-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SOFTWARE UPDATE

WATCHGUARD RELEASES SECURITY HOTFIX FOR VCLASS AND LEGACY RSSA APPLIANCES

PRODUCTS AFFECTED:

* Vclass appliances running the current version of Vclass software
* Legacy RSSA appliances running Vclass software
* Legacy RSSA appliances that have not yet upgraded to Vclass software

WatchGuard is pleased to announce the immediate availability of the following hotfixes for its Vclass line of appliances and Legacy RSSA appliances.

* Vclass 3.2 Hotfix 2, for Vclass and Legacy RSSA appliances running Vclass software
* RSSA Appliance v. 3.0.2 Hotfix 31, for Legacy RSSA appliances not yet running Vclass software

These hotfixes include remediation for the following security-related bugs in the Command Line Interface (CLI):

* A "format strings" type of vulnerability in the password validation code active during remote user login using SSH. The CLI program was abnormally terminated when verifying a password having an invalid format. This has been fixed.
* The SSH connection was not closed when a client logged in with the -N (do not execute remote command) option. This has been fixed.

These vulnerabilities in how the CLI handles unexpected input could be exploited to gain root level access to the appliance. WatchGuard is not aware of any functioning exploit code that will yield root level control of the appliance, although we believe that it is possible to develop such code. These hotfixes eliminate the vulnerabilities.

WatchGuard recommends that all affected customers download, test and install the appropriate version of this hotfix as soon as is practical. We further recommend, as a matter of good practice, that you verify that only trusted hosts can connect to the CLI.
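The "format strings" bug class named above is worth seeing next to its fix. The following C is an added illustration written for this page; it is not WatchGuard's CLI code, and the function names, the PW_MAX bound and the sample inputs are assumptions made for the example. The vulnerable shape is shown in a comment only; the two functions below show the defensive pattern (reject malformed input first, then only ever pass untrusted data as an argument to a fixed, literal format string).

```c
/* Added example, not WatchGuard code. Function names, PW_MAX and sample
 * inputs are assumptions made for illustration. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define PW_MAX 64  /* assumed upper bound on an acceptable password length */

/* Vulnerable pattern (shown only, never compiled or called here): the
 * untrusted password is handed to a printf-family function AS THE FORMAT
 * STRING. A value like "%s%s%s" makes the function read through bogus
 * pointers and abort the CLI, which matches the crash the advisory
 * describes; "%n" directives can turn the same defect into a memory write.
 *
 *     static void log_bad_password_unsafe(const char *pw)
 *     {
 *         char line[128];
 *         snprintf(line, sizeof line, pw);   // BUG: pw controls the format
 *     }
 */

/* Returns 1 if pw has an acceptable shape (1..PW_MAX bytes, printable
 * ASCII only), 0 otherwise. Checking shape up front keeps oversized or
 * binary input out of every later comparison and logging path. Note that
 * '%' is printable: the check does not try to "filter" format directives,
 * because the real fix is to never let the value become a format string. */
int password_well_formed(const char *pw)
{
    size_t n = strlen(pw);
    if (n == 0 || n > PW_MAX)
        return 0;
    for (size_t i = 0; i < n; i++) {
        if (!isprint((unsigned char)pw[i]))
            return 0;
    }
    return 1;
}

/* Hardened pattern: the format string is a literal and the untrusted value
 * is a "%s" argument, so any '%' characters in it are copied verbatim.
 * Returns the number of bytes written (excluding the NUL), or -1 if pw was
 * rejected or did not fit in out. */
int copy_password_safe(char *out, size_t outlen, const char *pw)
{
    if (!password_well_formed(pw))
        return -1;
    int w = snprintf(out, outlen, "%s", pw);
    if (w < 0 || (size_t)w >= outlen)
        return -1;
    return w;
}

/* Round-trip check used to demonstrate the property: returns 1 when the
 * hardened copy reproduces pw byte for byte, 0 otherwise. */
int safe_copy_preserves(const char *pw)
{
    char buf[PW_MAX + 1];
    int w = copy_password_safe(buf, sizeof buf, pw);
    return w == (int)strlen(pw) && strcmp(buf, pw) == 0;
}

int main(void)
{
    /* Constructed sample inputs for the stand-alone run. */
    const char *samples[] = { "hunter2", "%s%s%s%n", "", "abc\x01" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("well_formed=%d preserved=%d\n",
               password_well_formed(samples[i]),
               safe_copy_preserves(samples[i]));
    }
    return 0;
}
```

The point the round-trip makes is that a password full of conversion specifiers is just data on the hardened path: the same input that would crash the commented-out version is copied unchanged and then rejected or accepted on its merits by the validator. Compiling with -Wformat-security (GCC and Clang both support it) flags the unsafe call shape at build time, which is a cheap check to add to any C code base that logs user-supplied strings.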
WatchGuard thanks and acknowledges Joao Gouveia for his assistance in isolating these vulnerabilities.

HOW TO OBTAIN YOUR HOTFIX

* If you are a Vclass product LiveSecurity Subscriber, obtain this hotfix by downloading it from our LiveSecurity Web site <https://www3.watchguard.com/archive/softwarecenter.asp>, which also includes clear installation instructions in the release notes.
* If you own a legacy RSSA appliance, have already registered your product's RSSA support contract, and upgraded it to run Vclass software, please proceed to the Legacy RSSA software download center <http://watchguard.com/vars/rssa.asp>.
* If you own a legacy RSSA appliance and have not yet upgraded to Vclass software, you can download a version of the hotfix that is compatible with your current software and a copy of the release notes from the Legacy RSSA software download center <http://watchguard.com/vars/rssa.asp>.
* If you own a legacy RSSA appliance and do not have a Standard or Gold RSSA support contract, please register or purchase your support contract for your RSSA product by contacting the WatchGuard Support Administration Department at +1.206.521.3575 between the hours of 6:00 am and 6:00 pm Pacific Time (PST/PDT, GMT -8/-7), Monday through Friday, or via e-mail at supportid@watchguard.com <mailto:supportid@watchguard.com>. Please have the serial number of your product(s) available when you contact us and identify yourself as a "RapidStream RSSA customer." We will be happy to answer any questions about WatchGuard's support programs at that time.

As always, if you need support, please enter a support incident online <https://support.watchguard.com/incidents/NewIncident.asp?> or call our support staff directly:

U.S. Customers: 877.232.3531
International Customers: +1.360.482.1083
WatchGuard Partners: +1.206.521.8375

- - - ------------------------------------------------------
Copyright 2002 WatchGuard Technologies, Incorporated. All Rights Reserved.
WatchGuard, LiveSecurity, Firebox and ServerLock are registered trademarks or trademarks of WatchGuard Technologies, Inc. in the United States and/or other countries. All other trademarks are the property of their respective owners. You may not modify, reproduce, republish, post, transmit or distribute this content except as expressly permitted in writing by WatchGuard Technologies, Inc.
======================================================

Steve Fallin
Director, Rapid Response Team
mailto:steve.fallin@watchguard.com
Phone +1 206 521 8340
+++++++++++++++++++++++++++++++++
WatchGuard Technologies, Inc
Designing Peace of Mind (tm)
505 Fifth Avenue South, Suite 500
Seattle, WA 98104
http://www.watchguard.com

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQA/AwUBPZS8+k3Vi9lbkWzpEQLikQCeKrE3Xy0REXvEpenfUy3M9N+3yYIAmwTP
sZ8Bm5RL380Lev+PYAm38WVc
=qWY9
-----END PGP SIGNATURE-----