Innominate has released a new firmware version that mitigates the OpenSSL Heartbleed vulnerability in its mGuard products, according to a report from ICS-CERT.
This vulnerability, discovered by researcher Bob Radvanovsky of Infracritical, can be exploited remotely. Exploits that target the OpenSSL Heartbleed vulnerability are publicly available.
mGuard firmware Versions 8.0.0 and 8.0.1 suffer from the issue.
mGuard firmware Versions 8.0.0 and 8.0.1 use OpenSSL Version 1.0.1, a cryptographic library and transport layer security (TLS) implementation known to be vulnerable to Heartbleed.
Innominate is a Germany-based company that sells products worldwide through its international partners.
The affected products, the mGuard family of industrial security routers, are deployed in critical infrastructure sectors including communications, healthcare and public health, and critical manufacturing.
Because the memory layout of the HTTPS communication is unpredictable, the private key of the mGuard web graphical user interface could be disclosed. An attacker could use this key to impersonate the authenticated user and perform a man-in-the-middle attack.
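As an added illustration that is not part of the ICS-CERT report or Innominate's firmware, the code below implements the RFC 6520 heartbeat length check that the vulnerable OpenSSL 1.0.1 omitted, and measures how far past the received record an unchecked implementation would read. The two TLS records are constructed samples, not real captures.

```python
import struct

HEARTBEAT_CONTENT_TYPE = 24   # TLS ContentType for heartbeat (RFC 6520)
PADDING_MIN = 16              # RFC 6520: at least 16 bytes of padding
HB_REQUEST, HB_RESPONSE = 1, 2

def parse_tls_record(data: bytes):
    """Split a raw TLS record into (content_type, version, body)."""
    if len(data) < 5:
        raise ValueError("truncated TLS record header")
    content_type, version, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("record body shorter than declared length")
    return content_type, version, body

def heartbeat_is_wellformed(body: bytes) -> bool:
    """The RFC 6520 check missing from OpenSSL 1.0.1 before 1.0.1g: the
    declared payload, plus 1 type byte, 2 length bytes and 16 bytes of
    padding, must fit inside the record that actually arrived."""
    if len(body) < 3 or body[0] not in (HB_REQUEST, HB_RESPONSE):
        return False
    payload_length = struct.unpack("!H", body[1:3])[0]
    return 1 + 2 + payload_length + PADDING_MIN <= len(body)

def unchecked_overread(body: bytes) -> int:
    """Bytes an implementation that trusts payload_length would copy from
    beyond the received record, i.e. from adjacent process memory."""
    payload_length = struct.unpack("!H", body[1:3])[0]
    return max(0, payload_length - (len(body) - 3))

def classify_record(data: bytes) -> str:
    """Label a record 'ok', 'malformed-heartbeat' or 'non-heartbeat'."""
    content_type, _, body = parse_tls_record(data)
    if content_type != HEARTBEAT_CONTENT_TYPE:
        return "non-heartbeat"
    return "ok" if heartbeat_is_wellformed(body) else "malformed-heartbeat"

# Constructed samples (not real captures). Both bodies are 24 bytes:
# type(1) + length(2) + "hello"(5) + padding(16). The first declares the
# true payload length; the second declares 0xFFFF, far beyond the record.
GOOD_RECORD = b"\x18\x03\x02\x00\x18" + b"\x01\x00\x05" + b"hello" + b"\x00" * 16
BAD_RECORD = b"\x18\x03\x02\x00\x18" + b"\x01\xff\xff" + b"hello" + b"\x00" * 16

if __name__ == "__main__":
    for name, rec in (("good", GOOD_RECORD), ("bad", BAD_RECORD)):
        print(name, classify_record(rec), "over-read:", unchecked_overread(rec[5:]))
```

The same comparison of declared payload length against record length is what network-level Heartbleed signatures look for, so `classify_record` doubles as a minimal detector over captured records.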
CVE-2014-0160 is the identifier assigned to this vulnerability, which has a CVSS v2 base score of 5.0.
An attacker with low skill would be able to exploit this vulnerability.
All users of the affected mGuard firmware Versions 8.0.0 and 8.0.1 should upgrade to mGuard firmware Version 8.0.2. Innominate recommends that users replace the SSL keys on affected products after the upgrade, because keys that may already have been disclosed are not protected by the upgrade alone. mGuard firmware Version 8.0.2 provides a combined function to replace both the HTTPS and SSH keys.
For more information about this vulnerability and specific instructions on installing the latest firmware version, see the Innominate Security Advisory.