[CRITICAL] Sophos XG SSL VPN Several vulnerabilities

Hi All,

This is being tracked under the ID NC-53896, and the fix is scheduled to be included in the upcoming SFOS v18 MR1 release.

Regards,

There is nothing in MR1 abour this, I guess we will need to wait to MR2 at least.

Tested it with V18.0 MR1. Works fine now. 

Tue Apr 14 19:39:14 2020 [10017] ::ffff:Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA

Used OpenVPN on iOS with Minimum TLS version set to 1.2. 

I can confirm this, It's using TLSv1.2 now.

Tue Apr 14 14:42:43 2020 Control Channel: TLSv1.2, cipher TLSv1.2 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA

But, what about AES-GCM? Will it ever be supported on XG?

Also will the OpenVPN Server on XG get updated someday, or It will only receive patch's?

Thanks!

As far as i know, and i am not a Product manager for XG, there are plans to do so. Stay tuned for the future releases. 

And keep in mind, it is not as easy to update stuff like that. There are many dependencies. Still work in progress to update those modules. 

As far as i know, and i am not a Product manager for XG, there are plans to do so. Stay tuned for the future releases. 

And keep in mind, it is not as easy to update stuff like that. There are many dependencies. Still work in progress to update those modules.