Archive | WatchGuard Software RSS feed for this section

New Releases: Fireware XTM 11.9.4 and WSM 11.9.4

Fireware OS 11.9.4 and WSM 11.9.4 are now available. This maintenance release includes many bug fixes and several new enhancements. The Release Notes list all resolved issues and new enhancements in the software.

Key Highlights:

  • New Guest Services capability enables the creation of temporary accounts for hotspot access. Ideal for hotels and retail stores to provide internet access for their visitors and customers. A new guest administrator role and user interface enable front line staff to manage and create the accounts.
  • Selective inspection or bypass of encrypted web traffic (HTTPS DPI) via domain name or web category. Administrators now have more flexibility, allowing them to bypass DPI inspection of known good sites that need to remain private, such as online banking or financial applications.
  • Diagnostic report output of Branch Office VPN configurations helps with quick troubleshooting and repair of any tunnel issues.
  • SSLv3 is disabled by default to protect against man in the middle attacks that could exploit the Poodle vulnerability (CVE-2014-3566).
  • Many bug fixes to improve the scalability and reliability of Single Sign-On.
  • Support for /31 and /32 subnets on external interfaces, which are commonly used in regions with shortages of IPv4 IP addresses.
  • WSM support for the new Firebox M400 and M500 models.

Full details of all changes including screenshots of new user interface are provided in the What’s New in 11.9.4 presentation [PPT].

Does this Release Pertain to Me?

This release applies to all Firebox and XTM appliances, except XTM 21/21-W, 22/22-W, or 23/23-W appliances.

New Software Download Center!

Firebox and XTM appliance owners can obtain this update without additional charge by downloading the applicable packages from the new and improved WatchGuard Software Download Center. No login is required to download the software, but you must have active LiveSecurity on the appliance to apply the upgrade. Please read the Release Notes before you upgrade, to understand what’s involved. Known issues are now listed in the Knowledge Base when accessed through the WatchGuard Portal. You must log in to see Known Issues.

If you need support, please enter a support incident online or call our support staff directly. (When you contact Technical Support, please have your registered Product Serial Number or Partner ID available.)

  • U.S. End Users: 877.232.3531
  • Authorized WatchGuard Resellers: 206.521.8375
  • International End Users: +1.206.613.0456

Latest Dimension 1.3 Update Improves Performance and Security

WatchGuard Dimension™ has been gaining rapid market adoption since it was first launched in late 2013. Customers have used the network security visibility tool to monitor and to gain critical and timely insights about network security threats, bandwidth and Internet usage as well as related traffic trends. The latest release of WatchGuard Dimension, Version 1.3 Update 1, is available now.

Release Highlights
Version 1.3 Update 1 includes SSL vulnerability mitigation (in response to the recent POODLE vulnerability), critical bug fixes, and minor feature enhancements that improve the efficiency, performance, and reliability of Dimension. For more information, please see the Enhancements and Resolved Issues section in the Release Notes.

Additional details about this release, including instructions for upgrade from previous versions of Dimension, can be found in Release Notes. Please review carefully before installing and trying out the new features.

If you are interested in installing Dimension in the Amazon Cloud, please contact WatchGuard Technical Support by logging in to http://www.watchguard.com/support and opening a technical support case.

Does This Release Pertain to Me?
This release applies to all Dimension users. Before you upgrade, read the Release Notes carefully to understand what’s involved, and pay special attention to the upgrade section.

How Do I Get this Release?
WatchGuard appliance owners with LiveSecurity can download the latest version of Dimension here, or by visiting software.watchguard.com and selecting Dimension from the first drop down menu. Remember to read the Release Notes for installation instructions.

If you need support, create a support case online or call our support staff directly. When you contact Technical Support, be sure to have your registered Product Serial Number or Partner ID available.

  • Authorized WatchGuard Resellers: +1.206.521.8375

How to Neuter POODLE (New SSL Vulnerability)

Surprise, surprise… Researcher’s have found yet another OpenSSL vulnerability. They’ve named this one POODLE. Silly name, I know, but at least it stands for something—Padding Oracle On Downgraded Legacy Encryption.

