This article describes the WAF behavior change and how to mitigate the risk inherent in this behavior change.
Applies to the following Sophos products and versions: Sophos XG Firewall v17, v17.1, v17.5 and Sophos UTM 9.6
The background of this change is that Apache introduced TLS session tickets, which are present in the WAF version shipped with the upgrade in Sophos XG Firewall v17, v17.1 and v17.5. It was later found that these session tickets can compromise forward secrecy, so their use is a security vulnerability.
Users who want to mitigate this vulnerability on the affected versions can restart the WAF daily to discard the old TLS session tickets, so that a new TLS session ticket is generated every day, minimizing the chance of an attacker successfully breaking forward secrecy.
Sophos will fix this on the WAF side by disabling TLS session tickets. This fix will only go into Sophos UTM v9.6 MR1 and Sophos XG Firewall v17.5 MR3. Please update your device as soon as these firmware versions are available.
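As an added example (not from the Sophos article), the following shell script checks whether a TLS endpoint, such as a site published through the WAF, is still handing out session tickets, by looking for the ticket block in `openssl s_client` output; the host name is a placeholder and the two transcripts are constructed.

```shell
#!/bin/sh
# Added example, not part of the Sophos article. Apache mod_ssl (the basis of
# the WAF) prints a "TLS session ticket:" block in s_client's SSL-Session
# summary when it issued a ticket; no such block means tickets are disabled.

# Exit 0 if the s_client transcript on stdin contains an issued session ticket.
# The "lifetime hint" line is deliberately not matched, only the ticket itself.
ticket_issued() {
    grep -q '^ *TLS session ticket:'
}

# Classify a transcript read from stdin: prints "ticket" or "no-ticket".
classify() {
    if ticket_issued; then echo ticket; else echo no-ticket; fi
}

# Constructed, abbreviated s_client session blocks for the two cases.
SAMPLE_WITH_TICKET='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 3e 2a 91 7c 10 aa 05 9f-62 b1 ee 03 74 c8 5d 20'
SAMPLE_WITHOUT_TICKET='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 5A1B0C2D3E4F60718293A4B5C6D7E8F90A1B2C3D4E5F60718293A4B5C6D7E8F9'

# Live check against a host (placeholder name). TLS 1.2 is forced because in
# TLS 1.3 tickets arrive after the handshake and are reported differently.
check_host() {
    host="$1"; port="${2:-443}"
    printf '' | openssl s_client -connect "$host:$port" -servername "$host" \
        -tls1_2 2>/dev/null | classify
}

echo "with ticket:    $(printf '%s\n' "$SAMPLE_WITH_TICKET" | classify)"
echo "without ticket: $(printf '%s\n' "$SAMPLE_WITHOUT_TICKET" | classify)"
# check_host waf.example.invalid 443   # uncomment for a live check
```

A result of "ticket" on a published site means the ticket-rotation workaround (daily WAF restart) is still the only mitigation until the fixed firmware is installed; "no-ticket" confirms the fixed firmware behavior.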