Sophos XG 17.5 MR12 Mandatory Password Reset Page???

We updated our Sophos XG Firewall to the latest firmware (17.5 MR12) last week. One of the local administrators logged in today to monitor the firewall and this appeared. 


Is this legitimate or can anyone send me an article about this from Sophos?


We already reset our local and device administrator passwords last April 2020, and now they are requiring us to change our passwords again.


Thank you in advance for those who will help. God bless us all.

  • Hello, 

    We are running Sophos XG with Firmware 17.5 MR-11.


    Today we saw the same screen "Mandatory Password reset" on our firewall. 


    Can anyone please confirm that this is a legitimate action by Sophos, pushed by the company itself, because we got no information from Sophos.


    We would like to mention that our device was recently compromised and patched by Sophos against the recent "SQL Injection" attack, and we have already changed our password according to the given KB.

  • In reply to FaheemSarwar:

    I've seen the email that came out from Sophos yesterday about this, but I've not seen this screen pop up yet.


    The email made it sound like it was only going to affect people that hadn't changed the admin password yet, but if it's going to affect people that have already sorted that out, that isn't very good.


    Regards


    PS: Just had this pop up on my home XG (which wasn't touched). It might be that they now require a complex password, which perhaps your previous one didn't meet the requirements for.

  • In reply to carbon15:

    My account always follows password complexities.


    As per checking, I changed my password last 27 April 2020 to a very complex one.


    I don't understand why I have to do this again.

  • I have seen this in their update yesterday. The problem is they didn't explain it too well that this would be it hahaha.

  • In reply to S023A:

    Hi,

    Sophos remotely enabled password restrictions on XG. Therefore, you probably need to change your passwords.

    Regards
    Jan

  • In reply to S023A:

    Same over here:

    - Password changes done on April 27th

    - New password matches policy


    So let's do the whole stuff one more time for all affected customers...


    I'm also wondering how Sophos pushed all these changes (password complexity rules & Captcha on the admin web interface) to the firewalls? Has the hotfix been modified and reapplied? Or how does Sophos have the possibility to make such extensive changes to default behaviour?

  • Agreed, this is absurd. We reset all our local users' passwords the same weekend that the advisory was published and don't intend to reset them all over again unless the initial mitigation was not sufficient to stop data exfiltration.

    Does anyone know if there's a way to undo these forced password reset flags?

  • In reply to FaheemSarwar:

    Hi All,

    Sophos is enforcing a password reset for the XG administrator and all other local administrator accounts that have not reset passwords since the security hotfix was applied at 2200 UTC on April 25, 2020. Where required, administrative accounts will be prompted to change passwords upon logging into an XG Firewall. The password reset is shown only on an XG Firewall that was identified as impacted AND the password has not been changed since 2200 UTC on April 25, 2020.

    Admins will still receive the password reset request even if multi-factor authentication is enabled. The last date/time check for the password change is determined locally on the firewall from logged events. In the event a positive determination cannot be made, admins will be forced to change their password.
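The rule FloSupport describes (reset required only when the firewall is impacted AND no password change is logged since 22:00 UTC on 25 April 2020, with a forced reset whenever no positive determination can be made) can be checked against an admin-event log. The Python below is an added example, not Sophos code; the log line format, field names and sample entries are constructed assumptions, not the real XG Firewall event format.

```python
from datetime import datetime, timezone

# Cutoff stated in the post: hotfix applied at 22:00 UTC on 25 April 2020.
CUTOFF = datetime(2020, 4, 25, 22, 0, tzinfo=timezone.utc)

# Constructed sample admin-event log. The line format and field names are
# assumptions for this example, not the real XG Firewall event format.
SAMPLE_LOG = """\
2020-04-24T09:12:00Z user=admin event=login result=success
2020-04-26T08:30:00Z user=admin event=password_changed result=success
2020-04-20T11:00:00Z user=ops1 event=password_changed result=success
2020-04-27T14:05:00Z user=ops1 event=login result=success
2020-04-28T10:00:00Z user=auditor event=login result=success
"""

def parse_line(line):
    """Return (utc_timestamp, fields) for one line, or None if malformed."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    return ts.replace(tzinfo=timezone.utc), fields

def last_password_change(log_text, user):
    """Most recent successful password change for `user`, or None if none logged."""
    latest = None
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, f = parsed
        wanted = (f.get("user"), f.get("event"), f.get("result"))
        if wanted == (user, "password_changed", "success"):
            if latest is None or ts > latest:
                latest = ts
    return latest

def reset_required(impacted, log_text, user):
    """The rule from the post: impacted AND no password change since CUTOFF.
    No logged change means no positive determination, so the reset is forced."""
    if not impacted:
        return False
    last = last_password_change(log_text, user)
    return True if last is None else last < CUTOFF
```

Note that `auditor` is flagged even though the account may have been reset out of band: with no successful password_changed event in the log, the fail-safe branch applies, which matches the "positive determination cannot be made" case in the post.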

  • In reply to FloSupport:

    Hi Flo,

    Thank you for explaining this to us.

    You have mentioned that the mandatory password reset is for firewalls that are affected and whose password has not been changed since 2200H UTC on April 25, 2020.


    As per my understanding it is an AND statement not an OR statement.


    We have already changed our password last 26th of April, as per checking via Admin events, thus removing us from the coverage bracket of the AND statement above.


    I am really wondering why I myself or my other teammates will still have to redo this even if we are done with it and followed the recommendations that you have provided in the KB.

  • In reply to FloSupport:

    Is there a way to remove the "password reset required flags" manually? (We reset the passwords after the hotfix had been applied to our firewall but before the Sophos cutoff time of 22:00 UTC, when the hotfix had been applied to all hotfix-enabled firewalls.)

  • In reply to S023A:

    Apologies for any inconvenience caused by this enforced password reset.


    Hi 

    That is correct that this is an AND statement. Could you please raise a case and PM me with the case number for further investigation of your situation?


    Hi  

    Unfortunately for security purposes, there is no way to skip this enforced password reset.


    Regards,

  • In reply to FloSupport:

    Hi  

    I already filed a case today and am waiting for the email with the case number to come in. I will send it to you.

  • Every time I try to change my password via the pop-up box it says incorrect current password, which I know is untrue because if I log out and sign in with that password I get in successfully. I also tried manually resetting my password, but even after that, when accessing my firewall it asks me to change the password again, with the same problem.

  • In reply to Ryan McClarin-Truss:

    Hi  

    Please refer to the article https://community.sophos.com/products/xg-firewall/b/blog/posts/xg-firewall-hotfix-hf051220-1-released and, for more information, you may raise a support request to investigate the issue further.