Attack POODLE

In short, POODLE is a protocol level cryptography flaw in Secure Sockets Layer version 3 (SSLv3), which is one of the many encryption protocols available to SSL/TLS implementations like OpenSSL, used to encrypt network traffic. While SSL can encrypt any traffic, it’s most commonly associated with secure web communications (HTTPS). SSLv3 is one of the older encryption protocols in OpenSSL’s library, having been around for 18 years or so. Newer protocols like TLS 1.0-1.2 are much more secure, but we’ve kept SSLv3 around for legacy interoperability reasons. Since this new vulnerability allows attackers to decrypt SSLv3 traffic, it’s time we get rid of SSLv3 for good.

The POODLE flaw is fairly complex, and hard to understand without a deeper comprehension of cryptography. If you’d really like to dive into the details, I recommend you read the paper [PDF] by the Google researchers who found the flaw, or check out this detailed explanation. However, here are the basics:

  1. First, this vulnerability requires a Man-in-the-Middle (MitM) attack to succeed. An attacker can only perform it if he can intercept traffic between you and the SSL server. Performing MitM attacks can range from extremely difficult to trivial, depending on the circumstances. For instance, if you join an unsecured WiFi network, attackers on the same network can quite easily intercept your traffic, whereas intercepting Internet traffic is exceptionally more difficult, and typically requires ISP level interception (or at least DNS poisoning) to pull off.
  2. Next, this attack only works against SSLv3 encrypted traffic, so the attacker needs to somehow force you to use it. This is a much easier hurdle for attackers to overcome. The SSL/TLS protocol includes a “downgrade” feature that allows SSL clients and servers to negotiate which encryption protocol they agree on, depending on what they both support. With a MitM attack, the attacker can intercept and manipulated the negotiations to ensure your browser and the server settle on SSLv3 encryption.
  3. At this point, an attacker can take advantage of the SSLv3 flaw (which is essentially a vulnerability in how SSLv3’s CBC cipher suites use padding) to decrypt certain bytes of your secured traffic. Again, see the paper if you are interested in the technical and mathematical detail. However, there are some caveats here. Basically, the educated guesses used in this attack will only work 1 in 256 times.  So this attack requires the same data be sent over newly created SSLv3 connection hundreds of times. Forcing hundreds of requests is easy when targeting web browsers, since the MitM attack allows the attacker to inject malicious javascript into your web session. This javascript allows the attacker to silently force your browser to do what he needs. However, there are many other clients that use SSL/TLS to encrypt communications, including VPN clients, and apps on your mobile device. Since this attack relies on malicious javascript, attackers can’t easily exploit it against non-browser SSL clients. In any case, once this attack succeeds in decrypting one byte, it’s trivial for the attacker to decrypt the rest of your secure message.
  4.  So what can attackers do by decrypting SSL encrypted web sessions? Most likely, they’d leverage this flaw to try to intercept your encrypted HTTP session cookie. This essentially allows them to hijack your secure web sessions, and do anything you could do on the particular secure site you’re visiting. They wouldn’t obtain your passwords, but they’d have access to your secure web account.

While this sounds pretty bad, and it can be when the attack succeeds, the mitigating factors mentioned above really lessen the severity of this flaw. MitM attacks are not trivial to pull off in most cases, and this exploit’s javascript requirement means it can only easily target web browsers, not other SSL-based clients. Furthermore, if either end (client or server) disables SSLv3, the attack is dead in the water. In fact, NIST only assigns this vulnerability (CVE-2014-3566) a CVSS severity rating of 4.3, which is on the lower medium range of their severity scale. Though many of the media outlet reporting on this flaw have made it sound extremely dangerous, I would only give it a medium severity. It’s definitely something you want to mitigate, but it is not nearly as dangerous as the Heartbleed and Shellshock flaws the media has compared it to.

How to Protect Yourself from POODLE:

Simply put, disable SSLv3!

SSLv3 is an antiquated and broken encryption protocol. Every modern browser and SSL client supports much more recent encryption options. Disabling SSLv3 is the only way to completely protect yourself.

That said, some organizations may still use some legacy web applications, especially ones that require Internet Explorer (IE) 6 running on XP, which depend on SSLv3. Frankly, it’s time you get rid of those applications. In order to quantify today’s minimal SSLv3 usage, CloudFlare monitored all their customers’ traffic and found only 0.09% of it was SSLv3. When monitoring only secure web (HTTPS) traffic, SSLv3 usage jumped to 0.65%, but that’s still a tiny fraction of web traffic. We recommend you help bring this number to zero by getting rid of SSLv3 in your organization

So how do you disable SSLv3? There are two sides to the equation—the server and the client. You only have to disable one side for the attack to fail.

