Dear Astaro Partners and Customers,
We work constantly to ensure all our customers' networks are secure and connected no matter what version of the Astaro Security Gateway they are running. This is why we wanted to inform our partners and customers of an upcoming software challenge we have identified that may affect installations using older versions of the Astaro Security Gateway.
Please read below:
- What is the issue?
- How can this issue be resolved?
- What can I do if I have a problem on Sept. 4th?
- Detailed “What should I do?” Workflow
In case you have any questions, don't hesitate to contact your usual Astaro representative.
Kind regards,
Your Astaro Team
———————————–
What is the issue?
Astaro products use so called X.509 certificates (think of it as a kind of digital passport – see Wikipedia) internally for VPN, Astaro RED, Mail Encryption, WebGUI and a few more areas. Such certificates are only valid for a limited amount of time and we chose to set the expiration date far into the future (>27,4 years into the future) to be sure that our customers do not experience problems with expiring certificates.
Unfortunately, we now will stumble upon a common problem known as the “Year 2038 Problem” or the “Unix Millennium Bug” (Wikipedia). Starting September 4th, 2010 the expiration date of newly created CA-certificates will be beyond Jan 19th 2038, and therefore will be invalid.
Running installations are unlikely to experience any issues, as only a few very specific and rarely used administrator actions will trigger this issue. But installing new Astaro products with software versions 7.506 and older after Sept. 4th will not work, as the initial setup will fail. Please read the “Detailed Workflow” below for more information.
How can this issue be resolved?
Update to the latest version!
The issue has been fixed with the Up2Dates 7.507 and 8.001 which were released August 13th and all existing customers should update to this version before September 4th in order to be safe. Partners and Customers who still have Astaro Appliances in stock must reinstall them with version 7.507 or 8.001 prior setup or shipment.
All Astaro downloads and un-shipped units in the warehouse have been updated! New installation images can be found here http://download.astaro.com/.
What can I do if I a have a problem on Sept. 4th?
In order to ensure that all Astaro customers receive all the help they need, all Astaro customers are entitled to call the Astaro Support Hotline directly and we are on standby for you over the whole weekend (September 4th / 5th).
If you need help, please contact your nearest location: http://www.astaro.com/support/support-hotline
Detailed “What should I do?” Workflow
Below you find all possible conditions an Astaro installation can be in and a recommendation on what should be done: (The same procedures apply for AWG/AMG/ACC installations)
ASG is running at Version 7.507 or 8.001
These customers have no problems, and do not need to do anything.
ASG is running Version 7.506 or earlier, or 8.000
These customers will experience no issues during “normal” operation, however certain actions after September 4th will trigger the problem:
Performing a factory reset will cause subsequent initial setup process to fail, which leads to no access to WebAdmin. Regenerating a Certificate Authority (like for the HTTP/S proxy, WebAdmin, or VPN/ Remote Access) will cause the problem. Certificates created using that new CA are invalid.
Activating mail encryption or Astaro RED for the first time will cause the problem. Activating the feature will fail.
Solution: Up2Date or reinstall to 7.507 or 8.001 before September 4th.
Customers which re-install their ASG/ACC using an old ISO image
These customers will have an affected installation and be in the same situation as outlined above.
Solution: Reinstall the system with the latest ISO image (7.507+ or 8.001+) which can be found at http://download.astaro.com
Partners with appliances in stock with ASG Versions 7.506 or earlier, or 8.000
These boxes are affected. Installing them after September 4th will cause the initial setup process to fail, which leads to no access to WebAdmin. Solution: Partner must update their ASG Appliances using a CD-Rom or Astaro Smart Installer before shipping to customer.
ACC is running at Version 2.200 or earlier
These customers will experience some issues.
Solution: Up2Date to 2.201, which will be released on or around August 27th.
Installations which are unable/unwilling to Up2Date to 7.507 or 8.001 or 2.201
We recommend upgrading to 7.507 or 8.001, but in case this is impossible we will provide a solution for these installations via our Pattern Up2date mechanism:
1. The unit must be online and connected to the internet
2. The customer needs to have a valid maintenance subscription
3. Pattern download/installation interval setting must not be set to “Manual”
The system searches regularly for updates and installs them automatically. After the pattern has been applied, the issue will be fixed.
All installations using 7.506 or earlier and V8.000 will receive this fix. You can easily check if this fix has been applied to your installation by checking the “Pattern Version” on the ASG dashboard. If the pattern version is greater than or equal to 20,000 than the fix has been applied.
We plan to start distributing the pattern on or around August 26th.
Solution: Do nothing and check the pattern version beginning of September.
In case you have any questions, don't hesitate to contact your usual Astaro representative.
Best regards,
Your Astaro Team
You Can Learn More About the Astaro Internet Security Product Line By Going to www.FirewallShop.com/Astaro.
The original article/video can be found at Software error in old Astaro versions – update required