OpenSSL man-in-the-middle vulnerability – Network Gateway product patch information

On June 5th, 2014 a vulnerability (CVE-2014-0224) was found in OpenSSL that impacts our network security products. Fortunately, as of the publication of this article, there are no known in-the-wild attacks. Of course, as you’ve come to expect from Sophos, we’ve wasted no time in getting to work on patches to fix this vulnerability.

The vulnerability exists in OpenSSL and can allow an attacker using a man-in-the-middle attack to decrypt and modify traffic between a vulnerable client and server. Both client and server must be vulnerable for this exploit to work. OpenSSL versions 1.0.1 and 1.0.2-beta are affected.

At this time, we believe other vulnerabilities discovered this week in OpenSSL do not impact our network security products.

The following Sophos Network Security products and versions require a patch - we are working on them with the highest priority:

  • Sophos UTM v9.2
  • Sophos UTM v9.1
  • Sophos UTM v8.3
  • SUM v4.1/4.2
  • Sophos Web Appliance v3.9.x.x
  • Sophos Email Appliance v3.7.x.x
  • PureMessage for UNIX

For further information on all affected Sophos products, including patch availability, read the Knowledgebase article.

Once available, updates will be provided by the normal means for your product.

Fortunately, this vulnerability with OpenSSL does NOT require new SSL certificates to be deployed.

We will update this article with more information as it becomes available so check back regularly.

If you wish to discuss this, there is an active thread on the User Bulletin Board (for UTM) and SophosTalk Forums (for other network security products).

Update:

More information on the vulnerability, other products affected and how you can protect yourself, are outlined in our latest blog article on this subject.