OpenSSL Security update announced

Hello Sophos,

are Sophos firewalls (SG and XG) affected by the OpenSSL vulnerability?
https://mta.openssl.org/pipermail/openssl-announce/2022-October/000238.html

Ben



Edited TAGs
[edited by: emmosophos at 10:42 PM (GMT -7) on 3 Nov 2022]
Parents
  • This is confusing. In the release notes it lists one small change with no security implication that I'm aware of.

    Back in 3.0.5 it talks about a severe bug whereby if a coder passes a NULL to a particular function, OpenSSL will essentially use no encryption. So it doesn't appear to be a vulnerability in the sense that it can be exploited, but rather a problem if Sophos causes a NULL value to be passed to that function. Under those conditions, there would be no encryption.

    Still would like to know the answer, but I imagine that Sophos needs to look at its SSLVPN server code to make sure they can't accidentally pass a NULL. (If they're using openSSL's server it seems unlikely that this is a problem. It appears to mainly be related to folks using openSSL to create their own client or server.

Reply
  • This is confusing. In the release notes it lists one small change with no security implication that I'm aware of.

    Back in 3.0.5 it talks about a severe bug whereby if a coder passes a NULL to a particular function, OpenSSL will essentially use no encryption. So it doesn't appear to be a vulnerability in the sense that it can be exploited, but rather a problem if Sophos causes a NULL value to be passed to that function. Under those conditions, there would be no encryption.

    Still would like to know the answer, but I imagine that Sophos needs to look at its SSLVPN server code to make sure they can't accidentally pass a NULL. (If they're using openSSL's server it seems unlikely that this is a problem. It appears to mainly be related to folks using openSSL to create their own client or server.

Children
No Data