OpenSSL vulnerability in XG 16.1.1

Question

I have been receiving many IPS entries for "OpenSSL TLSEXT_TYPE_status_request Memory Leak Denial of Service" from many different clients. According to the CVE, versions 1.0.2i contains the patch for the vulnerability. From what I can tell, Sophos XG 16.1.1 uses OpenSSL version 1.0.2e which has the vulnerability CVE-2016-6304 . Any one else having issues? What about getting a patch for this from Sophos? 
 Regards, 
 Gary

lferrara · Accepted Answer

Konrad, 
 this is not strange. Inside the 3.13.00, OpenSSL TLSEXT_TYPE_status_request Memory Leak Denial of Service has been removed as Signature, so that's why now it works. 
 Sophos XG uses IPS signature based and a false positive can occur. They removed it on time!

lferrara · Answer

Gary, 
 if you see these logs from Sophos IPS, there are some Computers inside that may be affected by the vulnerability. 
 
 Looking at IPS database, there are 2 rules that goes under Application and Software. Sophos XG is using a custom OpenSSL version so t should not be affected by this vulnerability. XG is using OpenSSL 1.0.2e-fips 3 Dec 2015

lferrara · Answer

Check on Internet and official page of CVE: 
 http://telussecuritylabs.com/threats/show/TSL20160923-04 
 http://www.securityfocus.com/bid/83705 
 Thanks

lferrara · Answer

Check the systems if they are using that Openssl Version and if they are vulnerable. In the case, they are not even using the OpenSSl, edit the IPS rule you are using and then remove the OpenSSL TLSEXT_TYPE......from the rule. 
 If you are using the default rule, they cannot be edit, so clone it and adjust it. 
 Thanks