
[CRITICAL] Sophos XG SSL VPN Several vulnerabilities

Sophos XG VPN SSL security is a joke

It uses TLS 1.0 with CBC

  • GCM should be the standard default or at least should be available not CBC
  • TLS 1.2/1.3 should be the standard default not 1.0/1.1

This is how a serious security company treats this:

The CBC vulnerability is a vulnerability with TLS v1. This vulnerability has been in existence since early 2004 and was resolved in later versions of TLS v1.1 and TLS v1.2.
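As an added example (not code from the thread, from Sophos or from the OpenVPN project), a small Python audit of an OpenVPN client profile for the two settings the post complains about: the minimum TLS version and CBC ciphers. The directive names are real OpenVPN options; the two profiles and the hostname are constructed samples, and the audit only reads profile text, it does not connect anywhere.

```python
# Constructed sample: a client profile with the weak settings the post names
# (no TLS floor, so TLS 1.0 is negotiable, and a CBC data cipher).
WEAK_PROFILE = """\
client
remote vpn.example.invalid 8443
cipher AES-256-CBC
"""

# Constructed sample: the same profile with the settings the post asks for.
HARDENED_PROFILE = """\
client
remote vpn.example.invalid 8443
tls-version-min 1.2
cipher AES-256-GCM
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
"""

def parse_directives(profile: str) -> dict:
    """Map each directive name to its argument list; comment lines are skipped."""
    directives = {}
    for raw in profile.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        name, *args = line.split()
        directives[name] = args
    return directives

def audit_profile(profile: str) -> list:
    """Return one finding per weakness the thread discusses; empty means clean."""
    d = parse_directives(profile)
    findings = []
    tls_min = (d.get("tls-version-min") or [None])[0]
    if tls_min is None:
        findings.append("no tls-version-min: TLS 1.0 can be negotiated")
    elif float(tls_min) < 1.2:
        findings.append(f"tls-version-min {tls_min}: TLS below 1.2 can be negotiated")
    # OpenVPN 2.3 falls back to BF-CBC when 'cipher' is absent.
    cipher = (d.get("cipher") or ["BF-CBC"])[0]
    if cipher.upper().endswith("-CBC"):
        findings.append(f"cipher {cipher}: CBC mode, prefer an AEAD cipher such as AES-256-GCM")
    # A tls-cipher list that still admits CBC suites undoes the data-cipher fix.
    for suite in (d.get("tls-cipher") or [""])[0].split(":"):
        if "CBC" in suite.upper():
            findings.append(f"tls-cipher admits CBC suite {suite}")
    return findings
```

The AEAD data cipher in the hardened profile needs a release newer than the OpenVPN 2.3 series; on 2.3 only the tls-version-min and tls-cipher lines take effect.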



  • l0rdraiden said:

    Sophos XG VPN SSL security is a joke

    It uses TLS 1.0 with CBC

    • GCM should be the standard default or at least should be available not CBC
    • TLS 1.2/1.3 should be the standard default not 1.0/1.1

    The problem with both of these is that XG is running OpenVPN 2.3.6; this version is from 2014.

    I hope it's updated soon.

  • Then it's worse than I thought; it's not only a bad implementation but a total lack of security and quality standards in the development.

    If we found this without even trying, it's easy to imagine that Sophos XG's foundations are full of outdated and vulnerable packages.
