). Besides allowing you to disable SSLv3 on your server, the latest version of OpenSSL supports a feature called TLS_FALLBACK_SCSC, which essentially prevents MitM attackers from forcing clients to downgrade to a certain encryption protocol. Many other Linux distributions and SSL implementations have also released updates. Go get them.

As an aside, once you’ve disabled SSLv3 in your browsers and servers, you can check the results using the following sites:

Are WatchGuard Products Affected by POODLE?

In short, yes.

WatchGuard appliances use OpenSSL and are affected by this vulnerability to varying degrees. The impacted products include:

  • XTM appliances – WatchGuard’s web-based user interfaces (UI), whether the administrative interface or the VPN client portal, do support SSLv3, and are vulnerable to this. However, you can mitigate this flaw by limiting exposure to the Web UI. There is no reason to allow Internet users to access that administrative interface. Also, our SSL VPN clients do NOT support SSLv3. So mobile VPN connections are not affected. We are making updates to our XTM firmware to disable SSLv3 by default.
  • XCS appliances – The XCS’s Web UI does support SSLv3 by default. However, you can disable it for the Web UI, and should do so. Our mail engine does also support SSLv3, and you can’t currently disabled it in the mail engine. That said, this exploit primarily targets web browsers, so the exposure in the mail engine should be low. In any case, we are making changes to the XCS firmware to disable SSLv3.
  • SSL VPN appliances – The SSL VPN appliances administrative Web UI uses SSLv3, and your currently can’t disable it. However, you can limit exposure simply by not allowing external access to the Web UI. As far as client VPN connections, you can disable SSLv3 in the Manage System => Device Setting page. Doing so ensures attackers can’t exploit this flaw to intercept and decrypt mobile SSL VPN traffic. We will release and update to disable SSLv3 in the Web UI.

This vulnerability’s impact to our appliances is relatively low. Nonetheless, WatchGuard will release updated versions for all affected software and devices that are under support. We are currently planning all these releases, and we will update this post as the dates and releases become available. In any case, if you limit access to the web-based administration interfaces on your WatchGuard appliances, the vulnerability poses you little risk. Furthermore, if you disable SSLv3 in your browser, attackers can’t even leverage it against you, whether or not the appliance uses SSLv3.

To summarize, POODLE is a big enough issue that you should definitely disable SSLv3 in all your browsers and servers as soon as you can. However, despite the wide and alarming coverage of this issue, it does not pose a huge, real-world risk to most users. If you update your browsers, and avoid unsecured WiFi connections, POODLE will likely not bite, and is easy to neuter. — Corey Nachreiner, CISSP (@SecAdept)

 

How to Neuter POODLE (New SSL Vulnerability)

Surprise, surprise… Researcher’s have found yet another OpenSSL vulnerability. They’ve named this one POODLE. Silly name, I know, but at least it stands for something—Padding Oracle On Downgraded Legacy Encryption.

Attack POODLE

In short, POODLE is a protocol level cryptography flaw in Secure Sockets Layer version 3 (SSLv3), which is one of the many encryption protocols available to SSL/TLS implementations like OpenSSL, used to encrypt network traffic. While SSL can encrypt any traffic, it’s most commonly associated with secure web communications (HTTPS). SSLv3 is one of the older encryption protocols in OpenSSL’s library, having been around for 18 years or so. Newer protocols like TLS 1.0-1.2 are much more secure, but we’ve kept SSLv3 around for legacy interoperability reasons. Since this new vulnerability allows attackers to decrypt SSLv3 traffic, it’s time we get rid of SSLv3 for good.

The POODLE flaw is fairly complex, and hard to understand without a deeper comprehension of cryptography. If you’d really like to dive into the details, I recommend you read the paper [PDF] by the Google researchers who found the flaw, or check out this detailed explanation. However, here are the basics:

