
[CRITICAL] Sophos XG SSL VPN Several vulnerabilities

Sophos XG VPN SSL security is a joke

It uses TLS 1.0 with CBC

  • GCM should be the standard default or at least should be available not CBC
  • TLS 1.2/1.3 should be the standard default not 1.0/1.1

This is how a serious security company treats this:

The CBC vulnerability is a vulnerability with TLS v1. This vulnerability has been in existence since early 2004 and was resolved in later versions of TLS v1.1 and TLS v1.2.
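Added example, not code from the thread or from Sophos: a small Python audit that reads OpenVPN "Control Channel:" log lines (the format the TLSv1.2 line quoted later in this thread is in) and flags exactly the two complaints made above, a TLS 1.0/1.1 handshake and a non-AEAD (CBC-mode) cipher suite, then lists the stock OpenVPN server directives that rule both out. Of the sample log lines, only the TLSv1.2 one is taken from the thread; the TLS 1.0 and TLS 1.3 lines are constructed. The directives are plain OpenVPN 2.4/2.5 options; whether the XG firmware exposes them to the administrator is not something this thread establishes, so treat them as the target state rather than an XG recipe.

```python
"""Audit OpenVPN control-channel negotiations for TLS 1.0/1.1 and CBC suites.

Added example for this thread, not Sophos code. Sample lines are constructed
except the TLSv1.2 one, which is quoted from the thread.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# OpenVPN logs the control channel as, e.g.
#   "Control Channel: TLSv1.2, cipher TLSv1.2 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA"
# Older builds print "TLSv1/SSLv3" as the middle token and "TLSv1" as the protocol.
CONTROL_CHANNEL_RE = re.compile(
    r"Control Channel:\s*(?P<proto>TLSv1(?:\.\d)?),\s*"
    r"cipher\s+\S+\s+(?P<cipher>[A-Z0-9_-]+)"
    r"(?:,\s*(?P<keybits>\d+)\s*bit\s+(?P<keytype>\w+))?"
)

WEAK_PROTOCOLS = {"TLSv1": "TLS 1.0", "TLSv1.1": "TLS 1.1"}
AEAD_MARKERS = ("GCM", "CCM", "CHACHA20")            # authenticated modes, no CBC padding oracle
LEGACY_CIPHER_MARKERS = ("RC4", "DES-CBC", "NULL", "EXPORT", "MD5")


@dataclass
class Assessment:
    proto: str
    cipher: str
    keybits: Optional[int]
    aead: bool
    issues: List[str] = field(default_factory=list)

    @property
    def acceptable(self) -> bool:
        return not self.issues


def assess_control_channel(line: str) -> Optional[Assessment]:
    """Assess one OpenVPN 'Control Channel:' line; None if the line is something else."""
    m = CONTROL_CHANNEL_RE.search(line)
    if not m:
        return None
    proto, cipher = m.group("proto"), m.group("cipher")
    keybits = int(m.group("keybits")) if m.group("keybits") else None
    aead = any(marker in cipher for marker in AEAD_MARKERS)
    issues: List[str] = []
    if proto in WEAK_PROTOCOLS:
        issues.append(f"{WEAK_PROTOCOLS[proto]} negotiated; require TLS 1.2 or later")
    for marker in LEGACY_CIPHER_MARKERS:
        if marker in cipher:
            issues.append(f"legacy algorithm {marker} in {cipher}")
            break
    if not aead:
        # OpenSSL suite names omit "CBC": DHE-RSA-AES256-SHA is AES-256-CBC with HMAC-SHA1.
        issues.append(f"non-AEAD (CBC-mode) cipher {cipher}; prefer AES-GCM or ChaCha20-Poly1305")
    if keybits is not None and keybits < 2048:
        issues.append(f"{keybits}-bit {m.group('keytype')} key is below the 2048-bit floor")
    return Assessment(proto, cipher, keybits, aead, issues)


def recommended_directives(tls13_supported: bool = True) -> List[str]:
    """Stock OpenVPN server directives that enforce TLS >= 1.2 and AEAD suites only."""
    directives = [
        "tls-version-min 1.2",
        # TLS 1.2 control channel: OpenVPN takes IANA-style names here, GCM suites only.
        "tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384",
        # Data channel: pin AEAD ciphers so a client cannot fall back to a CBC 'cipher'
        # (data-ciphers is the OpenVPN 2.5 name; 2.4 calls it ncp-ciphers).
        "data-ciphers AES-256-GCM:AES-128-GCM",
    ]
    if tls13_supported:  # OpenVPN 2.5+ with OpenSSL 1.1.1+
        directives.append("tls-ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256")
    return directives


SAMPLE_LOG = [
    # constructed: a TLS 1.0 / CBC negotiation as an older OpenVPN build logs it
    "Tue Apr 14 13:01:09 2020 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA",
    # quoted from this thread
    "Tue Apr 14 14:42:43 2020 Control Channel: TLSv1.2, cipher TLSv1.2 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA",
    # constructed: OpenVPN 2.5 negotiating TLS 1.3
    "Tue Apr 14 15:10:00 2020 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA",
    "Tue Apr 14 15:10:01 2020 Initialization Sequence Completed",
]


def audit(lines) -> List[tuple]:
    """Return (line, Assessment) pairs for every negotiation line found in a log."""
    results = []
    for line in lines:
        a = assess_control_channel(line)
        if a is not None:
            results.append((line, a))
    return results


if __name__ == "__main__":
    for _, a in audit(SAMPLE_LOG):
        print(("OK  " if a.acceptable else "WEAK"), f"{a.proto:8}", a.cipher)
        for issue in a.issues:
            print("      -", issue)
    print("\nTarget configuration:")
    print("\n".join(recommended_directives()))
```

Run it as-is to see the three verdicts, or pipe a real client log through `audit()`; the "Control Channel:" line appears once per (re)connection, so a log that spans weeks shows whether a server-side change actually reached every client.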



  • I can confirm this; it's using TLSv1.2 now.

    Tue Apr 14 14:42:43 2020 Control Channel: TLSv1.2, cipher TLSv1.2 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA

     

    But what about AES-GCM? Will it ever be supported on XG?

    Also, will the OpenVPN server on XG get updated someday, or will it only receive patches?

     

    Thanks!


  • As far as I know, and I am not a product manager for XG, there are plans to do so. Stay tuned for future releases.

    And keep in mind, it is not as easy to update stuff like that. There are many dependencies. Updating those modules is still a work in progress.
