On 7th April 2014 a critical vulnerability was found in OpenSSL. This article tells Sophos customers how our products are impacted and the steps required to fix the vulnerability.
Important: This article may continue to be updated with further advice. We therefore recommend you check back regularly for new information.
Applies to the following Sophos product(s) and version(s)
Sophos Anti-Virus for VMware vShield
What is the vulnerability?
The official CVE is tracked here and mentions versions of OpenSSL used in some Sophos products (see below).
The vulnerability is a TLS heartbeat read overrun which could be used to reveal chunks of sensitive data from the system memory of any system worldwide running the affected versions of OpenSSL. Only exposed services are immediately affected, as the bug allows data to be read from the process's own memory.
For more information read our Naked Security blog article on the issue: Anatomy of a data leakage bug - the OpenSSL "heartbleed" buffer overflow
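The bounds check whose absence produces a heartbeat read overrun, shown as an added illustration (this is not OpenSSL or Sophos code). The function names and the two sample records are constructed for this example; the message layout (1-byte type, 2-byte payload length, payload, at least 16 bytes of padding) follows RFC 6520.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HDR_LEN  3   /* 1-byte type + 2-byte payload_length (RFC 6520) */
#define HB_MIN_PAD  16  /* RFC 6520 requires at least 16 bytes of padding */

/* Constructed sample records: HB_OK is well formed (4-byte payload),
 * HB_BAD claims a 0x4000-byte payload but carries only 1 byte. */
static const uint8_t HB_OK[23]  = {HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g'};
static const uint8_t HB_BAD[20] = {HB_REQUEST, 0x40, 0x00, 'x'};

/* payload_length exactly as the sender claims it; nothing is copied here. */
size_t hb_claimed_len(const uint8_t *rec, size_t rec_len)
{
    return rec_len < HB_HDR_LEN ? 0 : (((size_t)rec[1] << 8) | rec[2]);
}

/* Builds the response in out and returns its length, or -1 when the
 * request has to be discarded silently. */
long hb_build_response(const uint8_t *rec, size_t rec_len,
                       uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HDR_LEN + HB_MIN_PAD || rec[0] != HB_REQUEST)
        return -1;
    size_t payload = hb_claimed_len(rec, rec_len);
    size_t total = HB_HDR_LEN + payload + HB_MIN_PAD;
    /* The missing check behind the over-read: the claimed payload must
     * fit inside the bytes that were actually received. */
    if (total > rec_len || total > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR_LEN, rec + HB_HDR_LEN, payload); /* now bounded by rec_len */
    memset(out + HB_HDR_LEN + payload, 0, HB_MIN_PAD);   /* real stacks use random padding */
    return (long)total;
}

int main(void)
{
    uint8_t out[64];
    printf("well-formed: %ld\n", hb_build_response(HB_OK, sizeof HB_OK, out, sizeof out));
    printf("over-long claim (%zu bytes): %ld\n", hb_claimed_len(HB_BAD, sizeof HB_BAD),
           hb_build_response(HB_BAD, sizeof HB_BAD, out, sizeof out));
    return 0;
}
```

Without the `total > rec_len` comparison, the copy length would come from the sender's claimed value alone, which is how memory beyond the received record ends up in the reply.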
What versions of OpenSSL are affected?
1.0.1 and 1.0.2-beta releases of OpenSSL are affected, including 1.0.1f and 1.0.2-beta1.
What products are affected and how is the vulnerability fixed?
The table below lists all the affected Sophos products. Important: Though other products may use SSL, these are not affected and no action is required.
If you use one or more of the products mentioned below, use the table to guide you on what is required.
|Sophos Product ||Steps to fix |
|UTM 9.1 || |
A patch is available for the vulnerability in UTM 9.1. The overview steps are:
- Install the patch
- Print your configuration
- Reboot the UTM
- Regenerate certificates
- Change your passwords
For detailed instructions see article 120851.
|UTM 9.2 |
|UTM LiveConnect Servers ||Patched April 9, 2014. |
|UTM Manager 4.105 || |
Patched in 4.106-2, available now.
To apply the patch proceed as follows:
- Log into the SUM WebAdmin on port 4444 (not Gateway Manager which is by default on port 4422)
- Navigate to Management | Up2Date | Overview and use 'Update to latest version now' to install the Firmware Up2Date
- Click on the 'Watch Up2Date Progress in new window' and an extra browser window will show the progress of the Up2Date installation (The System administrator will receive a notification email once the Up2Date process has finished)
Alternatively you can download the Up2Date package from our FTP Server and install it under Management | Up2Date | Advanced:
First update from 4.105 to 4.106:
Download SUM 4.106 (MD5)
Second update from 4.106 to 4.106-2:
Download SUM 4.106-2 (MD5)
|SAV for vShield || |
A new version of the installer, version 1.1.6, has been made available to address the vulnerability and can be downloaded here.
Sophos Anti-Virus for VMware vShield version 1.0 customers:
Please upgrade to version 1.1.6, which includes an uninstall and install wizard to assist with the upgrade. Please see the Sophos Anti-Virus for VMware vShield upgrade guide for step-by-step information on how to upgrade.
Sophos Anti-Virus for VMware vShield version 1.1.4 customers:
- Address the vulnerability immediately by downloading and installing the new SAV for vShield 1.1.6 installer from the MySophos downloads webpage.
- Wait for the update which will be automatically applied to your existing implementation on or shortly after April 22nd. This is part of the normal monthly update process for Sophos Anti-Virus software, and no manual intervention is necessary.
Note: For information on VMware products and OpenSSL vulnerability status see VMware’s security advisory - http://www.vmware.com/security/advisories/VMSA-2014-0004
| Sophos Cloud ||We patched cloud.sophos.com immediately to protect against the vulnerability and have seen no evidence that the platform has been attacked. As per industry standard guidance we encourage you to update your cloud.sophos.com password as an extra precaution. |
For information relating the vulnerability to other Sophos products see:
There are three primary requirements to patch the OpenSSL vulnerability, protect yourself from any future exploit attempts, and mitigate any security vulnerabilities if your certs have already been compromised:
- Apply the OpenSSL Patch
- Regenerate all SSL certs
- Change all passwords
Where do I get the Patch and instructions to Regenerate all SSL Certs?
The currently available patches for UTM are listed in article Heartbleed: Recommended steps for UTM. We will add details on other patches as soon as possible. Check back for updates.