Dmitriy Ayrapetov
Director, Product Management – Network Security
I would like to follow up on Heartbleed and the information that is available for your use.
First, on the product side, you all should be aware of the following:
a. Firewalls: not vulnerable and have been providing protection against Heartbleed since April 8th (for more info, click on the blog and read the rest of the email)
b. Email Security: not vulnerable
c. SRA/SSL VPN: vulnerable, patches and information available in the bulletin below.
d. GMS: UMA/VM are not vulnerable, Windows install is vulnerable, patches and information are available in the bulletin below.
We posted a product bulletin on the support section of the site for the affected products. For your reference, here’s the direct link to the bulletin:
Additionally, today we posted a blog that outlines our protection efforts over the past two weeks against Heartbleed along with some recommendations. Please share it and use it as a resource when asked about what Dell SonicWALL firewalls can do and have done for protection. You can find it at the following link:
I received some questions asking why the firewalls were not vulnerable – whether it was IPS that protected our firewalls or whether it is because we do not use OpenSSL. This question came up a few times so I think it’s important to address it and for you to understand. The firewalls DO use OpenSSL, but are inherently not vulnerable. That means that whether or not you have IPS enabled, the firewall is not vulnerable to the attack.
Why?
While we use OpenSSL in our products, remember that just having OpenSSL does *not* make you automatically vulnerable. What opens up a vulnerability in the product is having a version of OpenSSL (1.0.1 versions) in which the Heartbeat feature is present. We can get more granular: What makes products vulnerable is having OpenSSL with the Heartbeat feature enabled. Without disclosing too much, I assure you that our firewalls do not fall into either one of those categories – whether for the management interface or for SSL VPN.
All affected customers have been contacted. Additionally, we’re looking at creating a webinar on the topic and you should see a partner communication soon as well.
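The two conditions described above (an OpenSSL 1.0.1 build, and Heartbeat actually compiled in) can be checked from the output of `openssl version -a`. The script below is an added example, not part of the original message or any Dell SonicWALL code. The host names and sample outputs are constructed, and because the message does not name the fixed release, every 1.0.1 build with Heartbeat present is flagged for review against the vendor bulletin.

```python
import re

# Constructed `openssl version -a` outputs; host names and build details are made up.
SAMPLES = {
    "host-a": "OpenSSL 1.0.1e 11 Feb 2013\n"
              "platform: linux-x86_64\n"
              "compiler: gcc -fPIC -DOPENSSL_THREADS -O2\n",
    "host-b": "OpenSSL 1.0.1e-fips 11 Feb 2013\n"
              "platform: linux-x86_64\n"
              "compiler: gcc -fPIC -DOPENSSL_NO_HEARTBEATS -O2\n",
    "host-c": "OpenSSL 0.9.8y 5 Feb 2013\n"
              "platform: linux-x86_64\n"
              "compiler: gcc -fPIC -O2\n",
}

VERSION_RE = re.compile(r"^OpenSSL\s+(\d+\.\d+\.\d+)([a-z]*)", re.M)
COMPILER_RE = re.compile(r"^compiler:\s*(.*)$", re.M)


def classify(version_output):
    """Return (status, reason) for one `openssl version -a` dump."""
    m = VERSION_RE.search(version_output)
    if not m:
        return ("unknown", "no OpenSSL version line found")
    series, letter = m.groups()
    # Condition 1 from the message: only the 1.0.1 series is in scope.
    if series != "1.0.1":
        return ("not-exposed", f"{series}{letter} is outside the 1.0.1 series")
    c = COMPILER_RE.search(version_output)
    if c is None:
        return ("review", "1.0.1 build, compiler flags not reported")
    # Condition 2: Heartbeat must be compiled in; this define removes it.
    if "-DOPENSSL_NO_HEARTBEATS" in c.group(1).split():
        return ("not-exposed", "1.0.1 build with Heartbeat compiled out")
    return ("review", f"{series}{letter} with Heartbeat present; check vendor bulletin")


def triage(samples):
    """Classify every host in a {name: version_output} mapping."""
    return {host: classify(text) for host, text in samples.items()}


if __name__ == "__main__":
    for host, (status, reason) in triage(SAMPLES).items():
        print(f"{host}: {status} ({reason})")
```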