18 Jun 2019

Hi XG Community!

We've released SFOS v17.5.6 MR6 for the Sophos XG Firewall. Initially, the firmware will be available by manual download from your MySophos account. We then make the firmware available via auto-update to a number of customers, which will increase over time.

Please visit the following link for more information regarding the upgrade process: Sophos XG Firewall: How to upgrade the firmware.

Guidance on recently discovered security vulnerability in Exim email server

Exim is used by XG Firewall v17.5, specifically if a customer has enabled Email Protection. On Friday 7 June 2019, Sophos released and automatically applied an over the air hotfix to all XG Firewalls with auto-updates enabled to address this issue. If your XG Firewall does not have auto-updates enabled, upgrading to 17.5 MR6 release could resolve the issue. Alternatively, you can review KB134199.

What's New in XG Firewall v17.5 MR6

Radius SSO authentication between XG and APX

Wireless users can be authenticated using Radius SSO between XG and APX. Now supports framed IP addresses in client accounting messages.

Issues Resolved in SF 17.5 MR6

NC-40785 [API Framework] Incorrect data types and values in API documentation
NC-44687 [API Framework] Unable to update webadmin settings when WAF rule with port 80 is configured
NC-43933 [Authentication] csd not cleaning up stale connections
NC-45077 [Authentication] Some LDAP users are not associated with the expected group
NC-45283 [Authentication] Memory leak in access server
NC-46024 [Authentication] Guest user registration is not working after upgrading to 17.5 MR4
NC-46572 [Authentication] Race condition in access server when setting authserverid
NC-44178 [Backup-Restore] Unnecessary selection button when downloading backup without encryption password
NC-45532 [Clientless Access] Clientless SMB Bookmark - Unable to upload files in a folder or share with an apostrophe
NC-39353 [Core Utils] Brazilian timezone and DST problem
NC-40924 [Core Utils] ATP patterns filling up /content/ folder
NC-43506 [DHCP] Established connection is destroyed when dynamic WAN interface gets configured
NC-46351 [DHCP] DHCP service dies on firmware upgrade
NC-43624 [Dynamic Routing (PIM)] Coredump from pimd while applying interfaces in pim-sm in HA-AA case
NC-41225 [Email] Assertion while scanning mail with custom file mime type
NC-42752 [Email] Issues with certificate chain
NC-42986 [Email] Mail application usage reports shows 0bytes for POP and IMAP
NC-43179 [Email] Mails stuck in queue when email id contains '='
NC-43285 [Email] Filtering for bounced mails freezes mail log page
NC-43399 [Email] "DKIM: validation of body hash failed" when DKIM signed mail gets forwarded by XG
NC-43445 [Email] Mails are split in different header information and hang in spool
NC-43539 [Email] Unable to access appliance after restoring backup
NC-44131 [Email] Core dumps in smtpd while deleting mail from mail spool page
NC-44490 [Email] Unable to use CAs with ECC certificates
NC-44559 [Email] Conan engine does not get upgraded on migration
NC-44662 [Email] Mails with folded headers might not be processed correctly
NC-45144 [Email] Exim complaining about illegal header file
NC-45223 [Email] Unable to filter mail log with some special russian characters
NC-46145 [Email] Email notification using external mail server not working after upgrading to 17.5 MR4
NC-42902 [Firewall] IPsec traffic flows only after REKEY event
NC-44344 [Firewall] Not able to enable IP Spoofing on more than 18 zones
NC-46188 [Firewall] GUI icons broken in firewall rules
NC-44083 [Hotspot] Hotspot voucher created in HA setup is expired and has used data attached to it
NC-38688 [IPsec] Sporadic connection interruption to local XG after IPsec rekeying
NC-41631 [IPsec] Tunnel not established in HA setup
NC-43220 [IPsec] Unable to use "Reset" button on Sophos Connect settings page
