On April 7, 2014, the Heartbleed bug made industry news, as it causes a serious vulnerability to the OpenSSL cryptographic software library.
WebMux is vulnerable to the Heartbleed bug only if both SSL termination is enable (with PKI keys on the WebMux) and the webMux firmware is version 9.2.00 or newer
NOTE: If you permit access to the WebMux on port 35 (the default HTTPS administration port), this port will be vulnerable if you are running version 9.2 or newer. We recommend that you do not allow inbound access to port 35 unless it is from a trusted IP address.
Our WebMux firmware patch tackles the latest OpenSSL vulnerability (CERT Vulnerability Note VU #720951). This vulnerability is a bug in the code of the “Heartbeat Extension” (RFC 6520) for transport layer security (TLS). It allows an attacker to repeatedly retrieve 64kB chunks of data, like:
- Primary key material – secret keys
- Secondary key material – user names and passwords used by the vulnerable services
- Protected content – sensitive data used by the vulnerable services
- Collateral – memory addresses and content that can be leveraged to bypass exploit mitigations
At this time, there does not appear to be a simple method for mitigation nor detection.
If you are interested in the WebMux Heartbeat firmware update,
- Connect to your WebMux units – https://:35/cgi-bin/about
- Copy the information on the “about” page for each of your units, and paste it into an email to ‘firstname.lastname@example.org.’ A sample of an “about” page is provided below.
- Please include your name and phone number, as well as any alternate contacts.
Sample of “about” page information:
WebMux version 10.0.01p3 built Nov 20 2013 14:16:02
patch level: none
model: WebMux (part number A500X) with AAL accelerator chip
serial number A5005X-1X42817 manufactured Aug 01 2013
CPU speed: 2800.77 MHz
total memory: 8152176 k
configured as: two-armed server LAN NAT (without SNAT)