Since this attack targets clients, and seems to primarily affect web browsers, I recommend you disable SSLv3 in your browsers first. All popular web browsers have configuration settings that allow you to do so. The folks at Zmap.io have kindly provided an instruction page detailing how to disable SSLv3 in the popular browsers; check it out. Furthermore, most browser vendors have promised to disable SSLv3 by default in their next software release. Once you have disabled SSLv3 in your browser, attackers cannot leverage this flaw to decrypt your traffic, even if you connect to a web server that still has SSLv3 enabled.

That said, you also should disable SSLv3 on any servers you run, just to help protect the rest of the world against this flaw. The creators of OpenSSL have released an update that fixes this vulnerability (and three others). Besides allowing you to disable SSLv3 on your server, the latest version of OpenSSL supports a feature called TLS_FALLBACK_SCSC, which essentially prevents MitM attackers from forcing clients to downgrade to a certain encryption protocol. Many other Linux distributions and SSL implementations have also released updates. Go get them.

As an aside, once you’ve disabled SSLv3 in your browsers and servers, you can check the results using the following sites:

Are WatchGuard Products Affected by POODLE?

In short, yes.

WatchGuard appliances use OpenSSL and are affected by this vulnerability to varying degrees. The impacted products include:

  • XTM appliances – WatchGuard’s web-based user interfaces (UI), whether the administrative interface or the VPN client portal, do support SSLv3, and are vulnerable to this. However, you can mitigate this flaw by limiting exposure to the Web UI. There is no reason to allow Internet users to access that administrative interface. Also, our SSL VPN clients do NOT support SSLv3. So mobile VPN connections are not affected. We are making updates to our XTM firmware to disable SSLv3 by default.
  • XCS appliances – The XCS’s Web UI does support SSLv3 by default. However, you can disable it for the Web UI, and should do so. Our mail engine does also support SSLv3, and you can’t currently disabled it in the mail engine. That said, this exploit primarily targets web browsers, so the exposure in the mail engine should be low. In any case, we are making changes to the XCS firmware to disable SSLv3.
  • SSL VPN appliances – The SSL VPN appliances administrative Web UI uses SSLv3, and your currently can’t disable it. However, you can limit exposure simply by not allowing external access to the Web UI. As far as client VPN connections, you can disable SSLv3 in the Manage System => Device Setting page. Doing so ensures attackers can’t exploit this flaw to intercept and decrypt mobile SSL VPN traffic. We will release and update to disable SSLv3 in the Web UI.

This vulnerability’s impact to our appliances is relatively low. Nonetheless, WatchGuard will release updated versions for all affected software and devices that are under support. We are currently planning all these releases, and we will update this post as the dates and releases become available. In any case, if you limit access to the web-based administration interfaces on your WatchGuard appliances, the vulnerability poses you little risk. Furthermore, if you disable SSLv3 in your browser, attackers can’t even leverage it against you, whether or not the appliance uses SSLv3.

To summarize, POODLE is a big enough issue that you should definitely disable SSLv3 in all your browsers and servers as soon as you can. However, despite the wide and alarming coverage of this issue, it does not pose a huge, real-world risk to most users. If you update your browsers, and avoid unsecured WiFi connections, POODLE will likely not bite, and is easy to neuter. — Corey Nachreiner, CISSP (@SecAdept)

 

How to Neuter POODLE (New SSL Vulnerability)

Surprise, surprise… Researcher’s have found yet another OpenSSL vulnerability. They’ve named this one POODLE. Silly name, I know, but at least it stands for something—Padding Oracle On Downgraded Legacy Encryption.

Attack POODLE

In short, POODLE is a protocol level cryptography flaw in Secure Sockets Layer version 3 (SSLv3), which is one of the many encryption protocols available to SSL/TLS implementations like OpenSSL, used to encrypt network traffic. While SSL can encrypt any traffic, it’s most commonly associated with secure web communications (HTTPS). SSLv3 is one of the older encryption protocols in OpenSSL’s library, having been around for 18 years or so. Newer protocols like TLS 1.0-1.2 are much more secure, but we’ve kept SSLv3 around for legacy interoperability reasons. Since this new vulnerability allows attackers to decrypt SSLv3 traffic, it’s time we get rid of SSLv3 for good.

