Hi Community! We have released RED firmware pattern update version 3.0.007. The firmware is immediately available for download and update. This is a maintenance release with several important security updates. A number of RED firmware components were updated, that collectively address a large number of open CVEs relevant to those components, though not all of the CVEs result in vulnerabilities on RED devices. 

News:
Maintenance Release

Security fixes:

  • NRF-513 Address  Frag Attack vulnerabilities in RED devices (CVE-2020-24586, CVE-2020-24587, CVE-2020-24588, CVE-2020-26139, CVE-2020-26140, CVE-2020-26141, CVE-2020-26142, CVE-2020-26143, CVE-2020-26144, CVE-2020-26145, CVE-2020-26146, CVE-2020-26147)
  • NRF-514 Address open CVEs in openssl (CVE-2020-1971, CVE-2021-23840, CVE-2021-23841)
  • NRF-515 Upgrade libcurl version to 7.76.1 to address open CVEs (CVE-2021-22898, CVE-2021-22924, CVE-2021-22925)
  • NRF-510 Upgrade dnsmasq to v2.85 (CVE-2020-25670, CVE-2020-25671, CVE-2020-25672, CVE-2020-25673,CVE-2021-29155, CVE-2021-3501)
  • NRF-516 Address open CVEs in binutils utility 

Bugfixes:

  • NRF-509 Fix issue where AP was not registering over RED15w tunnel
  • NRF-517 Fix issue where SD-RED60 LAN switch VLAN configuration was lost after some time 

Install Instructions

  • On Sophos Firewall web UI, navigate to Backup & Firmware > Pattern Updates.
  • If RED Firmware version is older than this release, click Update Pattern Now
  • When ready to deploy new firmware to connected SD-RED devices, click Install
  • RED devices will be rebooted during firmware installation process

  • *only SD-RED devices (SD-RED 60 and SD-RED 20) or it will also update RED-50, RED-15.. devices?

  • Hi Alan. If I ran pattern update 3.0.007 from UTM, will it update on SD-RED devices (SD-RED 60 and SD-RED 20) or it will also update RED-50, RED-15.. devices?

  • Keep an Eye on the Release Notes Section of UTM. As UTM need a new firmware release, it generally speaking takes longer to develop this for UTM. SFOS can use a own channel for RED/AP Firmware. 

  • we've had a HA Failure shortly after this event oun our XG.

    Somewhere in the same time, I uploaded a Firmware via GUI.

    But this looks unhealthy. 12:14 we've had the HA failure

    BUG     Oct 12 11:58:19 [31046]: Received releasenotes : https://d3tusa5dvomhzy.cloudfront.net/CHANGELOG/18.5.1.326.releasenotes
    DEBUG     Oct 12 11:58:19 [31046]: Received message : Sophos Firewall MR Release
    DEBUG     Oct 12 11:58:19 [31046]: Received releasedate : 2021-08-09
    DEBUG     Oct 12 11:58:19 [31046]: Received name : redfw_2.00_3.0.007.tar.gz.gpg
    DEBUG     Oct 12 11:58:19 [31046]: Received location : https://d30ncyzaneb4q0.cloudfront.net/redfw_2.00_3.0.007.tar.gz.gpg
    DEBUG     Oct 12 11:58:19 [31046]: Received version : 3.0.007
    DEBUG     Oct 12 11:58:19 [31046]: Received size : 69390245
    DEBUG     Oct 12 11:58:19 [31046]: Received md5sum : 25c1a5899ffbab1ce2f1a1e00e2ff17b
    DEBUG     Oct 12 11:58:19 [31046]: Received module : redfw
    DEBUG     Oct 12 11:58:19 [31046]: Received cv : 2.00
    DEBUG     Oct 12 11:58:19 [31046]: Received type : full
    WARNING   Oct 12 11:58:19 [31046]: A new update is available for redfw but we are ignoring it as download for a previous update is in progress.
    DEBUG     Oct 12 12:01:17 [9067]: --serial = xxxxx
    DEBUG     Oct 12 12:01:17 [9067]: --deviceid = xxxxx
    DEBUG     Oct 12 12:01:17 [9067]: --fwversion = 18.0.5.586
    DEBUG     Oct 12 12:01:17 [9067]: --productcode = CN
    DEBUG     Oct 12 12:01:17 [9067]: --model = XG430
    DEBUG     Oct 12 12:01:17 [9067]: --vendor = WP02
    DEBUG     Oct 12 12:01:17 [9067]: --pkg_sysupdate_version = 4
    DEBUG     Oct 12 12:01:17 [9067]: Added new server : Host - eu-west-1.u2d.sophos.com., Port - 443
    DEBUG     Oct 12 12:01:17 [9067]: Added new server : Host - ap-northeast-1.u2d.sophos.com., Port - 443
    DEBUG     Oct 12 12:01:17 [9067]: Added new server : Host - us-west-2.u2d.sophos.com., Port - 443
    DEBUG     Oct 12 12:01:17 [9067]: --u2d_proto = 1.50
    DEBUG     Oct 12 12:01:17 [9067]: Final query string is :
    ?&serialkey=xxxxx&deviceid=xxxxx&fwversion=18.0.5.586&productcode=CN&appmodel=XG430&appvendor=WP02&useragent=SF&oem=&pkg_sysupdate_version=4&u2d_proto=1.50
    DEBUG     Oct 12 12:01:19 [9067]: Response code : 503
    DEBUG     Oct 12 12:01:19 [9067]: Response body :
    <?xml version="1.0" encoding="iso-8859-1"?>
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
             "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
     <head>
      <title>503 Service Unavailable</title>
     </head>
     <body>
      <h1>503 Service Unavailable</h1>
     </body>
    </html>
    
    DEBUG     Oct 12 12:01:19 [9067]: Response length : 361
    ERROR     Oct 12 12:01:19 [9067]: Received invalid top level tag html, expecting Up2Date
    ERROR     Oct 12 12:01:19 [9067]: FATAL : Error in parsing response, exiting.
    Tue Oct 12 12:16:27 2021 init: Current up2date schema 18 for module atp present in public.tblup2dateinfo, updating...
    Tue Oct 12 12:16:27 2021 init: Previous versions for atp were cv=1.00, version=1.0.0381
    Tue Oct 12 12:16:27 2021 init: Succesfully updated atp details for up2date schema 18 in public.tblup2dateinfo.
    Tue Oct 12 12:16:27 2021 init: /content/atp is already pointing to correct /content/atp_1.00/1.0.0381

  • When will the update for the UTM be made available ?