NC-43898 [IPsec] Improve udp/500 firewall rule activation
NC-44072 [IPsec] Charon timeout while starting on small appliances with 20+ IPsec tunnels and auth type 'rsa'
NC-44240 [IPsec] XG not accepting MODP_1024 DH during IKE negotiations
NC-44016 [Logging Framework] Garner segfault in Central Management plugin of garner
NC-44693 [Logging Framework, SecurityHeartbeat] Reports are not being generated
NC-45339 [Logging Framework] Assertion fail in garner causing RED clients to disconnect
NC-46535 [Logging Framework] Memory leak in notification plugin
NC-44531 [nSXLd] nSXLd connection handling improvements
NC-46117 [Policy Routing] Traffic passing through IPSec link though policy route (MPLS) has high priority
NC-30294 [PPPoE] PPPoE interface graph is showing incorrect bandwidth information
NC-33657 [SFM-SCFM] API output shows "Configuration parameters validation failed"
NC-44007 [SFM-SCFM] Error message on GUI: SSOD is stopped
NC-44562 [SFM-SCFM] Backup snapshot has not been restored from SFM when SF having encrypted password for backup
NC-43684 [SNMP] libsnmp segfaults for "AVVERSION Get"
NC-44695 [SSLVPN] Unable to connect via SSL VPN after migrating from CROS
NC-46253 [SupportAccess] Backport: Cannot connect to WebAdmin via SupportAccess
NC-43936 [UI Framework] Guest Users page not loading after deleting the last page of available Guest Users
NC-44018 [UI Framework] Type of icon should be drop-down instead of icon of increase-decrease
NC-44283 [UI Framework] Cannot load Connection Details page of an IPsec VPN connection when Chinese characters are used in local/remote host configuration
NC-45358 [WAF] Privilege escalation from modules' scripts (CVE-2019-0211)
NC-45544 [WAF] Reduce memory footprint
NC-45974 [WAF] URL normalization inconsistency (CVE-2019-0220)
NC-46104 [WAF] HTML rewriting in large embedded CSS causes appliance to reboot due to OOM
NC-46810 [WAF] NULL pointer dereference in mod_proxy_html
NC-43970 [Web] Policy editor window doesn't close when new policy created
NC-44089 [Web] Backslashes not properly escaped on User Activities page
NC-44228 [Web] Web categorization fails randomly
NC-44609 [Web] Incorrect parsing of DNS responses leads to 502 errors
NC-45020 [Web] Memory leak in sandbox pending page
NC-45094 [Web] SSL scan not on in case of force_ntlm on transparent connection
NC-27524 [Wireless] Restoring backup of Cyberoam 10.6.5050 GA not working when WLAN is configured
NC-45088 [Wireless] Selective export of WirelessNetworks with dependencies does not contain any dependencies
NC-45405 [Wireless] Country field for AP shown empty while accepting it with multple pending APs
NC-46142 [Wireless] SSID deleted but WiFi interface remains

Download

To manually install the upgrade, you can download the firmware from the MySophos portal. Please refer to Sophos XG Firewall: How to upgrade the firmware.

The Do over 4 years ago

Why can't i see MR6 in download page?
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel
Mohd Fairus Shamsuddin over 4 years ago

this firmware has fix issues VPN?
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel
IT Admin6 over 4 years ago

17.5.6 have problem with HA normally fail-over just took like few ping drop but 17.5.6 wait for 1 minutes before it recover.
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel
marco_47d over 4 years ago

When i reed some comments it looks like the 15.5.6 is little buggy. Lost of DHCP, Performance Issues and lost of traffic shaping policy makes me not realy motivated to fo to 15.5.6. Are these problems realy confirmed ?
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel
IT Admin6 over 4 years ago

HA seem to take longer than expected when fail-over after update to 17.5 MR6, before this used to be few ping to recover.
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel

SFOS 17.5 MR6 Released

What's New in XG Firewall v17.5 MR6

Issues Resolved in SF 17.5 MR6

Download