The POODLE flaw is fairly complex, and hard to understand without a deeper comprehension of cryptography. If you’d really like to dive into the details, I recommend you read the paper [PDF] by the Google researchers who found the flaw, or check out this detailed explanation. However, here are the basics:

  1. First, this vulnerability requires a Man-in-the-Middle (MitM) attack to succeed. An attacker can only perform it if he can intercept traffic between you and the SSL server. Performing MitM attacks can range from extremely difficult to trivial, depending on the circumstances. For instance, if you join an unsecured WiFi network, attackers on the same network can quite easily intercept your traffic, whereas intercepting Internet traffic is exceptionally more difficult, and typically requires ISP level interception (or at least DNS poisoning) to pull off.
  2. Next, this attack only works against SSLv3 encrypted traffic, so the attacker needs to somehow force you to use it. This is a much easier hurdle for attackers to overcome. The SSL/TLS protocol includes a “downgrade” feature that allows SSL clients and servers to negotiate which encryption protocol they agree on, depending on what they both support. With a MitM attack, the attacker can intercept and manipulated the negotiations to ensure your browser and the server settle on SSLv3 encryption.
  3. At this point, an attacker can take advantage of the SSLv3 flaw (which is essentially a vulnerability in how SSLv3’s CBC cipher suites use padding) to decrypt certain bytes of your secured traffic. Again, see the paper if you are interested in the technical and mathematical detail. However, there are some caveats here. Basically, the educated guesses used in this attack will only work 1 in 256 times.  So this attack requires the same data be sent over newly created SSLv3 connection hundreds of times. Forcing hundreds of requests is easy when targeting web browsers, since the MitM attack allows the attacker to inject malicious javascript into your web session. This javascript allows the attacker to silently force your browser to do what he needs. However, there are many other clients that use SSL/TLS to encrypt communications, including VPN clients, and apps on your mobile device. Since this attack relies on malicious javascript, attackers can’t easily exploit it against non-browser SSL clients. In any case, once this attack succeeds in decrypting one byte, it’s trivial for the attacker to decrypt the rest of your secure message.
  4.  So what can attackers do by decrypting SSL encrypted web sessions? Most likely, they’d leverage this flaw to try to intercept your encrypted HTTP session cookie. This essentially allows them to hijack your secure web sessions, and do anything you could do on the particular secure site you’re visiting. They wouldn’t obtain your passwords, but they’d have access to your secure web account.

While this sounds pretty bad, and it can be when the attack succeeds, the mitigating factors mentioned above really lessen the severity of this flaw. MitM attacks are not trivial to pull off in most cases, and this exploit’s javascript requirement means it can only easily target web browsers, not other SSL-based clients. Furthermore, if either end (client or server) disables SSLv3, the attack is dead in the water. In fact, NIST only assigns this vulnerability (CVE-2014-3566) a CVSS severity rating of 4.3, which is on the lower medium range of their severity scale. Though many of the media outlet reporting on this flaw have made it sound extremely dangerous, I would only give it a medium severity. It’s definitely something you want to mitigate, but it is not nearly as dangerous as the Heartbleed and Shellshock flaws the media has compared it to.

How to Protect Yourself from POODLE:

Simply put, disable SSLv3!

SSLv3 is an antiquated and broken encryption protocol. Every modern browser and SSL client supports much more recent encryption options. Disabling SSLv3 is the only way to completely protect yourself.

That said, some organizations may still use some legacy web applications, especially ones that require Internet Explorer (IE) 6 running on XP, which depend on SSLv3. Frankly, it’s time you get rid of those applications. In order to quantify today’s minimal SSLv3 usage, CloudFlare monitored all their customers’ traffic and found only 0.09% of it was SSLv3. When monitoring only secure web (HTTPS) traffic, SSLv3 usage jumped to 0.65%, but that’s still a tiny fraction of web traffic. We recommend you help bring this number to zero by getting rid of SSLv3 in your organization

So how do you disable SSLv3? There are two sides to the equation—the server and the client. You only have to disable one side for the attack to fail.

Since this attack targets clients, and seems to primarily affect web browsers, I recommend you disable SSLv3 in your browsers first. All popular web browsers have configuration settings that allow you to do so. The folks at Zmap.io have kindly provided an instruction page detailing how to disable SSLv3 in the popular browsers; check it out. Furthermore, most browser vendors have promised to disable SSLv3 by default in their next software release. Once you have disabled SSLv3 in your browser, attackers cannot leverage this flaw to decrypt your traffic, even if you connect to a web server that still has SSLv3 enabled.

