OpenSSL vulnerability CVE-2021-3449/CVE-2021-3450
BWC
Cybersecurity Overlord ✭✭✭
Hi,
Considering the fact that the SMA 100-series is running OpenSSL 1.1.1i, what is the impact of the two new high-severity vulnerabilities discovered and fixed in OpenSSL 1.1.1k?
This is not limited to SMA 100-series, every other platform using OpenSSL is affected as well.
When can we expect a patch for all related products?
--Michael@BWC
Category: Secure Mobile Access Appliances
Comments
Is disabling TLS v1.2 and having only TLS v1.3 a valid mitigation until fixed firmware is available, because it seems to be TLS v1.2-related?
--Michael@BWC
How do we follow this advice, SNWL?
--Michael@BWC
Checking on this.
@micah - SonicWall's Self-Service Sr. Manager
Hello, any reply on these advisories please? It's been 3 days since the last update.
Hello, for anyone interested, please find below the comments received after a support case was logged with SonicWALL for the SMA series.
From SonicWall Technical Support: "I have taken ownership of your case. The high-severity OpenSSL vulnerabilities CVE-2021-3450 and CVE-2021-3449 will be fixed in the upcoming firmware releases 10.2.0.8 and 10.2.1.0-12sv. Thank you."
Subsequently, I have re-requested additional answers to the original support case comments regarding release timescales and any mitigating actions which can be configured before the firmware release.
Thanks @JohnStevo for the information and for clearing this up with Support. No one at SNWL saw the need to chime in here.
Let's sit back, wait and hope for the best.
--Michael@BWC
Because there is still nothing from SNWL, it seems that disabling TLSv1.2, as I mentioned before, is a short-term mitigation?
--Michael@BWC
@BWC We have received an update with a workaround from SonicWALL, bizarrely from the GMS team (to whom we asked the same question regarding OpenSSL), but relating to the SMAs:
- OpenSSL vulnerabilities CVE-2021-3450 and CVE-2021-3449 will be fixed in the upcoming firmware releases 10.2.0.8 and 10.2.1.0-12sv…
- Disabling TLS v1.2 and only having TLSv1.3 is a workaround for now; be sure to reboot after the change.
Hope this helps.
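An added example for readers following the workaround above (not SonicWall's or OpenSSL's code, and not part of the original thread). It does two things a practitioner would want while waiting for the fixed firmware: classify an `openssl version` banner against the fixed release 1.1.1k, using the ranges from the OpenSSL advisory of 25 March 2021 (CVE-2021-3449 affects 1.1.1 through 1.1.1j; CVE-2021-3450 affects 1.1.1h through 1.1.1j), and build a TLS 1.3-only server context and confirm it refuses TLS 1.2. The caveat: a TLS 1.3-only floor removes the TLS 1.2 renegotiation path that CVE-2021-3449 crashes, but CVE-2021-3450 lives in certificate-chain validation (only when `X509_V_FLAG_X509_STRICT` is set) and is not affected by the protocol version. The function names and sample banners are constructed for this example.

```python
import re
import ssl

# Added example, not SonicWall's or OpenSSL's code.
# First 1.1.1 release carrying the fixes for both CVE-2021-3449 and CVE-2021-3450.
FIXED_1_1_1 = "1.1.1k"

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Parse an 'openssl version' banner such as 'OpenSSL 1.1.1i  8 Dec 2020'
    into a comparable tuple (major, minor, fix, suffix).

    OpenSSL 1.x patch releases are ordered by the letter suffix
    (1.1.1 < 1.1.1a < ... < 1.1.1k), so the suffix is mapped to an integer
    ('' -> 0, 'a' -> 1, ..., 'k' -> 11).
    """
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    major, minor, fix = (int(x) for x in m.group(1, 2, 3))
    suffix = 0
    for ch in m.group(4):
        suffix = suffix * 26 + (ord(ch) - ord("a") + 1)
    return (major, minor, fix, suffix)


def affected_by_cve_2021_3449_3450(banner):
    """Return which of the two CVEs the given OpenSSL build is exposed to.

    Ranges per the OpenSSL advisory of 25 March 2021:
      CVE-2021-3449: 1.1.1 through 1.1.1j (fixed in 1.1.1k)
      CVE-2021-3450: 1.1.1h through 1.1.1j (fixed in 1.1.1k)
    Other branches (1.0.2, 3.0 alphas) are reported as not affected here.
    """
    v = parse_openssl_version(banner)
    in_1_1_1 = v[:3] == (1, 1, 1)
    fixed = v >= parse_openssl_version("OpenSSL " + FIXED_1_1_1)
    has_3450_code = v >= parse_openssl_version("OpenSSL 1.1.1h")
    return {
        "CVE-2021-3449": in_1_1_1 and not fixed,
        "CVE-2021-3450": in_1_1_1 and not fixed and has_3450_code,
    }


def tls13_only_server_context():
    """Server-side SSLContext that refuses anything below TLS 1.3.

    With TLS 1.2 disabled a client cannot reach the renegotiation code path
    that CVE-2021-3449 crashes. This does nothing for CVE-2021-3450, which is
    in X.509 chain validation under X509_V_FLAG_X509_STRICT, not in the
    handshake.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    # TLS 1.3 has no renegotiation, but forbid it explicitly in case the
    # version floor is ever relaxed again.
    ctx.options |= ssl.OP_NO_RENEGOTIATION
    return ctx


def context_is_tls13_only(ctx):
    """Check that a context cannot negotiate TLS 1.2 or lower."""
    return (ctx.minimum_version == ssl.TLSVersion.TLSv1_3
            and ctx.maximum_version == ssl.TLSVersion.TLSv1_3)


if __name__ == "__main__":
    # Constructed sample banners; the first matches what the thread says the
    # SMA 100-series ships, the second the fixed release.
    for banner in ("OpenSSL 1.1.1i  8 Dec 2020", "OpenSSL 1.1.1k  25 Mar 2021"):
        print(banner, "->", affected_by_cve_2021_3449_3450(banner))
    print("TLS 1.3 only:", context_is_tls13_only(tls13_only_server_context()))
```

On an appliance you cannot run Python on, the same version check is just `openssl version` compared against 1.1.1k; the point of the context helper is that "TLS 1.3 only" has to be enforced as both a floor and a ceiling, since a floor alone still leaves TLS 1.2 negotiable if the ceiling is later raised elsewhere.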
It made it to the SNWL Security Blog 👏
@Micah still checking?
--Michael@BWC
Just checking, anything new on this?
--Michael@BWC
The private build I've got for my RADIUS thingy already contains OpenSSL 1.1.1k, so it's in the works. @Micah, in case someone asks.
Next stop, dedusting the rest of the system. <fingerscrossed> 🤣
--Michael@BWC