  1. First, this vulnerability requires a Man-in-the-Middle (MitM) attack to succeed. An attacker can only perform it if he can intercept traffic between you and the SSL server. Performing MitM attacks can range from extremely difficult to trivial, depending on the circumstances. For instance, if you join an unsecured WiFi network, attackers on the same network can quite easily intercept your traffic, whereas intercepting Internet traffic is exceptionally more difficult, and typically requires ISP level interception (or at least DNS poisoning) to pull off.
  2. Next, this attack only works against SSLv3 encrypted traffic, so the attacker needs to somehow force you to use it. This is a much easier hurdle for attackers to overcome. The SSL/TLS protocol includes a “downgrade” feature that allows SSL clients and servers to negotiate which encryption protocol they agree on, depending on what they both support. With a MitM attack, the attacker can intercept and manipulated the negotiations to ensure your browser and the server settle on SSLv3 encryption.
  3. At this point, an attacker can take advantage of the SSLv3 flaw (which is essentially a vulnerability in how SSLv3’s CBC cipher suites use padding) to decrypt certain bytes of your secured traffic. Again, see the paper if you are interested in the technical and mathematical detail. However, there are some caveats here. Basically, the educated guesses used in this attack will only work 1 in 256 times.  So this attack requires the same data be sent over newly created SSLv3 connection hundreds of times. Forcing hundreds of requests is easy when targeting web browsers, since the MitM attack allows the attacker to inject malicious javascript into your web session. This javascript allows the attacker to silently force your browser to do what he needs. However, there are many other clients that use SSL/TLS to encrypt communications, including VPN clients, and apps on your mobile device. Since this attack relies on malicious javascript, attackers can’t easily exploit it against non-browser SSL clients. In any case, once this attack succeeds in decrypting one byte, it’s trivial for the attacker to decrypt the rest of your secure message.
  4.  So what can attackers do by decrypting SSL encrypted web sessions? Most likely, they’d leverage this flaw to try to intercept your encrypted HTTP session cookie. This essentially allows them to hijack your secure web sessions, and do anything you could do on the particular secure site you’re visiting. They wouldn’t obtain your passwords, but they’d have access to your secure web account.

While this sounds pretty bad, and it can be when the attack succeeds, the mitigating factors mentioned above really lessen the severity of this flaw. MitM attacks are not trivial to pull off in most cases, and this exploit’s javascript requirement means it can only easily target web browsers, not other SSL-based clients. Furthermore, if either end (client or server) disables SSLv3, the attack is dead in the water. In fact, NIST only assigns this vulnerability (CVE-2014-3566) a CVSS severity rating of 4.3, which is on the lower medium range of their severity scale. Though many of the media outlet reporting on this flaw have made it sound extremely dangerous, I would only give it a medium severity. It’s definitely something you want to mitigate, but it is not nearly as dangerous as the Heartbleed and Shellshock flaws the media has compared it to.

How to Protect Yourself from POODLE:

Simply put, disable SSLv3!

SSLv3 is an antiquated and broken encryption protocol. Every modern browser and SSL client supports much more recent encryption options. Disabling SSLv3 is the only way to completely protect yourself.

That said, some organizations may still use some legacy web applications, especially ones that require Internet Explorer (IE) 6 running on XP, which depend on SSLv3. Frankly, it’s time you get rid of those applications. In order to quantify today’s minimal SSLv3 usage, CloudFlare monitored all their customers’ traffic and found only 0.09% of it was SSLv3. When monitoring only secure web (HTTPS) traffic, SSLv3 usage jumped to 0.65%, but that’s still a tiny fraction of web traffic. We recommend you help bring this number to zero by getting rid of SSLv3 in your organization

So how do you disable SSLv3? There are two sides to the equation—the server and the client. You only have to disable one side for the attack to fail.

Since this attack targets clients, and seems to primarily affect web browsers, I recommend you disable SSLv3 in your browsers first. All popular web browsers have configuration settings that allow you to do so. The folks at Zmap.io have kindly provided an instruction page detailing how to disable SSLv3 in the popular browsers; check it out. Furthermore, most browser vendors have promised to disable SSLv3 by default in their next software release. Once you have disabled SSLv3 in your browser, attackers cannot leverage this flaw to decrypt your traffic, even if you connect to a web server that still has SSLv3 enabled.

That said, you also should disable SSLv3 on any servers you run, just to help protect the rest of the world against this flaw. The creators of OpenSSL have released an update that fixes this vulnerability (and three others). Besides allowing you to disable SSLv3 on your server, the latest version of OpenSSL supports a feature called TLS_FALLBACK_SCSC, which essentially prevents MitM attackers from forcing clients to downgrade to a certain encryption protocol. Many other Linux distributions and SSL implementations have also released updates. Go get them.

As an aside, once you’ve disabled SSLv3 in your browsers and servers, you can check the results using the following sites:

Are WatchGuard Products Affected by POODLE?

In short, yes.

