OpenSSL Security update announced

Hello Sophos,

are Sophos firewalls (SG and XG) affected by the OpenSSL vulnerability?
https://mta.openssl.org/pipermail/openssl-announce/2022-October/000238.html

Ben


This thread was automatically locked due to age.

  • This is confusing. In the release notes it lists one small change with no security implication that I'm aware of.

    Back in 3.0.5 it talks about a severe bug whereby if a coder passes a NULL to a particular function, OpenSSL will essentially use no encryption. So it doesn't appear to be a vulnerability in the sense that it can be exploited, but rather a problem if Sophos causes a NULL value to be passed to that function. Under those conditions, there would be no encryption.

    Still would like to know the answer, but I imagine that Sophos needs to look at its SSLVPN server code to make sure they can't accidentally pass a NULL. (If they're using OpenSSL's server it seems unlikely that this is a problem. It appears to mainly be related to folks using OpenSSL to create their own client or server.)

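The practical question in this thread is whether a given box carries an OpenSSL build from the affected branch. The script below is an added example, not code from the forum posters or from Sophos: it classifies the banner printed by `openssl version` against the 3.0 branch. It assumes, as the thread title and the October 2022 date of the linked announcement suggest, that the announcement is the notice of the 3.0.7 release for OpenSSL 3.0.x (3.0.0 through 3.0.6 affected, 3.0.7 and later fixed, 1.1.1 and 1.0.2 untouched); adjust the threshold in `openssl_branch_status` for a different advisory. The sample banner strings at the bottom are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or from Sophos): classify an
# `openssl version` banner against the 3.0 branch.
# Assumption: the linked announcement concerns the 3.0.7 release, so
# 3.0.0 through 3.0.6 are "affected", 3.0.7+ "fixed", other branches untouched.

# Print "affected", "fixed" or "other-branch" for a banner such as
# "OpenSSL 3.0.5 5 Jul 2022" or "OpenSSL 1.1.1q 5 Jul 2022".
openssl_branch_status() {
    banner="$1"
    # The second whitespace-separated field is the version string.
    ver=$(printf '%s\n' "$banner" | awk '{print $2}')
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    # Drop a letter suffix ("1.1.1q") or a pre-release tag ("3.0.0-alpha1").
    patch=$(printf '%s' "$patch" | sed 's/[^0-9].*$//')
    if [ "$major" != "3" ] || [ "$minor" != "0" ]; then
        echo "other-branch"
        return 0
    fi
    if [ "${patch:-0}" -lt 7 ]; then
        echo "affected"
    else
        echo "fixed"
    fi
}

# Constructed sample banners, one per line, to exercise the classifier offline.
samples='OpenSSL 3.0.5 5 Jul 2022
OpenSSL 3.0.7 1 Nov 2022
OpenSSL 1.1.1q 5 Jul 2022'
printf '%s\n' "$samples" | while IFS= read -r line; do
    printf '%-32s -> %s\n' "$line" "$(openssl_branch_status "$line")"
done

# On a host where the binary is reachable, check the real banner too.
if command -v openssl >/dev/null 2>&1; then
    printf 'local build: %s -> %s\n' "$(openssl version)" \
        "$(openssl_branch_status "$(openssl version)")"
fi
```

Two caveats for anyone applying this to an appliance: the banner is only reachable where you have a shell (the advanced shell on SG/XG, not the web admin), and vendors routinely backport fixes without bumping the version string, so "affected" here means "in the affected branch", not "confirmed vulnerable"; the vendor's advisory remains the authoritative answer.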