Is SafeGuard Enterprise affected by the recently identified OpenSSL memory leak in versions 1.0.1 to 1.0.1f (CVE-2014-0160, "Heartbleed")?

  • Article ID: 120846
  • Updated: 28 Nov 2014

The vulnerability is designated CVE-2014-0160 and is described in the OpenSSL security advisory of 7 April 2014: https://www.openssl.org/news/secadv_20140407.txt

Applies to the following Sophos product(s) and version(s)

SafeGuard Management Center / Local Policy Editor
SafeGuard Enterprise Server

Information

While SafeGuard Enterprise ships some OpenSSL modules, the affected code (the TLS heartbeat extension handling) is not used at all by the SafeGuard Enterprise Server, the SafeGuard Enterprise Management Console, or the SafeGuard Enterprise Client for Windows. All three use the Windows TLS implementation (Schannel) for their connections and are therefore unaffected.

On SafeGuard for Mac clients the affected code is used by one helper process that is responsible for communication with the SafeGuard Enterprise Server. This process runs with restricted privileges and only relays files, whose contents it does not interpret, between the SafeGuard Enterprise Server and the SafeGuard for Mac client. Any key material in those files is encrypted with keys that are unrelated to the SSL connection. CVE-2014-0160 lets a peer read up to 64 KB of the vulnerable process's memory per malformed heartbeat, but the memory of this helper process holds nothing useful for an attacker to extract. Note also that, because the faulty heartbeat handling is triggered by the peer, a client-side process is only exposed when it connects to a malicious or compromised server.

Nevertheless, all OpenSSL instances shipped with SafeGuard Enterprise will be updated to the latest version in the next release.
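To verify for yourself which OpenSSL build a given binary or library embeds, the following script (an added example, not part of this article or of Sophos's tooling) classifies an OpenSSL version string against the affected range and scans a file for the "OpenSSL x.y.z <date>" banner that libcrypto carries. The file paths in the usage comments and the sample binary it builds for offline use are assumptions; on a Mac client you would point it at the helper process's own binary or the libssl/libcrypto libraries it links.

```shell
#!/bin/sh
# Added example, not Sophos code: classify OpenSSL version strings against the
# CVE-2014-0160 affected range and scan files for the embedded version banner.

# Verdicts: "vulnerable" for 1.0.1 through 1.0.1f (and 1.0.2-beta1, which the
# linked advisory also lists), "fixed" for 1.0.1g and later on the 1.0.1
# branch, "unaffected" for branches that never carried the heartbeat bug.
classify_openssl_version() {
    case "$1" in
        1.0.1|1.0.1-*|1.0.1[a-f]*) echo vulnerable ;;
        1.0.1[g-z]*)               echo fixed ;;
        1.0.2-beta1)               echo vulnerable ;;
        *)                         echo unaffected ;;
    esac
}

# Print "<version> <verdict>" for each distinct OpenSSL banner found in $1.
# tr turns every non-printable byte into a newline (a minimal strings(1)), so
# this works on Mach-O, PE and ELF files alike without extra tooling.
scan_file_for_openssl() {
    tr -c '[:print:]' '\n' < "$1" \
        | grep -o 'OpenSSL [0-9]\.[0-9]\.[0-9][0-9a-z-]*' \
        | sort -u \
        | while read -r _name ver; do
            echo "$ver $(classify_openssl_version "$ver")"
          done
}

# Exit 0 if $1 contains at least one vulnerable banner, 1 otherwise.
# A file with no banner at all is reported as not vulnerable; check that a
# statically linked binary really embeds OpenSSL before trusting that.
file_has_vulnerable_openssl() {
    scan_file_for_openssl "$1" | grep -q ' vulnerable$'
}

# Constructed sample for offline use: a fake binary whose only readable text
# is an OpenSSL banner. $1 = version string, $2 = output path.
make_sample_binary() {
    printf 'MZ\001\002\003OpenSSL %s 11 Feb 2013\004\377\376tail' "$1" > "$2"
}

# Usage (paths are assumptions):
#   sh scan.sh /path/to/helper /path/to/libssl.dylib
# On a Mac client, scan the libraries a helper process links:
#   otool -L /path/to/helper | awk 'NR>1 {print $1}' | grep -i ssl \
#       | while read -r lib; do scan_file_for_openssl "$lib"; done
for f in "$@"; do
    scan_file_for_openssl "$f"
done
```

A binary that links OpenSSL statically shows the banner in the binary itself rather than in a separate library, so scan both the executable and anything `otool -L` (or `ldd` on Linux) reports.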

If you need more information or guidance, please contact technical support.
