Heartbleed: Recommended steps for UTM

  • Article ID: 120851
  • Updated: 11 Jul 2014

Important:  This article may receive periodic updates.  If you have any problems following the steps in this article, or a step does not return the expected results, please contact our support line through the link at the bottom of this page.

Sophos UTM v9.1 and v9.2 are affected by the OpenSSL 'Heartbleed' vulnerability (CVE-2014-0160). We therefore strongly recommend that customers patch their Sophos UTMs. This article explains how to download the patch, apply it to your UTM and regenerate the SSL certificates. Because Heartbleed lets a remote attacker read memory of the affected process, which may contain private keys, session data and passwords, patching alone is not sufficient: the certificates and credentials covered below must be replaced as well.

For information on other affected products, such as Sophos UTM Manager (SUM), see KBA 120854.

Applies to the following Sophos product(s) and version(s)

Sophos UTM v9.1 and v9.2

Which UTM modules are affected?

The following modules are affected:

  • Reverse proxy
  • WebAdmin
  • SSL VPN (Remote Access and site-to-site VPN)
  • Windows clients for SSL VPN
  • RED
  • HTTP proxy
  • SMTP
  • POP3
  • Cisco VPN

Summary of steps

  1. Install the patch
  2. Print your configuration
  3. Reboot the UTM
  4. Regenerate certificates
  5. Change your passwords

Each of the steps above is explained in detail below. It is important to follow the steps in the order listed. If you have problems, contact Technical Support (link at the bottom of this article).

1. Install the patch

Note: If you are already running firmware release 9.111-7 or 9.201-23 you do not need to follow this step.

How to manually apply an Up2Date package

Although the update process through WebAdmin is not itself affected by the Heartbleed bug, we recommend installing the patch manually through shell access (SSH) to the UTM once the UTM has been connected to the internet and your local network. Instructions for configuring shell access on the UTM are provided in KBA 115120.

Options for SSH Access to the UTM

  • Console

This is the easiest way to log in to the UTM shell and requires no additional software such as PuTTY. Attach a monitor and USB keyboard to the UTM and you can log in directly with the root username and password you set in KBA 115120.

  • Mac/Linux

Mac and Linux users can use the Terminal application (ssh) to log in remotely to the UTM.

  • Windows

Download the PuTTY application and follow the steps in KBA 115863 to connect to the UTM shell.

Download updates and install 

Firmware versions from 9.100-8 to 9.107-33

First update to 9.109-1 through WebAdmin (Management | Up2Date) by applying the updates one at a time rather than clicking the button "Update to latest version now". Then continue with the steps for 9.109-1 and later below.

Firmware versions from 9.109-1 to 9.2x

  1. Log on to the shell of the UTM as loginuser (when connecting remotely via SSH rather than from a console) and gain root access with the command su - , providing the root password. If you are working at a console with a keyboard attached directly to the UTM, you can log in directly as root.

  2. Change to the Up2Date directory: cd /var/up2date/sys

  3. Download the Up2Date packages that match your current firmware (9.1x or 9.2x) by running the appropriate wget command(s) below.

    (Firmware 9.1x)

    9.109-1 update to 9.111-7
    (Heartbleed patched release)

      wget ftp://ftp.astaro.de/UTM/v9/up2date/u2d-sys-9.109001-110022.tgz.gpg
      wget ftp://ftp.astaro.de/UTM/v9/up2date/u2d-sys-9.110022-111007.tgz.gpg

    9.111-2 to 9.111-7 (Heartbleed patched release for 9.1x)

      wget ftp://ftp.astaro.de/UTM/v9/up2date/u2d-sys-9.111002-111007.tgz.gpg

    (Firmware 9.2x)

    9.200-11 to 9.201-23
    (Heartbleed patched release for 9.2x)

      wget ftp://ftp.astaro.de/UTM/v9/up2date/u2d-sys-9.200011-201023.tgz.gpg

  4. Run the following command to let Up2Date read the downloaded packages and display their descriptions (this confirms they were downloaded correctly): auisys.plx --showdesc

  5. Run the following command to finish the update: cc system_up2date system_update

    Note:
    The System administrator will receive a notification email once the Up2Date process has finished.

  6. The system reboots automatically once the patch has been applied.

    Note: If you are not familiar (or comfortable) with accessing the UTM through the shell and running these manual update commands, please contact our support service through the link at the bottom of this page.

If you have a new UTM device that has never been connected to the internet or your local network:

In this case you can install the packages via WebAdmin instead.

Before you can trigger the update, download the required package(s) to your local system:

9.107-33 update to 9.109-1 (both updates are needed)

ftp://ftp.astaro.de/UTM/v9/up2date/u2d-sys-9.107033-108023.tgz.gpg (MD5) (first update: from 9.107 to 9.108)

ftp://ftp.astaro.de/UTM/v9/up2date/u2d-sys-9.108023-109001.tgz.gpg (MD5) (second update: from 9.108 to 9.109)

9.109-1 update to 9.111-7 (both updates are needed)

ftp://ftp.astaro.de/UTM/v9/up2date/u2d-sys-9.109001-110022.tgz.gpg (MD5) (first update: from 9.109 to 9.110)

ftp://ftp.astaro.de/UTM/v9/up2date/u2d-sys-9.110022-111007.tgz.gpg (MD5) (second update: from 9.110 to 9.111)

9.111-2 to 9.111-7 (Heartbleed patched release for 9.1x)

ftp://ftp.astaro.de/UTM/v9/up2date/u2d-sys-9.111002-111007.tgz.gpg (MD5)

9.200-11 to 9.201-23 (Heartbleed patched release for 9.2x)

ftp://ftp.astaro.de/UTM/v9/up2date/u2d-sys-9.200011-201023.tgz.gpg (MD5)

Now you can install the package via the WebAdmin. Therefore proceed as follows:

Note: Repeat the upload and update steps for each package until you are on at least version 9.111-7 (9.1x) or 9.201-23 (9.2x).

  1. Login to the WebAdmin
  2. Navigate to Management | Up2Date | Advanced
  3. Click on the Folder icon
  4. Click Choose File and select the package you just downloaded to your local system
  5. Once you selected the correct package click on "Start Upload"
  6. When the upload has been completed click on Apply
  7. To start the update, switch to Management | Up2Date | Overview and click the button "Update to latest version now"

For more detailed information please check our update instructions for new Sophos UTM hardware:

Instructions for new Sophos UTM hardware

2. Print your configuration

To ensure you have a copy of your current configuration, logon to the WebAdmin and navigate to Support | Printable Configuration and save the output locally.

3. Reboot the UTM

Navigate to Management | Shutdown/Restart and click Restart (Reboot) the system now.

4. Regenerate certificates and the corresponding CAs

The next step is to regenerate the certificates for the following modules:

For WebAdmin:

Note: It is not sufficient to regenerate only the WebAdmin certificate via Re-generate WebAdmin certificate in WebAdmin, because that certificate is issued by the WebAdmin CA, which must be replaced as well. You first have to regenerate the CA via the confd client (cc) as described below. If you skipped this step because the initial version of this article did not include it, do it now.

To regenerate the CA proceed as follows:

  1. Login to the shell of the UTM first as loginuser and then get root: su -
  2. Now type in the following command to open the ConfdClient: cc
  3. Within the ConfdClient switch to raw mode with the command: RAW
  4. Now regenerate the CA with:

    ca_generate_signing_ca
    ({name=>'webadmin ca', key_size=>2048, country=>'CountryAcronym', state=>'StateName', city=>'CityName', organization=>'OrganizationName', common_name=>'UTMhostname', email=>'mailaddress@maildomain.com'})

    Note:
    Adapt the country, state, city, organization, common_name and email strings to your own UTM settings. The country field must be the two-letter country code in upper case, e.g. CA or DE.

    The result should be: result: 'REF_CaSigWebadminCa2'. Note the REF value that is actually returned; if it differs, use that value in step 8 instead.

  5. Switch back to main mode: MAIN
  6. Navigate to: webadmin
  7. Now type in: ca$
  8. The last step is to assign the new CA to the WebAdmin with: =REF_CaSigWebadminCa2
    Note: The result should be 1.

The next step is to re-generate the WebAdmin certificate with the new CA:

  1. Navigate to 'Management | WebAdmin Settings | HTTPS Certificate'.
  2. In the area Re-generate WebAdmin certificate click 'Apply'.

The WebAdmin certificate will be regenerated. Your UTM will reload automatically and you will have to re-login.

For IPSec Site-to-Site VPN:

If you use the UTM's VPN CA for IPSec Site-to-Site VPN as well as for SSL Site-to-Site VPN, proceed as follows:

Note: If you are only using IPSec Site-to-Site VPN without SSL Site-to-Site VPN you do not have to consider these steps.

  1. Navigate to 'Site-to-site VPN | Certificate Management | Advanced'.
  2. Click Apply.
    A warning appears which informs you about the impact on all VPN user certificates.
  3. Confirm the warning by clicking OK.

The CA will be regenerated. UTM informs you about success.

For SSL Site-to-Site VPN:

In case you are using SSL Site-to-Site VPN proceed as follows:

  1. Navigate to 'Site-to-site VPN | Certificate Management | Advanced'.
  2. Click Apply.
    A warning appears which informs you about the impact on all VPN user certificates.
  3. Confirm the warning by clicking OK.

The CA will be regenerated. UTM informs you about success.

Note: Once the CA is regenerated for the SSL Site-to-Site VPN, you have to deploy the new VPN configuration to the remote gateway, because regenerating the CA breaks the existing VPN connection to the remote gateway.

For IPSec Remote Access VPN:

If you use the UTM's VPN CA for IPSec Remote Access VPN as well as for SSL Remote Access VPN, proceed as follows:

Note: If you are only using IPSec Remote Access VPN without SSL Remote Access VPN you do not have to consider these steps.

  1. Navigate to 'Remote Access | Certificate Management | Advanced'.
  2. Click Apply.
    A warning appears which informs you about the impact on all VPN user certificates.
  3. Confirm the warning by clicking OK.

The CA will be regenerated. UTM informs you about success.

For SSL Remote Access VPN:

In case you are using SSL Remote Access VPN proceed as follows:

  1. Navigate to 'Remote Access | Certificate Management | Advanced'.
  2. Click Apply.
    A warning appears which informs you about the impact on all VPN user certificates.
  3. Confirm the warning by clicking OK.

The CA will be regenerated. UTM informs you about success.

Note: Once the CA is regenerated, you have to deploy the new VPN configuration to all of your clients, because regenerating the CA causes all VPN clients to lose their remote connection.

Note for SSL VPN Client: To protect clients against malicious SSL VPN servers and man-in-the-middle attacks, it is highly recommended to not only redeploy new SSL VPN configurations, but also update the client to the latest version.

For HTML5 VPN Portal:

If you use HTTPS encrypted HTML5 VPN portal connections to UTM or SUM you have to regenerate the certificates. Proceed as follows:

  1. Navigate to 'Remote Access | HTML5 VPN Portal | Global'.
  2. Click Edit next to the affected HTML5 VPN Portal connection.
  3. Paste the regenerated host certificate into the field 'SSL host certificate'.
  4. Click Save.

The regenerated certificate is active.

For Cisco VPN:

If you use the UTM's VPN CA for Cisco VPN as well as for SSL Remote Access VPN, proceed as follows:

Note: If you are only using Cisco VPN without SSL Remote Access VPN you do not have to consider these steps.

  1. Navigate to 'Remote Access | Certificate Management'
  2. Click  'New certificate...'
  3. Fill in the details for the new certificate (keep in mind that the common name (CN) of the server certificate has to match the hostname)
  4. Navigate to 'Remote Access | Cisco VPN Client' and choose the newly created certificate in the server settings
  5. Click 'Apply'

The regenerated certificate is active.

Note: Once the CA is regenerated, you have to deploy the new VPN configuration to all of your clients, because regenerating the CA causes all VPN clients to lose their remote connection.

For Webserver Protection:

To regenerate the certificates for Webserver Protection, proceed as follows:

  1. Navigate to 'Webserver Protection | Web Application Firewall | Virtual Webserver'.
  2. Click Edit next to the affected virtual webserver (with HTTPS encryption).
  3. Select the regenerated certificate.
    Regenerated certificates can be recognized by the '(regenerated)' information next to the certificate name.
  4. Click Save.

The regenerated certificate is now active. Repeat this for every other affected virtual webserver.

For SMTP:

If you use certificates generated by the UTM for SMTP and TLS is enabled in the SMTP settings, regenerate those certificates.
Proceed as follows:

  1. Regenerate the certificate that you selected for the SMTP TLS settings in 'Email Protection | SMTP | Advanced'.
  2. Navigate to 'Email Protection | SMTP | Advanced'.
  3. In the TLS settings area select the regenerated certificate.
    Regenerated certificates can be recognized by the ‘(regenerated)’ information next to the certificate name.
  4. Click Apply.

The regenerated certificate is active.

For POP3:

If you use certificates generated by the UTM for POP3 and TLS is enabled in the POP3 settings, regenerate those certificates.
Proceed as follows:

  1. Regenerate the certificate that you selected for the POP3 TLS settings in 'Email Protection | POP3 | Advanced'.
  2. Navigate to 'Email Protection | POP3 | Advanced'.
  3. In the TLS settings area select the regenerated certificate.
    Regenerated certificates can be recognized by the ‘(regenerated)’ information next to the certificate name.
  4. Click Apply.

The regenerated certificate is active.

For RED:

If you use RED devices, it is necessary to delete them all and reconfigure them. Proceed as follows:

  1. Navigate to 'RED Management | [Server] Client Management'.
  2. Select all REDs by clicking on the checkbox in the table header of the first column.
  3. Click Delete.
    All REDs will be deleted.
  4. Navigate to 'RED Management | Global Settings'.
  5. Deactivate RED by clicking the toggle switch.
    RED will be deactivated and the toggle switch turns red.
  6. Activate RED by clicking the toggle switch again.
  7. Add your RED devices manually.

Alternatively you can use the following knowledge base article to reconfigure all RED devices at once: KBA 120916

Once you have reconfigured the RED devices, you have to reassign the interfaces. Proceed as follows:

  1. Navigate to 'Interfaces & Routing | Interfaces'
  2. Now click on Edit for all RED interfaces which are marked as unassigned
  3. To reassign the interface you just have to select the newly created RED as Hardware and click on Save

Do NOT restore the RED devices from a backup, because the affected certificates would be restored with them.

For HTTP Proxy:

If the HTTP proxy performs HTTPS scanning with a signing CA generated on the UTM, proceed as follows:

  1. Navigate to 'Web Protection | Filtering Options | HTTPS CAs'.
  2. In the Signing CA area click Regenerate.
    A dialog with the CA's details appears.
  3. Adjust the details if required and click Save.

The signing CA will be regenerated. Clients that had the old signing CA installed as trusted must be given the new CA certificate, otherwise they will receive certificate warnings on scanned HTTPS sites.

For Client Authentication:

If you use the feature Client Authentication, proceed as follows:

  1. Login to the shell of the UTM first as loginuser and then get root: su -
  2. Now use the following command to regenerate the CA: cc set endpoint aac ca ''
    Note:
    the two single quotes are part of the command
  3. Then regenerate the certificate: cc set endpoint aac cert ''
    Note:
    the two single quotes are part of the command
  4. Navigate to Definitions & Users | Client Authentication and download the appropriate installation package for your clients
  5. Once the package has been downloaded remove the old version from the client and install the new package.
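Regenerating a CA or certificate in WebAdmin only helps if every listener actually starts presenting the new certificate. The following Python 3 script is an added example, not part of this article or of Sophos UTM: run it once before step 4 to record the SHA-256 fingerprint of the certificate each TLS listener serves, and again afterwards; any listener whose fingerprint is unchanged is still using the old, potentially exposed key. The hostname and ports in TARGETS are assumptions to be replaced with your own UTM's values. Certificate verification is disabled on purpose because the UTM's certificates are usually self-signed and only the raw certificate bytes are needed.

```python
"""Snapshot and compare the TLS certificates served by UTM listeners.

Added example for this article; not Sophos code. Usage:
    python3 cert_snapshot.py before.json              # before regenerating
    python3 cert_snapshot.py before.json after.json   # afterwards: lists stale listeners
"""
import hashlib
import json
import socket
import ssl
import sys

# (label, host, port): hostname and ports are assumptions; adjust to your UTM.
TARGETS = [
    ("webadmin", "utm.example.com", 4444),
    ("reverse-proxy", "utm.example.com", 443),
]


def fingerprint(der):
    """SHA-256 fingerprint of a DER certificate, colon-separated like most TLS tools."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_cert_der(host, port, timeout=5.0):
    """Complete a TLS handshake and return the server's leaf certificate (DER)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # self-signed UTM certificates: we only want the bytes
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def snapshot(targets=TARGETS):
    """Map each label to its certificate fingerprint, or an ERROR string."""
    result = {}
    for label, host, port in targets:
        try:
            result[label] = fingerprint(fetch_cert_der(host, port))
        except (OSError, ssl.SSLError) as exc:
            result[label] = f"ERROR: {exc}"
    return result


def unchanged(before, after):
    """Labels still serving exactly the certificate recorded in the first snapshot."""
    return sorted(label for label, fp in after.items()
                  if not fp.startswith("ERROR") and before.get(label) == fp)


if __name__ == "__main__":
    if len(sys.argv) == 2:
        with open(sys.argv[1], "w") as fh:
            json.dump(snapshot(), fh, indent=2)
    elif len(sys.argv) == 3:
        with open(sys.argv[1]) as fh:
            before = json.load(fh)
        after = snapshot()
        with open(sys.argv[2], "w") as fh:
            json.dump(after, fh, indent=2)
        stale = unchanged(before, after)
        print("still serving the old certificate:", ", ".join(stale) or "none")
        sys.exit(1 if stale else 0)
    else:
        sys.exit(__doc__)
```

Listeners that the second run reports as ERROR deserve attention too: after a CA regeneration a service may have been left without a valid certificate assigned, which is the situation the per-module steps above are meant to prevent.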

5. Change your passwords

Once the system has been patched and all certificates have been regenerated, change the credentials for:

  • All users with administration rights in 'Definitions & Users | Users & Groups'
  • The loginuser and root for the shell access
  • All other users in 'Definitions & Users | Users & Groups'
  • Credentials used in affected services (in the worst case this may even include credentials for authentication services such as Active Directory etc.)

Additional Security Suggestions

  • Do NOT restore any old backups - These may contain compromised certificates. After performing the changes above create new backups.

  • If you identify unexpected or suspicious behavior on the UTM, or unexpected user sessions, it is recommended that you re-image the UTM - see KBA 115879.
    Note: After re-imaging the UTM you can import a backup of your configuration, provided the backup does not contain unique site data. Create such a backup as follows:
    1. Navigate to Management | Backup/Restore | Backup/Restore
    2. Tick the option Unique site data (License, passwords, certificates/keys, endpoints) so that the backup does not contain this information
    3. Click on Create backup now and save it to your local system
  • Consider implementing Two Factor Authentication (available as "One Time Password" or OTP) in UTM Firmware 9.2 - see KBA 120324.

 
If you need more information or guidance, then please contact technical support.
