This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Heads up: issue with OpenSSL not patched yet

Just giving you a heads up: OpenSSL released a new version with several critical fix today. The most critical one (CVE-2014-0195) could lead to arbitrary code execution on the server in the context of the OpenSSL/OpenVPN process.

The flaw affects DTLS (i.e. mostly TLS over UDP) so, as far as I understand it, the impacted component should be the Cisco VPN client, possibly the Amazon VPC client and most likely all SSL S2S or end point that uses UDP instead of TCP.

You might want to consider limiting access to these services to known good network ranges until a patch is released.

This thread was automatically locked due to age.

0 ManuelKarl over 11 years ago

Does this mean, that we've to regenerate all certs again and updating the ssl-roadwarriors?
Cancel
Vote Up 0 Vote Down

Cancel
0 BrucekConvergent over 11 years ago in reply to ManuelKarl

No, my understanding this is more a man in the middle vulnerability; It does not appear to be nearly the issue Heartbleed was.

I'm quite sure Sophos will release a UTM update that includes the patch once they've applied and tested it.
Cancel
Vote Up 0 Vote Down

Cancel
0 StephaneGROBETY over 11 years ago in reply to BrucekConvergent

There are several bug fixed. One is a MITM attack that could lead to encrypted data being disclosed (but it's tricky to pull off since you really need to be in the middle and both client and server needs to be vulnerable).

The one that worries me, however, is an arbitrary code execution flaw affecting the DTLS component of OpenSSL (which is: security of datagrams). It's not widely used but if the service is reachable, it can be used to execute code on your server without authentication in the context of the root user. That's why I suggested that you firewall off everything that could be listening to the world over UDP and that could be using DTLS.

Edit: to be clear: if you get hit by this one, you will need to reinstall the firewall - including generating new certificates - since anything on the machine can be compromised. It's not limited to UTM either: everything that uses OpenSSL is potentially affected one way or another. It's not heartbleed, but it's not pretty.
Cancel
Vote Up 0 Vote Down

Cancel
0 bblank over 11 years ago

Is this the best thread to follow to watch for updates on this or will there be a more "official" thread to subscribe to?
Cancel
Vote Up 0 Vote Down

Cancel
0 teched_01 over 11 years ago

Sophos Blog | Security made simple and eventually the Sophos knowledgebase seemed to be the places for "official" with the previous OpenSSL issue.

If you have support open a case - making such questions more visible may encourage more communication.
Cancel
Vote Up 0 Vote Down

Cancel
0 NewImage over 11 years ago

Latest OpenSSL flaws can lead to information leakage, code execution and DoS | Naked Security
Cancel
Vote Up 0 Vote Down

Cancel
0 Chris McCormack over 11 years ago

While we are still investigating which vulnerabilities may impact the Sophos UTM, we currently believe it is only the man-in-the-middle vulnerability (CVE-2014-0224).

The dev teams are actively working on patches. A list of affected products and the expected patch availability has been posted on the Sophos Blog. Please check back for additional information as it becomes available.

Thanks!
- Chris.
Sophos NSG Team
Cancel
Vote Up 0 Vote Down

Cancel