Security Advisory
Original Publication Date: 11-04-2014
Updated Date: 26-04-2014

On Monday, the OpenSSL team released a critical update for their popular SSL/TLS package (OpenSSL 1.0.1g), which fixed the OpenSSL Heartbleed Vulnerability. Cyberoam, like many others, also uses OpenSSL, but we are happy to announce that most of the publicly available versions of CyberoamOS are not affected, as they do not run on the compromised versions of OpenSSL. Only a limited number of customers run affected versions. For the affected versions, Cyberoam released firmware upgrade 10.6.1 RC-4 on April 12, 2014. We request all customers using the affected versions to upgrade to this version immediately.

Note: This advisory will be updated as additional information is available.

What is the Heartbleed Vulnerability?

An information disclosure vulnerability (CVE-2014-0160) has been discovered in the 1.0.1 and 1.0.2-beta releases of OpenSSL, including 1.0.1f and 1.0.2-beta1. The vulnerability is due to a missing bounds check in the handling of the Transport Layer Security (TLS) heartbeat extension. It may allow an attacker to retrieve memory in chunks of up to 64 kilobytes from a connected client or server. This means an attacker can obtain sensitive information (private keys, login credentials for Internet banking, e-mail, social networking sites etc., or the contents of encrypted traffic) from a connected client or server by sending specially crafted TLS “heartbeat” requests.

Affected CyberoamOS Versions

· 10.6.0 Beta-3
· 10.6.1 RC-1

Workaround

1. Firmware Fix

The vulnerability is fixed in firmware 10.6.1 RC-4, and Cyberoam released the firmware upgrade for the affected CyberoamOS versions on April 12, 2014. Please note that this vulnerability does not affect anyone using any other earlier version of CyberoamOS.

Obtaining Fixed Firmware

Cyberoam customers using the affected versions can download the fixed firmware 10.6.1 RC-4 from the Dashboard of their Appliances.

2. IPS Signature

To mitigate the Heartbleed vulnerability, Cyberoam has released IPS Signature Versions 3.11.61 and 5.11.61 containing an IPS signature named “OpenSSL TLS DTLS Heartbeat Information Disclosure”. By default, once the IPS policy with the signature “OpenSSL TLS DTLS Heartbeat Information Disclosure” is applied through the Firewall, all SSL connections attempting to exploit the said vulnerability will be dropped. We request all Cyberoam customers to verify the version of the IPS Signature from the Dashboard of their Appliances.

Click here to read the Release Notes for IPS Signature Versions 3.11.61 and 5.11.61. Click here for detailed information on applying the Firmware Fix and updating the IPS Signature Version.

3. After upgrading or taking steps to mitigate this vulnerability, Cyberoam also recommends that all customers apply the fix provided by the OpenSSL team in their applications, such as web services etc., which use the compromised versions of OpenSSL.

4. Cyberoam recommends disabling all non-mission-critical SSL services and applications running on the compromised OpenSSL versions.

5. In addition, Cyberoam recommends renewing/updating all Digital Certificates, including the Appliance Certificate, SSL CA Certificate and Self-Signed Certificate. Click here for detailed information on renewing/updating a Digital Certificate.

References

· http://heartbleed.com/

Revision History

Revision 1.0 | 11 April 2014 | Initial public release containing information about affected CyberoamOS versions and how to mitigate the vulnerability using Cyberoam IPS.
Revision 1.1 | 12 April 2014 | Updated Solution section with information about the CyberoamOS firmware upgrade that addresses the vulnerability.
Revision 1.2 | 14 April 2014 | Updated Solution section with links to the Release Notes of IPS Signature Versions 3.11.61 and 5.11.61.
Revision 1.3 | 26 April 2014 | Updated Solution section with links to KB articles titled “Mitigate Heartbleed Vulnerability: Firmware Fix” and “Mitigate Heartbleed Vulnerability: Additional Security Fix”.
Document Version: 1.3-26/04/2014
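Added example, not part of the Cyberoam advisory and not Cyberoam's IPS code: a Python check that applies the bounds test described under "What is the Heartbleed Vulnerability?" to a single TLS heartbeat record, which is the same comparison an IPS signature such as the one in Workaround 2 has to make before dropping a connection. The byte strings are constructed test records, not captured traffic, and the version helper covers only the OpenSSL releases the advisory names (1.0.1 through 1.0.1f and 1.0.2-beta1 affected, 1.0.1g fixed).

```python
import re
import struct

TLS_HEARTBEAT = 24     # TLS record content type for heartbeat messages (RFC 6520)
HB_MIN_PADDING = 16    # RFC 6520 requires at least 16 bytes of padding per message


def check_heartbeat_record(record: bytes) -> dict:
    """Apply the bounds check that CVE-2014-0160 lacked to one TLS record.

    Verdicts:
      'ok'            declared payload plus minimum padding fits in the record
      'oversized'     declared payload does not fit (the Heartbleed pattern)
      'truncated'     record is shorter than its own header claims
      'not_heartbeat' some other TLS content type
    """
    if len(record) < 5:
        return {"verdict": "truncated"}
    content_type, _version, record_len = struct.unpack("!BHH", record[:5])
    if content_type != TLS_HEARTBEAT:
        return {"verdict": "not_heartbeat", "content_type": content_type}
    body = record[5:5 + record_len]
    if record_len < 3 or len(body) != record_len:
        return {"verdict": "truncated"}
    hb_type = body[0]
    (payload_len,) = struct.unpack("!H", body[1:3])
    # The missing check: type (1) + length (2) + declared payload + minimum
    # padding (16) must fit inside the record. An unpatched responder copied
    # payload_len bytes out of its own memory regardless of record_len.
    verdict = "oversized" if 1 + 2 + payload_len + HB_MIN_PADDING > record_len else "ok"
    return {"verdict": verdict, "hb_type": hb_type,
            "declared_payload": payload_len, "record_len": record_len}


# Constructed test records (not captured traffic). Header: content type 0x18,
# TLS 1.1, 16-bit record length; body: heartbeat type 0x01 (request),
# 16-bit declared payload length, payload, padding.
BENIGN_HEARTBEAT = (b"\x18\x03\x02\x00\x17"        # 23-byte record
                    + b"\x01" + b"\x00\x04"          # request, payload length 4
                    + b"ping" + b"\x00" * 16)        # payload + 16 bytes padding
OVERSIZED_HEARTBEAT = (b"\x18\x03\x02\x00\x17"     # same 23-byte record ...
                       + b"\x01" + b"\x10\x00"       # ... but declares a 4096-byte payload
                       + b"ping" + b"\x00" * 16)
TRUNCATED_HEARTBEAT = b"\x18\x03\x02\x00\x40" + b"\x01\x00\x04"   # header claims 64 bytes, 3 present
HANDSHAKE_RECORD = b"\x16\x03\x02\x00\x05" + b"hello"            # content type 22, not a heartbeat


def count_oversized(records) -> int:
    """Count the records a monitor such as an IPS signature would drop."""
    return sum(1 for r in records if check_heartbeat_record(r)["verdict"] == "oversized")


_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-beta(\d+))?$")


def openssl_version_affected(version: str) -> bool:
    """True for the OpenSSL releases the advisory names as vulnerable:
    1.0.1 through 1.0.1f and 1.0.2-beta1. 1.0.1g carries the fix; the
    0.9.8 and 1.0.0 branches never had the heartbeat code."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {version!r}")
    major, minor, patch, letter, beta = m.groups()
    base = (int(major), int(minor), int(patch))
    if base == (1, 0, 1):
        return letter <= "f"          # '' (plain 1.0.1) sorts before 'a'
    if base == (1, 0, 2):
        return beta == "1"            # only 1.0.2-beta1 is named by the advisory
    return False


if __name__ == "__main__":
    for name, rec in [("benign", BENIGN_HEARTBEAT), ("oversized", OVERSIZED_HEARTBEAT),
                      ("truncated", TRUNCATED_HEARTBEAT), ("handshake", HANDSHAKE_RECORD)]:
        print(f"{name:10s} -> {check_heartbeat_record(rec)}")
    for v in ["1.0.1f", "1.0.1g", "1.0.2-beta1", "1.0.0"]:
        print(f"OpenSSL {v}: {'affected' if openssl_version_affected(v) else 'not affected'}")
```

The record check reproduces the arithmetic of the fix in OpenSSL 1.0.1g: the declared payload length is trusted only when, together with the 3-byte heartbeat header and the 16 bytes of mandatory padding, it fits inside the TLS record actually received. The version helper is a convenience for inventorying the applications Workaround 3 refers to; it deliberately answers only for the releases the advisory lists.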