Sophos products are not at risk from the latest OpenSSL bug

You may have seen that the OpenSSL team announced, on Monday 2015-07-06, that it had a “high severity” update coming out in three days’ time. The update was published on Thursday 2015-07-09, and our verdict is that the bug isn’t as bad or as widespread as we feared at first.

Simply explained, CVE-2015-1793 is a certificate verification flaw. This means that crooks who can lure or misdirect you to a bogus website (or email server, or indeed any internet service using TLS/SSL for its security) may be able to trick you into thinking that you are somewhere legitimate and secure. As you probably know, TLS/SSL relies on a “chain of trust” formed by cryptographic certificates. This chain of certificates reassures you that the secure website you are visiting really does belong to the organisation you expect. This latest bug in OpenSSL means that a crook may be able to create a certificate in someone else’s name, and then to sneak it past OpenSSL’s certificate verification process without triggering a warning, even though the certificate isn’t signed by a trusted CA.

That makes a man-in-the-middle (MiTM) attack feasible, where a crook intercepts your traffic, say to a social networking site; feeds you a fake login page with a fake HTTPS certificate; and convinces you to give away your password because the warnings that ought to prevent the phishing deception never show up. Fortunately, the scope of this bug is narrower than we feared after reading Monday’s OpenSSL advisory. First, this bug doesn’t give cybercrooks the ability to steal data or break into your servers directly. 

The good news is no Sophos products are at risk from this bug. Only the current pre-release Beta version of Sophos Management Communication System (MCS 3.0.0 Beta), a component used by Sophos Cloud and UTM Endpoint products, includes an affected version of OpenSSL. However, MCS does not use the relevant part of the OpenSSL code for certificate verification, so cannot fall foul of the bug. Nevertheless, we expect to update MCS 3 Beta with the latest OpenSSL version by mid-August 2015. All other Sophos product families either don’t use OpenSSL at all, or use one of the unaffected versions. 

For more information see the links below. If you have any questions please contact your account manager in the first instance. 

Learn more about OpenSSL CVE-2015-1793 (Naked Security) 

See the latest Sophos support information (KBA)

You can read the original article here.