WatchGuard appliances use OpenSSL and are affected by this vulnerability to varying degrees. The impacted products include:

  • XTM appliances – WatchGuard’s web-based user interfaces (UI), whether the administrative interface or the VPN client portal, do support SSLv3, and are vulnerable to this. However, you can mitigate this flaw by limiting exposure to the Web UI. There is no reason to allow Internet users to access that administrative interface. Also, our SSL VPN clients do NOT support SSLv3. So mobile VPN connections are not affected. We are making updates to our XTM firmware to disable SSLv3 by default.
  • XCS appliances – The XCS’s Web UI does support SSLv3 by default. However, you can disable it for the Web UI, and should do so. Our mail engine does also support SSLv3, and you can’t currently disabled it in the mail engine. That said, this exploit primarily targets web browsers, so the exposure in the mail engine should be low. In any case, we are making changes to the XCS firmware to disable SSLv3.
  • SSL VPN appliances – The SSL VPN appliances administrative Web UI uses SSLv3, and your currently can’t disable it. However, you can limit exposure simply by not allowing external access to the Web UI. As far as client VPN connections, you can disable SSLv3 in the Manage System => Device Setting page. Doing so ensures attackers can’t exploit this flaw to intercept and decrypt mobile SSL VPN traffic. We will release and update to disable SSLv3 in the Web UI.

This vulnerability’s impact to our appliances is relatively low. Nonetheless, WatchGuard will release updated versions for all affected software and devices that are under support. We are currently planning all these releases, and we will update this post as the dates and releases become available. In any case, if you limit access to the web-based administration interfaces on your WatchGuard appliances, the vulnerability poses you little risk. Furthermore, if you disable SSLv3 in your browser, attackers can’t even leverage it against you, whether or not the appliance uses SSLv3.

To summarize, POODLE is a big enough issue that you should definitely disable SSLv3 in all your browsers and servers as soon as you can. However, despite the wide and alarming coverage of this issue, it does not pose a huge, real-world risk to most users. If you update your browsers, and avoid unsecured WiFi connections, POODLE will likely not bite, and is easy to neuter. — Corey Nachreiner, CISSP (@SecAdept)

 

WatchGuard Releases Appliance Updates to Fix OpenSSL Flaws

WatchGuard has released several important updates to software for all product lines over the past couple of weeks to address reported vulnerabilities. Last month the OpenSSL team released an update for their popular SSL/TLS package, which fixes six security vulnerabilities in their product, including a relatively serious Man-in-the-Middle (MitM) flaw. More details about these vulnerabilities and their impact are available at the WatchGuard Security Center. If you are not already signed up, we recommend that you subscribe to the blog to get regular updates about security vulnerabilities, WatchGuard products, and general security news.

Here are the releases that have been posted to patch the vulnerable version of OpenSSL.  As always, maintenance releases also include many significant bug fixes. Full details are listed in the Release Notes for each release.

  • 11.3.8 for e-Series devices
  • 11.6.8 for XTM 21,22,and 23 devices
  • 11.7.5 for XTM devices
  • 11.8.4 for XTM and Firebox T10 devices, which is also localized into all of the WatchGuard supported languages.
  • 11.9.1 for XTM and Firebox T10 devices
  • Hotfixes for version 9.2 and 10.0 for XCS appliances
  • SSL 3.2 Update 2 for SSL 100 and 560 appliances.

Other highlights in the new Fireware 11.9.1 release include:

  • Support for default gateway on different subnet
  • Several improved warning and informational messages throughout the product

More information including screenshots are available in the What’s New presentation.

Do These Releases Pertain to Me?

The OpenSSL patch is available for all e-Series, XTM appliances, and Firebox T10. Please choose the version that is relevant for your environment and devices. Upgrade to 11.9.1 to get the latest enhancements to the product.

How Do I Get the Release?

e-Series, XTM, and Firebox appliances owners who have a current LiveSecurity Service subscription can obtain updates without additional charge by downloading the applicable packages from the Articles & Software section of WatchGuard’s Support Center. To make it easier to find the relevant software, be sure to uncheck the “Article” and “Known Issue” search options, and press the Go button. Select the appropriate downloads for your devices. Please read the Release Notes before you upgrade, to understand what’s involved.

If you need support, please enter a support incident online or call our support staff directly. (When you contact Technical Support, please have your registered Product Serial Number, LiveSecurity Key, or Partner ID available.)

  • U.S. End Users: 877.232.3531
  • International End Users: +1.206.613.0456
  • Authorized WatchGuard Resellers: +1.206.521.8375

Don’t have an active LiveSecurity subscription for your XTM appliance? It’s easy to renew. Contact your WatchGuard reseller today. Find a reseller ?

Follow

Get every new post delivered to your Inbox.

Join 8,027 other followers

%d bloggers like this: