Advisory: Critical vulnerability found in OpenSSL affecting Sophos products

Important: This article may continue to be updated with further advice. We therefore recommend you check back here regularly for new information.

Applies to the following Sophos product(s) and version(s)

  • Sophos UTM
  • Sophos Anti-Virus for VMware vShield

For information on how the vulnerability relates to other Sophos products, see:

Is SafeGuard Enterprise affected by the recently identified OpenSSL leak in versions 1.0.1 to 1.0.1f (CVE-2014-0160)?
Is Sophos Mobile Control affected by the recently identified OpenSSL leak in versions 1.0.1 to 1.0.1f (CVE-2014-0160)?

What is the vulnerability?

The official entry, CVE-2014-0160, lists the affected OpenSSL versions; some of those versions are used in Sophos products (see below).

The vulnerability is a read overrun in the TLS heartbeat extension. A peer can send a heartbeat request whose declared payload length is larger than the payload actually sent, and an unpatched OpenSSL copies that many bytes from its own process memory into the reply, up to 64 KB per request. The leaked memory can include private keys, session cookies, passwords and other clients' traffic. Only a process that handles TLS with the affected OpenSSL and is reachable by an attacker is directly exposed: the bug reads from that process's own memory, not from the rest of the system.

For more information read our Naked Security blog article on the issue: Anatomy of a data leakage bug – the OpenSSL "heartbleed" buffer overflow
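The following is a reduced model of the bug and of the 1.0.1g fix, added here as an example; it is not code from this advisory, from Sophos or from OpenSSL. It models only the heartbeat message body (RFC 6520: a 1-byte type, a 2-byte payload_length, the payload, and at least 16 bytes of padding), the TLS handshake that precedes a real heartbeat is out of scope, and the server "heap" (FAKE_HEAP) is a constructed byte string standing in for whatever happens to follow the record in process memory.

```python
"""Simulation of the OpenSSL TLS heartbeat handling behind Heartbleed.

Added example for this advisory, not Sophos or OpenSSL code. Only the heartbeat
body is modelled (RFC 6520: 1-byte type, 2-byte payload_length, payload, at least
16 bytes of padding). The TLS handshake is out of scope and FAKE_HEAP is a
constructed stand-in for the server's process memory.
"""
import struct
from typing import Callable, Optional

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16
MAX_PAYLOAD = 16384  # 2^14, the most one heartbeat can pull back

# Constructed stand-in for whatever sits after the record in the server's
# process memory: other clients' requests, cookies, session keys.
FAKE_HEAP = (b"GET /login HTTP/1.1\r\n"
             b"Cookie: session=EXAMPLE_SECRET_COOKIE\r\n") * 300

Handler = Callable[[bytes], Optional[bytes]]


def build_heartbeat(claimed_len: int, payload: bytes) -> bytes:
    """Heartbeat request. The declared payload_length comes from the caller,
    so it need not match the number of payload bytes actually sent."""
    return struct.pack("!BH", HB_REQUEST, claimed_len) + payload + b"\x00" * PADDING


def vulnerable_server(record: bytes) -> Optional[bytes]:
    """OpenSSL 1.0.1 to 1.0.1f behaviour: trusts the peer's payload_length and
    copies that many bytes starting at the payload, past the end of the record."""
    hbtype, payload_len = struct.unpack("!BH", record[:3])
    if hbtype != HB_REQUEST:
        return None
    memory = record + FAKE_HEAP          # the record plus whatever follows it on the heap
    echoed = memory[3:3 + payload_len]   # no check against len(record): the bug
    return struct.pack("!BH", HB_RESPONSE, payload_len) + echoed + b"\x00" * PADDING


def fixed_server(record: bytes) -> Optional[bytes]:
    """OpenSSL 1.0.1g behaviour: discard any heartbeat whose declared length does
    not fit inside the record that was actually received."""
    if len(record) < 1 + 2 + PADDING:
        return None                      # too short for even an empty padded heartbeat
    hbtype, payload_len = struct.unpack("!BH", record[:3])
    if hbtype != HB_REQUEST:
        return None
    if 1 + 2 + payload_len + PADDING > len(record):
        return None                      # RFC 6520: a bad length MUST be silently dropped
    echoed = record[3:3 + payload_len]
    return struct.pack("!BH", HB_RESPONSE, payload_len) + echoed + b"\x00" * PADDING


def probe(server: Handler, claimed_len: int = MAX_PAYLOAD) -> bytes:
    """Client side of the check: send a heartbeat that declares claimed_len bytes
    of payload but carries none, and return whatever payload comes back. Empty
    means the server dropped the request (patched); anything else is memory the
    server leaked, because we sent no payload for it to echo."""
    reply = server(build_heartbeat(claimed_len, b""))
    if reply is None:
        return b""
    hbtype, echoed_len = struct.unpack("!BH", reply[:3])
    if hbtype != HB_RESPONSE:
        return b""
    return reply[3:3 + echoed_len]


def is_vulnerable(server: Handler) -> bool:
    return len(probe(server)) > 0


if __name__ == "__main__":
    for name, srv in (("unpatched", vulnerable_server), ("patched", fixed_server)):
        leak = probe(srv)
        print(f"{name}: {'VULNERABLE' if leak else 'not vulnerable'}, "
              f"{len(leak)} bytes returned")
    # A well-formed heartbeat still gets an answer after the fix.
    print(fixed_server(build_heartbeat(4, b"ping")))
```

The same probe is what the public Heartbleed test scripts send to a live server, wrapped in a TLS heartbeat record (content type 24) after the handshake has completed; the decision rule is identical, a reply carrying more bytes than you sent means the server is unpatched, no reply means it is not. Run such a probe only against systems you are authorised to test, since every successful request pulls a fresh slice of the server's memory.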

What versions of OpenSSL are affected?

The 1.0.1 and 1.0.2-beta releases of OpenSSL are affected, including 1.0.1f and 1.0.2-beta1. The fix shipped in OpenSSL 1.0.1g; 1.0.0 and 0.9.8 never had the bug. Note that Linux distributions often backport the fix without changing the reported version string, so on a general-purpose host check the package changelog rather than the output of openssl version.

What products are affected and how is the vulnerability fixed?

The list below covers all the affected Sophos products. Important: other Sophos products also use SSL/TLS, but they are not affected and no action is required for them.

If you use one or more of the products mentioned below, use the list to see what is required.

Sophos Product / Steps to fix

UTM 9.1 and UTM 9.2
  A patch is available for the vulnerability. The overview steps are:
    • Install the patch
    • Print your configuration
    • Reboot the UTM
    • Regenerate certificates
    • Change your passwords
  For detailed instructions see article 120851.

UTM LiveConnect Servers
  Patched April 9, 2014.

UTM Manager 4.105
  Patched in 4.106, available now.
  See: http://blogs.sophos.com/2014/04/10/sophos-utm-manager-up2date-4-106-released/

SAV for vShield
  • A patch for version 1.1 will be made available early next week.
  • Customers running version 1.0 will need to upgrade to 1.1, as 1.0 cannot be patched. See the Sophos Anti-Virus for VMware vShield upgrade guide on how to do this.
  • Further information will be provided with the patch.

Important: Three steps are required to close the OpenSSL vulnerability, protect yourself from future exploit attempts and limit the damage if your private keys or credentials have already been exposed. Do them in this order: a certificate regenerated or a password changed before the patch is installed can be leaked again through the same bug.

  • Apply the OpenSSL patch
  • Regenerate all SSL certificates and their private keys, treating the old keys as compromised
  • Change all passwords

Where do I get the patch and instructions to regenerate all SSL certificates?

The currently available patches for UTM are listed in the article Heartbleed: Recommended steps for UTM. We will add details on other patches as soon as possible. Check back here for updates.