CVE-2020-15078 - Sophos SSL VPN Client / OpenVPN

Good Day everyone!

May I ask a question about the Sophos SSL VPN Client?

One of our customers is using a vulnerability scan tool (Qualys), and the reporting is showing me entries from clients with the Sophos SSL VPN Client installed.

Firewall Version is SFOS 18.0.5 MR-5-Build586.

When I download the SSL VPN Client from the User Portal, the OpenVPN version is 2.3.8.

Any chance for a new Update or do we have to change all VPN Users to Sophos Connect?

 

-------- INFO for CVE ----------

CVE-2020-15078

QID: 375518
Category: Local
CVE ID: CVE-2020-15078
Vendor Reference: OpenVpn
Bugtraq ID: -
Service Modified: 05/06/2021
User Modified: -
Edited: No
PCI Vuln: Yes
IMPACT: Successful exploitation of this vulnerability allows a remote attackers to bypass authentication and access control channel data on servers configured with deferred authentication, which can be used to potentially trigger further information leaks.
SOLUTION: Users are advised to upgrade to the latest version of the software available. Latest version of the software can be downloaded from OpenVPN



This thread was automatically locked due to age.
  • Sophos Connect uses 2.5.0. Therefore it would be affected as well, but I highly recommend opening a support case. I would assume this is already addressed by a patch within the system without updating the version. Those vulnerability scan tools simply check versions and do not exploit the software. Therefore they do not detect the actual state.