That said, you also should disable SSLv3 on any servers you run, just to help protect the rest of the world against this flaw. The creators of OpenSSL have released an update that fixes this vulnerability (and three others). Besides allowing you to disable SSLv3 on your server, the latest version of OpenSSL supports a feature called TLS_FALLBACK_SCSC, which essentially prevents MitM attackers from forcing clients to downgrade to a certain encryption protocol. Many other Linux distributions and SSL implementations have also released updates. Go get them.

As an aside, once you’ve disabled SSLv3 in your browsers and servers, you can check the results using the following sites:

Are WatchGuard Products Affected by POODLE?

In short, yes.

WatchGuard appliances use OpenSSL and are affected by this vulnerability to varying degrees. The impacted products include:

  • XTM appliances – WatchGuard’s web-based user interfaces (UI), whether the administrative interface or the VPN client portal, do support SSLv3, and are vulnerable to this. However, you can mitigate this flaw by limiting exposure to the Web UI. There is no reason to allow Internet users to access that administrative interface. Also, our SSL VPN clients do NOT support SSLv3. So mobile VPN connections are not affected. We are making updates to our XTM firmware to disable SSLv3 by default.
  • XCS appliances – The XCS’s Web UI does support SSLv3 by default. However, you can disable it for the Web UI, and should do so. Our mail engine does also support SSLv3, and you can’t currently disabled it in the mail engine. That said, this exploit primarily targets web browsers, so the exposure in the mail engine should be low. In any case, we are making changes to the XCS firmware to disable SSLv3.
  • SSL VPN appliances – The SSL VPN appliances administrative Web UI uses SSLv3, and your currently can’t disable it. However, you can limit exposure simply by not allowing external access to the Web UI. As far as client VPN connections, you can disable SSLv3 in the Manage System => Device Setting page. Doing so ensures attackers can’t exploit this flaw to intercept and decrypt mobile SSL VPN traffic. We will release and update to disable SSLv3 in the Web UI.

This vulnerability’s impact to our appliances is relatively low. Nonetheless, WatchGuard will release updated versions for all affected software and devices that are under support. We are currently planning all these releases, and we will update this post as the dates and releases become available. In any case, if you limit access to the web-based administration interfaces on your WatchGuard appliances, the vulnerability poses you little risk. Furthermore, if you disable SSLv3 in your browser, attackers can’t even leverage it against you, whether or not the appliance uses SSLv3.

To summarize, POODLE is a big enough issue that you should definitely disable SSLv3 in all your browsers and servers as soon as you can. However, despite the wide and alarming coverage of this issue, it does not pose a huge, real-world risk to most users. If you update your browsers, and avoid unsecured WiFi connections, POODLE will likely not bite, and is easy to neuter. — Corey Nachreiner, CISSP (@SecAdept)

 

WatchGuard Releases Appliance Updates to Fix OpenSSL Flaws

WatchGuard has released several important updates to software for all product lines over the past couple of weeks to address reported vulnerabilities. Last month the OpenSSL team released an update for their popular SSL/TLS package, which fixes six security vulnerabilities in their product, including a relatively serious Man-in-the-Middle (MitM) flaw. More details about these vulnerabilities and their impact are available at the WatchGuard Security Center. If you are not already signed up, we recommend that you subscribe to the blog to get regular updates about security vulnerabilities, WatchGuard products, and general security news.

Here are the releases that have been posted to patch the vulnerable version of OpenSSL.  As always, maintenance releases also include many significant bug fixes. Full details are listed in the Release Notes for each release.

  • 11.3.8 for e-Series devices
  • 11.6.8 for XTM 21,22,and 23 devices
  • 11.7.5 for XTM devices
  • 11.8.4 for XTM and Firebox T10 devices, which is also localized into all of the WatchGuard supported languages.
  • 11.9.1 for XTM and Firebox T10 devices
  • Hotfixes for version 9.2 and 10.0 for XCS appliances
  • SSL 3.2 Update 2 for SSL 100 and 560 appliances.

Other highlights in the new Fireware 11.9.1 release include:

  • Support for default gateway on different subnet
  • Several improved warning and informational messages throughout the product

More information including screenshots are available in the What’s New presentation.

Do These Releases Pertain to Me?

The OpenSSL patch is available for all e-Series, XTM appliances, and Firebox T10. Please choose the version that is relevant for your environment and devices. Upgrade to 11.9.1 to get the latest enhancements to the product.

How Do I Get the Release?

e-Series, XTM, and Firebox appliances owners who have a current LiveSecurity Service subscription can obtain updates without additional charge by downloading the applicable packages from the Articles & Software section of WatchGuard’s Support Center. To make it easier to find the relevant software, be sure to uncheck the “Article” and “Known Issue” search options, and press the Go button. Select the appropriate downloads for your devices. Please read the Release Notes before you upgrade, to understand what’s involved.

If you need support, please enter a support incident online or call our support staff directly. (When you contact Technical Support, please have your registered Product Serial Number, LiveSecurity Key, or Partner ID available.)

  • U.S. End Users: 877.232.3531
  • International End Users: +1.206.613.0456
  • Authorized WatchGuard Resellers: +1.206.521.8375

Don’t have an active LiveSecurity subscription for your XTM appliance? It’s easy to renew. Contact your WatchGuard reseller today. Find a reseller ?

OpenSSL Patches Six Vulnerabilities, Including a MitM Flaw

OpenSSL CCS InjectionToday, the OpenSSL team released a critical update for their popular SSL/TLS package, which fixes six security vulnerabilities in their product, including a relatively serious Man-in-the-Middle (MitM) flaw. If you use OpenSSL, you should read up on these issues and update OpenSSL immediately. WatchGuard products, like many others that use OpenSSL, are affected by these issues to different extents. Our engineers are diligently working to release patches for these flaws as soon as possible.

OpenSSL is a very popular implementation of the SSL/TLS cryptography protocols, used to encrypt many network communications, including secure web communications. This week, the OpenSSL team released an update that fixes six vulnerabilities, including some publicly reported ones. Combined, the flaws affect all current versions of OpenSSL to some extent.

The flaws differ technically, and in scope and impact. For instance, one is a buffer overflow flaw that could allow attackers to execute code, assuming you use a particular OpenSSL feature (DTLS), while another allows attackers to crash OpenSSL, resulting in a Denial of Service (DoS) situation. However, the flaw recieving the most attention is a MitM vulnerability involving OpenSSL’s ChangeCipherSpec functionality. In short, if an attacker can get between a client and server, both of which have vulnerable versions of OpenSSL, he can exploit this flaw to decrypt SSL communications.

While this sounds fairly serious, there are a number of mitigating factor that lessen the severity of the MitM flaw. While all versions of the OpenSSL client are vulnerable to this issue, only two server versions are vulnerable. Also, very few client programs or devices use OpenSSL to make client connections. For instance, the popular browsers aren’t vulnerable to this issue. Finally, the attacker needs to intercept traffic between the client and server for this attack to succeed. Based on these factors, Android devices running on wireless networks pose the most risk, since Android is one of the platforms that uses the OpenSSL client, and wireless networks make it easier to intercept other’s traffic.

In the end, these flaws are not as severe as the previous Heartbleed vulnerability (attackers could exploit that from anywhere, without intercepting traffic). Nonetheless, we highly recommend OpenSSL administrators install the patch immediately, and start looking for updates from other vendors who use OpenSSL in their own products.

WatchGuard Products – (Updated on Jun-17)

Finally, WatchGuard appliances are affected by some of these vulnerabilities (to varying degrees). Although they do not have the same level of impact as Heartbleed, a broader range of OpenSSL versions are vulnerable. WatchGuard products impacted are:

  • Fireware XTM version 11.3 to 11.9 and associated WSM management software
  • SSL VPN clients for XTM
  • XCS
  • SSL VPN appliance

The level of risk is relatively low, but WatchGuard will release updated versions for all affected software for devices that are under support. Unlike Heartbleed, certificates do NOT need to be updated. Our IPS signature team has also released signatures to address one of the vulnerabilities (CVE-2014-3466) in signature set 4.422. Estimated release dates and version numbers for patched firmware, including SSL VPN clients, are:

  • XCS Hotfix – June 10th for version 10, June 11th for version 9. Posted!
  • 11.3.8 – June 12th (for e-Series devices) – Posted
  • 11.6.8 – June 13th (for XTM 21/22/23 devices) – Posted
  • 11.7.5 – June 12th – Posted
  • 11.8.4 – June 23rd – Posted
  • 11.9.1 – June 24th – Posted

These dates are subject to change depending on outcome of Quality Assurance process. WatchGuard will continue to provide latest information about these vulnerabilities and latest status on release dates in this blog post.

