11.8.3 Update 1 now available to fix Heartbleed vulnerabilty in Fireware XTM OS

New Release: Fireware XTM 11.8.3 Update 1
Yesterday we posted an update about the Heartbleed vulnerability (CVE-2014-0160) in OpenSSL. We are pleased to announce that 11.8.3 Update 1 is now available at the software download site with a critical patch to address this issue in WatchGuard appliances.  We recommend you update immediately if you use Fireware XTM v11.8.x. This flaw does not affect appliances running Fireware XTM v11.7.4 or earlier.

WatchGuard is not aware of any breaches involving this vulnerability, but because of its critical nature and the length of time it has been available to exploit, we recommend that you take measures to change passwords and renew certificates used in your XTM device after you upgrade. We have published a knowledge base article with details on how to do this. 

The WatchGuard IPS service now includes four signatures  in the version 4.404 set that protect against exploits of the heartbleed vulnerability.

Does This Release Pertain to Me?
This release applies to all XTM appliances, except XTM 21/21-W, 22/22-W, or 23/23-W appliances, but only those running 11.8.x versions of the firmware. Please read the Release Notes before you upgrade, to understand what’s involved.

What about other WatchGuard products?
WatchGuard SSL VPN, Dimension and the WSM Management software are not affected. Yesterday we reported that there is an impact on the SecureMail functionality in XCS. On further analysis, we’ve determined that this is even less than thought. The vulnerable OpenSSL library is used within XCS only for communications between the XCS appliance and our SecureMail encryption provider, Voltage. XCS acts as a client for those connections, not a listening server. Therefore, the flaw could only be exploited by Voltage themselves, and no one else; as such, we believe there is no actual risk. Nevertheless, we are building a hotfix that we hope to release by the end of the week.

How Do I Get the Fireware XTM Release?
XTM appliances owners who have a current LiveSecurity Service subscription can obtain this update without additional charge by downloading the applicable packages from the Articles & Software section of WatchGuard’s Support Center. To make it easier to find the relevant software, be sure to uncheck the “Article”, and “Known Issue” search options, and press the Go button.

If you need support, please enter a support incident online or call our support staff directly. (When you contact Technical Support, please have your registered Product Serial Number, LiveSecurity Key, or Partner ID available.)

About brendanpatt

Brendan Patterson is a Director of Product Management at WatchGuard Technologies, with responsibility for the WatchGuard Fireware operating system. He has worked closely with WatchGuard's security partners to deliver best of breed security services for the UTM platform. Brendan is a Certified Information Systems Security Professional (CISSP) with over 15 years experience in security and networking technologies. Prior to WatchGuard, Brendan was Vice President of Marketing at The PowerTech Group, a leader in enterprise security solutions for IBM mid-range servers. He was instrumental in expanding the product line and the successful launch of two new regulatory compliance products. Brendan has a master's degree in the Management of Technology from the Massachusetts Institute of Technology, Cambridge, Mass., and a bachelor's degree in Mechanical Engineering from the National University of Ireland.

13 Responses to “11.8.3 Update 1 now available to fix Heartbleed vulnerabilty in Fireware XTM OS”

  1. Brendan: What about Edge E-series which are not EOL as of yet and still commonly used?

  2. Are any other steps besides applying the updated needed? Shouldn’t any certificates created with the previous 11.8.x firmware be revoked and reissued? Should the device password be changed since the authentication webpage of the firewall was probably one of the components using OpenSSL?

  3. Roger B.A. Klorese Reply April 10, 2014 at 2:49 pm

    We will have a Knowledge Base article with detailed instructions up shortly. (Short answer: yes and yes.)

  4. Hi, I downloaded and installed the 11.8.3 U1 on our XTM boxes, but seems like the version number is not updated or at least does not show any indiacation that it is the U1 version in WSM. Using FSM I noticed the build version is 446065 but I don’t know what it was before, is this the correct build number for U1 or did I do something wrong?

    • Yes. That is the correct build number. We do not show Update 1 in the UI. Given the need to make an update available very quickly for this issue, we did not increment the minor revision number.

  5. So you’re going to charge me to make sure people can’t hack the firewall I bought from you?

  6. I was wondering if we also need to update the sslvpn client? The latest openvpn client 2.3.3 contains OpenSSL 1.0.1g, but Watchguard is still using OpenVPN 2.1_rc9.

    • Ah, found out OpenVPN 2.1 rc9 is using OpenSSL 0.9.8h and should not be affective, but nevertheless I would appreciate if watchguard updates the client, because there were a lot of issues, bug and security flaws for those older versions.

  7. Yes. The SSL VPN client is not affected by Heartbleed. We will look at upgrading the version used in the client in a future release.

  8. You will need to send a dispute letter to the credit bureaus and they
    will investigate with your creditors. Only one website has your free
    annual credit report and that is Annual – Credit
    – Report. There are many types of direct lenders you
    can choose from such as: banks, savings associations,
    mortgage companies and credit unions.

  9. Today, I went to the beachfront with my children. I found
    a sea shell and gave it to my 4 year old daughter and said “You can hear the ocean if you put this to your ear.” She put the shell to her ear and screamed.
    There was a hermit crab inside and it pinched her ear.

    She never wants to go back! LoL I know this is totally
    off topic but I had to tell someone!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: