OpenSSL Man-in-the-Middle vulnerability: Sophos Product Status

On June 5th 2014, multiple new OpenSSL vulnerabilities were disclosed including CVE-2014-0224. Like the recent Heartbleed vulnerability this is a serious bug in the software responsible for encrypting traffic on the internet and is a widespread issue. Users are advised to ensure that their solutions are fully patched to protect against this bug. Fortunately, at the time of writing, there are no known in-the-wild attacks.

The CVE-2014-0224 vulnerability
This newly discovered vulnerability is linked to a flaw in the origin of the code in 1998. Almost all versions of OpenSSL are vulnerable, and if they are exploited it can result in communications being disclosed to a man-in-the-middle attack. However, the flaw relies on both the client and the server running vulnerable versions of OpenSSL and the server version being 1.0.1 or higher to be exploited. For more information on this threat, read our Naked Security article.

Sophos product status
Having audited all our solutions, we believe that only the below products are affected. We are working on fixes for all of them with the highest priority:

  • Sophos Cloud
  • Sophos UTM v9.2
  • Sophos UTM v9.1
  • Sophos UTM v8.3
  • SUM v4.1/4.2
  • Sophos Web Appliance v3.9.x.x
  • Sophos Email Appliance v3.7.x.x
  • PureMessage for UNIX

For further information on affected Sophos products, including patch availability, read the Knowledgebase article.

Many security products include OpenSSL for cryptographic functions and may also be vulnerable. Check with all of your security providers to be sure these flaws are being addressed.

How to stay secure

1. Patch early, patch often
A wide range of organizations are affected by this issue. Many programs will be issuing updates over the coming weeks. Watch out for the patches and apply them as soon as you can. As general best practice we always recommend ensuring your solutions are fully patched and up-to-date.

2. Always use a VPN and don’t trust open WiFi hotspots
In order to perform a man-in-the-middle attack the aggressor needs to be between you and the server you are communicating with. For most of us, this means we are most vulnerable when using unencrypted public WiFi. To avoid putting yourself at risk always use a VPN or a secure WiFi connection for important communications.