OpenSSL Patches Six Vulnerabilities, Including a MitM Flaw

OpenSSL CCS InjectionToday, the OpenSSL team released a critical update for their popular SSL/TLS package, which fixes six security vulnerabilities in their product, including a relatively serious Man-in-the-Middle (MitM) flaw. If you use OpenSSL, you should read up on these issues and update OpenSSL immediately. WatchGuard products, like many others that use OpenSSL, are affected by these issues to different extents. Our engineers are diligently working to release patches for these flaws as soon as possible.

OpenSSL is a very popular implementation of the SSL/TLS cryptography protocols, used to encrypt many network communications, including secure web communications. This week, the OpenSSL team released an update that fixes six vulnerabilities, including some publicly reported ones. Combined, the flaws affect all current versions of OpenSSL to some extent.

The flaws differ technically, and in scope and impact. For instance, one is a buffer overflow flaw that could allow attackers to execute code, assuming you use a particular OpenSSL feature (DTLS), while another allows attackers to crash OpenSSL, resulting in a Denial of Service (DoS) situation. However, the flaw recieving the most attention is a MitM vulnerability involving OpenSSL’s ChangeCipherSpec functionality. In short, if an attacker can get between a client and server, both of which have vulnerable versions of OpenSSL, he can exploit this flaw to decrypt SSL communications.

While this sounds fairly serious, there are a number of mitigating factor that lessen the severity of the MitM flaw. While all versions of the OpenSSL client are vulnerable to this issue, only two server versions are vulnerable. Also, very few client programs or devices use OpenSSL to make client connections. For instance, the popular browsers aren’t vulnerable to this issue. Finally, the attacker needs to intercept traffic between the client and server for this attack to succeed. Based on these factors, Android devices running on wireless networks pose the most risk, since Android is one of the platforms that uses the OpenSSL client, and wireless networks make it easier to intercept other’s traffic.

In the end, these flaws are not as severe as the previous Heartbleed vulnerability (attackers could exploit that from anywhere, without intercepting traffic). Nonetheless, we highly recommend OpenSSL administrators install the patch immediately, and start looking for updates from other vendors who use OpenSSL in their own products.

WatchGuard Products – (Updated on Jun-17)

Finally, WatchGuard appliances are affected by some of these vulnerabilities (to varying degrees). Although they do not have the same level of impact as Heartbleed, a broader range of OpenSSL versions are vulnerable. WatchGuard products impacted are:

  • Fireware XTM version 11.3 to 11.9 and associated WSM management software
  • SSL VPN clients for XTM
  • XCS
  • SSL VPN appliance

The level of risk is relatively low, but WatchGuard will release updated versions for all affected software for devices that are under support. Unlike Heartbleed, certificates do NOT need to be updated. Our IPS signature team has also released signatures to address one of the vulnerabilities (CVE-2014-3466) in signature set 4.422. Estimated release dates and version numbers for patched firmware, including SSL VPN clients, are:

  • XCS Hotfix – June 10th for version 10, June 11th for version 9. Posted!
  • 11.3.8 – June 12th (for e-Series devices) – Posted
  • 11.6.8 – June 13th (for XTM 21/22/23 devices) – Posted
  • 11.7.5 – June 12th – Posted
  • 11.8.4 – June 23rd – Posted
  • 11.9.1 – June 24th – Posted

These dates are subject to change depending on outcome of Quality Assurance process. WatchGuard will continue to provide latest information about these vulnerabilities and latest status on release dates in this blog post.

— Corey Nachreiner, CISSP (@SecAdept),  Brendan Patterson, CISSP


About Corey Nachreiner

Corey Nachreiner has been with WatchGuard since 1999 and has since written more than a thousand concise security alerts and easily-understood educational articles for WatchGuard users. His security training videos have generated hundreds of letters of praise from thankful customers and accumulated more than 100,000 views on YouTube and Google Video. A Certified Information Systems Security Professional (CISSP), Corey speaks internationally and is often quoted by other online sources, including C|NET, eWeek, and Slashdot. Corey enjoys "modding" any technical gizmo he can get his hands on, and considers himself a hacker in the old sense of the word.

9 Responses to “OpenSSL Patches Six Vulnerabilities, Including a MitM Flaw”

  1. Do you have any updates on the patch release date?

  2. The hot fix for XCS 10.0 has been posted to LiveSecurity and to SCGate.

  3. While the post says XTM OS 11.8.4 is available and 11.9.1 is pending, I found the exact opposite logging into WatchGuard support. 11.9.1 is available; but 11.8.4 is nowhere to be found.

  4. 11.8.4 was released approximately 24 hours later. Thank you.

  5. hi, i have WatchGuard XTM 330, is necessary the update?

    • Yes, If you have any XTM appliance, you should update. At this point all the updates are out, including 11.9.1. If you have a 330, 11.9.1 is probably the one you want, but if you are sticking with 11.8.x for any reason, you can also install 11.8.4.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: