OpenSSL vulnerability in XG 16.1.1

I have been receiving many IPS entries for "OpenSSL TLSEXT_TYPE_status_request Memory Leak Denial of Service" from many different clients. According to the CVE, versions 1.0.2i contains the patch for the vulnerability. From what I can tell, Sophos XG 16.1.1 uses OpenSSL version 1.0.2e which has the vulnerability CVE-2016-6304 . Any one else having issues? What about getting a patch for this from Sophos?

Regards,

Gary



  • Thanks, but could you write how to fix this issue? Any ideas? What should I do? It's very strange. Until yesterday I didn't have any problems with my XG firewall :/

    I have IPS entries "OpenSSL TLSEXT_TYPE_status_request Memory Leak Denial of Service" from windows 10 and android clients.

  • Check whether the systems are using that OpenSSL version and whether they are vulnerable. In case they are not even using OpenSSL, edit the IPS rule you are using and then remove the OpenSSL TLSEXT_TYPE...... signature from the rule.

    If you are using the default rule, it cannot be edited, so clone it and adjust it.

    Thanks
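The first step in the reply above, checking whether a host's OpenSSL build predates the fix for CVE-2016-6304, is easy to get wrong because OpenSSL 1.0.x release letters (1.0.2e, 1.0.2i) do not sort as plain strings or numbers. The following script is an added example, not code from this thread or from Sophos. It parses the banner printed by `openssl version` (or reported by an inventory tool) and classifies each host against the fixed releases named in the OpenSSL advisory: 1.0.2i as cited in the thread, plus 1.0.1u and 1.1.0a for the other branches current at the time. The host list is constructed sample data; the XG banner uses the 1.0.2e version quoted in the original post.

```python
import re
from typing import Dict, List, Optional, Tuple

# First fixed release letter per branch for CVE-2016-6304, from the OpenSSL advisory.
# 1.0.2i is the release the thread cites; 1.0.1u and 1.1.0a are the sibling fixes.
FIXED_RELEASE: Dict[Tuple[int, int, int], str] = {
    (1, 0, 1): "u",
    (1, 0, 2): "i",
    (1, 1, 0): "a",
}

# Matches e.g. "OpenSSL 1.0.2e 3 Dec 2015" or "OpenSSL 1.1.0a  22 Sep 2016".
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner: str) -> Optional[Tuple[Tuple[int, int, int], str]]:
    """Return ((major, minor, fix), letter) for an OpenSSL banner, or None if it is not OpenSSL."""
    match = VERSION_RE.search(banner)
    if not match:
        return None
    branch = (int(match.group(1)), int(match.group(2)), int(match.group(3)))
    return branch, match.group(4)


def is_vulnerable_cve_2016_6304(banner: str) -> Optional[bool]:
    """True if the build predates the fix, False if fixed or never affected,
    None if the banner is not OpenSSL or the branch is out of scope here."""
    parsed = parse_openssl_version(banner)
    if parsed is None:
        return None
    branch, letter = parsed
    if branch > (1, 1, 0):
        return False          # 1.1.1 and later were released after the fix
    if branch < (1, 0, 1):
        return None           # 1.0.0 / 0.9.8 were out of support; not assessed here
    # Within a 1.0.x / 1.1.0 branch the letter suffix orders releases: "" < "a" < ... < "z".
    return letter < FIXED_RELEASE[branch]


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hosts by status so the IPS alert can be compared with actual exposure."""
    report: Dict[str, List[str]] = {"vulnerable": [], "fixed": [], "unknown": []}
    for host, banner in sorted(inventory.items()):
        status = is_vulnerable_cve_2016_6304(banner)
        key = "unknown" if status is None else ("vulnerable" if status else "fixed")
        report[key].append(host)
    return report


# Constructed sample inventory (hostnames and most banners are made up for illustration).
SAMPLE_INVENTORY = {
    "xg-firewall":  "OpenSSL 1.0.2e 3 Dec 2015",     # version quoted in the thread for XG 16.1.1
    "web-01":       "OpenSSL 1.0.2i  22 Sep 2016",
    "web-02":       "OpenSSL 1.0.1t  3 May 2016",
    "build-box":    "OpenSSL 1.1.0  25 Aug 2016",
    "mac-laptop":   "LibreSSL 2.2.7",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:>10}: {', '.join(hosts) or '-'}")
```

Run it against real `openssl version` output collected from the hosts that triggered the alerts; a host that lands in `fixed` or `unknown` (non-OpenSSL stack) is evidence the IPS hit is a false positive rather than an exposed service.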


  • Hey, before I read your answer, I had manually updated patterns to: 

    IPS and Application signatures
    3.13.00
    -
    14:35:15, Oct 22 2016
    Success

    and restarted the UTM.

    Now when I go to the IPS policy, I don't see any "OpenSSL TLSEXT_TYPE_status_request Memory Leak Denial of Service" entries ;-) They've disappeared! I did not have to create another rule.

    The websites work fine now, everything works fine ;-) Very strange, isn't it ;-)

    Thank You for Your HELP ;-)

  • Konrad,

    this is not strange. In 3.13.00, "OpenSSL TLSEXT_TYPE_status_request Memory Leak Denial of Service" has been removed as a signature, so that's why it works now.

    Sophos XG uses signature-based IPS, and a false positive can occur. They removed it in time!


  • Luk,

    Thanks for the responses. I understand they use a modified version of OpenSSL, but I was not sure if that meant that it would or wouldn't still have the vulnerability.

    It was the IPS signature having false positives. I did not think it was the devices because it was across several different operating systems (Windows 10, Linux, macOS, iOS, etc). I have not had any IPS issues since the 3.13.00 update this morning.

    Regards,

    Gary

  • Gary,

    XG is using an OpenSSL version that does not seem to be affected by the vulnerability (the version is different), but for an official answer, let's see if Sophos developers/staff will write an official thread.

    The IPS signature was the issue. Even some websites stopped working. Look at this thread:

    https://community.sophos.com/products/xg-firewall/f/firewall-and-policies/82420/issues-filtering-with-major-websites

    It was a false positive for sure.

    Thanks