Innominate mGuard OpenSSL HeartBleed Vulnerability
Act Now · ICS-CERT ICSA-14-105-02A · Jan 16, 2014
Summary
Innominate mGuard versions 8.0.0 and 8.0.1 contain the OpenSSL HeartBleed vulnerability (CWE-119), which allows remote memory disclosure without authentication. An attacker can read up to 64 KB of unencrypted memory from the device, potentially exposing private keys, session credentials, or operational data. The vulnerability is actively exploited in the wild, and Innominate has not released a patched version for these product lines.
What this means
What could happen
An attacker could read sensitive memory from the mGuard device, potentially exposing encryption keys, credentials, or operational data being processed by the firewall. This memory disclosure could compromise the confidentiality of traffic the device is supposed to protect.
Who's at risk
Industrial firewall and network security operators using Innominate mGuard devices (versions 8.0.0 and 8.0.1) in water authorities, electric utilities, and manufacturing facilities. This includes any organization relying on the mGuard for encryption, VPN termination, or secure remote access to OT networks.
How it could be exploited
An attacker sends a specially crafted HeartBeat request to the OpenSSL service running on the mGuard device. The vulnerable OpenSSL library returns up to 64 KB of unencrypted memory from the device's RAM without requiring authentication. This memory may contain private keys, session tokens, or plaintext operational data.
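A defensive check for the request described above, added here as an example (not code from the advisory or from Innominate): it parses TLS heartbeat records in the RFC 6520 layout and flags any whose declared payload length exceeds what the record actually carries. The function names and sample bytes are constructed for illustration, and the check only applies to heartbeat records visible in cleartext; encrypted records cannot be inspected this way.

```python
import struct

HEARTBEAT = 24                 # TLS record content type for heartbeat (RFC 6520)
MIN_PADDING = 16               # RFC 6520 requires at least 16 bytes of padding
HDR = struct.Struct("!BHH")    # content type, protocol version, record length


def iter_records(stream: bytes):
    """Yield (content_type, fragment) for each complete TLS record in stream."""
    off = 0
    while off + HDR.size <= len(stream):
        ctype, _version, length = HDR.unpack_from(stream, off)
        frag = stream[off + HDR.size: off + HDR.size + length]
        if len(frag) < length:     # truncated capture: stop rather than guess
            return
        yield ctype, frag
        off += HDR.size + length


def check_heartbeat(frag: bytes) -> str:
    """Classify one cleartext heartbeat fragment."""
    if len(frag) < 3:
        return "malformed"
    _hb_type, claimed = struct.unpack_from("!BH", frag)
    # Bound the receiver must enforce: type + length field + payload + padding
    # has to fit inside the record that was actually received.
    if 1 + 2 + claimed + MIN_PADDING > len(frag):
        return "over-read"
    return "ok"


def scan(stream: bytes):
    """Return one verdict per heartbeat record; other record types are skipped."""
    return [check_heartbeat(f) for t, f in iter_records(stream) if t == HEARTBEAT]


# Constructed sample records (not captured traffic).
HANDSHAKE = bytes.fromhex("1603020004" "0e000000")                  # not a heartbeat
WELL_FORMED = bytes.fromhex("1803020017" "010004" "70696e67") + bytes(16)
OVERSTATED = bytes.fromhex("1803020017" "010100" "70696e67") + bytes(16)

if __name__ == "__main__":
    print(scan(HANDSHAKE + WELL_FORMED + OVERSTATED))
```

An "over-read" verdict on traffic addressed to an affected mGuard is a reason to treat the keys and credentials on that device as exposed.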
Prerequisites
- Network access to the mGuard device on the port running OpenSSL (typically port 443 or 500 for IKE/VPN)
Remotely exploitable · No authentication required · Low complexity · Actively exploited (KEV) · High EPSS score (94.5%) · No patch available · Memory disclosure of secrets
Exploitability
Actively exploited — confirmed by CISA KEV
Affected products (1)
Product: mGuard: 8.0.0|8.0.1
Affected Versions: 8.0.0|8.0.1
Fix Status: No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Implement network-level access controls to restrict connections to the mGuard device to trusted engineering workstations and management networks only.
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HARDENING: Assume any credentials or keys stored on or passing through the mGuard device since deployment may be compromised; schedule key rotation and credential resets after the device is secured or replaced.
HARDENING: Evaluate replacement or retirement of mGuard versions 8.0.0 and 8.0.1, as the vendor has stated no fix is available.
Mitigations - no patch available
mGuard: 8.0.0|8.0.1 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Isolate the mGuard device on a separate management VLAN if possible to limit lateral movement if the device is compromised.
CVEs (1)