— Corey Nachreiner, CISSP (@SecAdept),  Brendan Patterson, CISSP

 

New Releases: Fireware XTM 11.9 and Dimension 1.2

WatchGuard has posted major new software releases this month. We are pleased to announce that Fireware 11.9, WSM 11.9, and Dimension 1.2 are now available to download. WatchGuard’s newest releases give WatchGuard NGFW and UTM appliances – including XTM Series and Firebox T10 models – a host of new features. Highlights include:

APT Blocker – WatchGuard’s newest security module. Networks are vulnerable to advanced malware that relies on highly sophisticated detection evasion to hide their attacks. APT Blocker uses a cloud-based sandbox with full system emulation (CPU and memory) to detect and block advanced malware and zero day attacks that signature-only solutions miss.

WatchGuard Dimension™ is the award-winning security intelligence and visibility solution that is included at no charge with all WatchGuard network security solutions. Dimension 1.2 includes new reports for APT Blocker, performance enhancements, and translation into local languages.

Traffic Management: Fireware 11.9 enables administrators to preserve expensive Internet bandwidth connections for those business-critical applications that truly need it, with the ability to control and limit bandwidth use for applications, application categories, IP addresses, and VLANs.

Gateway Wireless Controller:  A new interactive, graphical wireless coverage map helps administrators to quickly achieve the optimal arrangement and configuration of wireless access points in their buildings.

Plus many, many more enhancements including IPv6 dynamic routing, custom DLP rules, Q-Radar SIEM integration, and custom network zones. Full details including screenshots are provided in the presentations: What’s New in 11.9 and What’s New in Dimension 1.2.

Does This Release Pertain to Me?

This release applies to the Firebox® T10 and all XTM appliances, except XTM 21/21-W, 22/22-W, and 23/23-W appliances. Please read the Fireware 11.9 Release Notes and Dimension 1.2 Release Notes before you upgrade, to understand what’s involved and to see the complete list of all resolved issues and new enhancements in the software.

How Do I Get the Release?

XTM and Firebox T10 appliance owners who have a current LiveSecurity® Service subscription can obtain this update without additional charge by downloading the applicable packages from the Articles & Software section of WatchGuard’s Support Center. To make it easier to find the relevant software, be sure to uncheck the “Article” and “Known Issue” search options, and press the Go button.

If you need support, please enter a support incident online or call our support staff directly. (When you contact Technical Support, please have your registered Product Serial Number, LiveSecurity Key, or Partner ID available.)

  • U.S. End Users: 877.232.3531
  • International End Users: +1.206.613.0456
  • Authorized WatchGuard Resellers: +1.206.521.8375

Don’t have an active LiveSecurity subscription for your XTM appliance? It’s easy to renew. Contact your WatchGuard reseller today. Find a reseller

11.8.3 Update 1 now available to fix Heartbleed vulnerabilty in Fireware XTM OS

New Release: Fireware XTM 11.8.3 Update 1
Yesterday we posted an update about the Heartbleed vulnerability (CVE-2014-0160) in OpenSSL. We are pleased to announce that 11.8.3 Update 1 is now available at the software download site with a critical patch to address this issue in WatchGuard appliances.  We recommend you update immediately if you use Fireware XTM v11.8.x. This flaw does not affect appliances running Fireware XTM v11.7.4 or earlier.

WatchGuard is not aware of any breaches involving this vulnerability, but because of its critical nature and the length of time it has been available to exploit, we recommend that you take measures to change passwords and renew certificates used in your XTM device after you upgrade. We have published a knowledge base article with details on how to do this. 

The WatchGuard IPS service now includes four signatures  in the version 4.404 set that protect against exploits of the heartbleed vulnerability.

Does This Release Pertain to Me?
This release applies to all XTM appliances, except XTM 21/21-W, 22/22-W, or 23/23-W appliances, but only those running 11.8.x versions of the firmware. Please read the Release Notes before you upgrade, to understand what’s involved.

What about other WatchGuard products?
WatchGuard SSL VPN, Dimension and the WSM Management software are not affected. Yesterday we reported that there is an impact on the SecureMail functionality in XCS. On further analysis, we’ve determined that this is even less than thought. The vulnerable OpenSSL library is used within XCS only for communications between the XCS appliance and our SecureMail encryption provider, Voltage. XCS acts as a client for those connections, not a listening server. Therefore, the flaw could only be exploited by Voltage themselves, and no one else; as such, we believe there is no actual risk. Nevertheless, we are building a hotfix that we hope to release by the end of the week.

How Do I Get the Fireware XTM Release?
XTM appliances owners who have a current LiveSecurity Service subscription can obtain this update without additional charge by downloading the applicable packages from the Articles & Software section of WatchGuard’s Support Center. To make it easier to find the relevant software, be sure to uncheck the “Article”, and “Known Issue” search options, and press the Go button.

If you need support, please enter a support incident online or call our support staff directly. (When you contact Technical Support, please have your registered Product Serial Number, LiveSecurity Key, or Partner ID available.)

The Heartbleed OpenSSL Vulnerability; Patch OpenSSL ASAP

On Monday, the OpenSSL team released a critical update for their popular SSL/TLS package, which fixes a serious cryptographic weakness in their product. If you use OpenSSL, you should read up on this issue and update OpenSSL immediately. WatchGuard products, like many others that use OpenSSL, are affected by this issue. We are currently working on updates to fix the flaw.

OpenSSL is a very popular implementation of the SSL/TLS cryptography protocols, used to encrypt many network communications, including secure web communications. This week, a Google security researcher disclosed a serious vulnerability (CVE-2014-0160) that affects OpenSSL 1.0.1 – 1.0.1f (and 1.0.2-beta), which is colloquially being called “The Heartbleed Bug.” The issue does not affect OpenSSL 0.9.8 and below.

The flaw has to do with the TLS heartbeat extension. Without going into all the technical details, a remote attacker could exploit this flaw to repeatedly reveal 64K of memory contents from a SSL/TLS connected client or server. 64K of memory might seem small, but an attacker could repeatedly exploit this flaw to gather enough contents from memory to compromise SSL key material, certificates, usernames, passwords, and potentially gain access to your entire decrypted communications. For complete details on the flaw, including a FAQ answering the most common question, I recommend you check out the Heartbleed web page.

This is a very serious vulnerability to a package than many products rely on to secure web communications. If you use the 1.0.1 branch of OpenSSL yourself, you need to update to 1.0.1g. Furthermore, this flaw will likely affect many other products you might use. Be sure to look out for alerts from your vendors on this issue.

Finally, WatchGuard XTM and XCS appliances are affected by this vulnerability (to varying degrees). Our engineering team is currently working on a fix for the issue. We should be releasing an XTM 11.8.3 CSP update shortly, which will fix the issue for XTM appliances. By the way, the flaw only affect 11.8.x versions of XTM. If you are using XTM 11.7.x or below, it uses an older version of OpenSSL which is not affected by this issue. Also, the XCS appliances are only affected if you use SecureMail. Finally, WatchGuard’s SSL VPN appliances are NOT affected by the issue since they use older versions of OpenSSL.

Please keep an eye on this blog for more details as we will post the update as soon as it’s available and tested. — Corey Nachreiner, CISSP (@SecAdept

 

WatchGuard Releases SSL VPN 3.2 Update 1

A critical update has been released for WatchGuard SSL VPN appliances.

The SSL VPN 3.2 Update 1 release includes an updated Java certificate that will prevent certificate expiration warnings each time you use a Java-based access client. The SSL certificate used by the software to sign Java applications expires on 8 April 2014. This release also resolves a compatibility issue with Java version 7u51 and later. It includes many bug fixes which were previously only provided in Cumulative Service Packs (CSPs). The Release Notes list all resolved issues in the software.

Does This Release Pertain to Me?

This release applies to all WatchGuard SSL VPN 100 and 560 appliances. WatchGuard recommends that all SSL VPN customers should deploy this upgrade to avoid unnecessary java warnings.

How Do I Get the Release?

SSL appliance owners who have a current LiveSecurity Service subscription can obtain this update without additional charge by downloading the applicable packages from the Articles & Software section of WatchGuard’s Support Center. To make it easier to find the relevant software, be sure to uncheck the “Article” and “Known Issue” search options, and press the Go button. Please read the Release Notes before you upgrade, to understand what’s involved.

If you need support, please enter a support incident online or call our support staff directly. (When you contact Technical Support, please have your registered Product Serial Number, LiveSecurity Key, or Partner ID available.)

  • U.S. End Users: 877.232.3531
  • International End Users: +1.206.613.0456
  • Authorized WatchGuard Resellers: +1.206.521.8375
Follow

Get every new post delivered to your Inbox.

%d bloggers like this: