SD-RED Firmware 3.0.009 pattern update released

24 May 2023

Overview

We have just launched version 3.0.009 of the RED firmware pattern update. You can download and install the firmware right away. This release is a maintenance update that features essential security updates. The update includes improvements to multiple RED firmware components that address various open CVEs related to those components. Not all of the CVEs, however, affected vulnerabilities on SD-RED devices. Apart from the security enhancements, this firmware update also addresses multiple issues.

Security Fixes

Issue Key	Summary
NRF-633	WiFi mac80211 vulnerabilities : CVE-2022-41674, CVE-2022-42719, CVE-2022-42720, CVE-2022-42721, CVE-2022-42722
NRF-616	Base Ubuntu vulnerabilities: CVE-2022-1012 CVE-2022-20368 CVE-2022-36946 CVE-2022-32296
NRF-614	Address the following vulnerabilities in ncurses library: CVE-2017-10684, CVE-2017-16879, CVE-2018-19211, CVE-2019-17594, CVE-2019-17595, CVE-2021-39537, CVE-2022-29458
NRF-607	SD-RED pcre3 vulnerabilities: CVE-2019-20838, CVE-2020-14155
NRF-603	Address vulnerabilities in the curl component by upgrading it to 7.86.0: CVE-2022-32221, CVE-2022-35260, CVE-2022-42915, CVE-2022-42916.
NRF-601	Upgrade the zlib component to address the vulnerability: CVE-2018-25032 and CVE-2022-37434.

Issues Fixed

Issue Key	Summary
NRF-630	RED failover to integrated 4G module fails intermittently.
NRF-639	4G modules on SD-RED devices do not work when the default IP assignment type is IPv6.
NRF-641	Intermittent traffic disconnection even though the SD-RED 60 tunnel is active.
NRF-635	Intermittent image upgrade issues are seen on SD-RED 20 with 3.0.008 image

Install Instructions

On Sophos Firewall web UI, navigate to Backup & Firmware > Pattern Updates.
If the RED Firmware version is older than this release, click Update Pattern Now.
When ready to deploy new firmware to connected SD-RED devices, click Install.
(SD-)RED devices will be rebooted during the firmware installation process

Supported Platforms

SFOS v18.5MR4+
SFOS v19GA+
SFOS v19.5GA+

10 comments
0 members are here

juergenb52 over 2 years ago

The upgrade of a recovered (bricked) SD-RED 20 went smoothly. Had no issues. NRF-635 seems fixed..
Cancel
Vote Up +2 Vote Down
1
- Tejas Kashyap over 2 years ago in reply to juergenb52
  
  Thanks for the update.
  Cancel
  Vote Up 0 Vote Down
  - Arvin Velasco Carlos over 2 years ago in reply to Tejas Kashyap
    
    Hi, We have a Xg firewall on Azure with ver 18.5.1 MR-1-Build326 with Red firmware version 3.007 for 20+ branches using SDRED 20 and SDRED 60, We are planning to uprade to SFOS 19.5.1 MR1-Build278, we learned that there is a bug; )NRF-635 Intermittent image upgrade issues are seen on SD-RED 20 with 3.0.008 image) will bricked all the SD-RED 20's? Can we skipped the 3.008?, upgrade to SFOS to 19.5, then install the 3.009 firmware? is this possible?...
    Cancel
  - Tejas Kashyap over 2 years ago in reply to Arvin Velasco Carlos
    
    Hi Arvin. Thanks for reaching out.
    
    Since RED firmware 3.0.008 is already downloaded but not installed on your setup, we would prefer you upgrade RED firmware first.
    
    RED firmware upgrade to 3.0.008 on v18.5MR1-326 > SFOS upgrade to 19.5.1.MR1-278 > RED firmware upgrade to 3.0.009 is the suggested sequence.
    
    Also, since 3.0.009 has not been released for 18.5MR1, upgrading RED first and then upgrading SFOS to receive the firmware upgrade.
    Cancel
    Vote Up 0 Vote Down
  - Arvin Velasco Carlos over 2 years ago in reply to Tejas Kashyap
    
    Thanks a lot, alright, we will proceed with these suggested approach, we are just worried because our RED's are deployed geographically wide and it is very hard for our team to deal with the bricked RED that will cause by firmware 3.008 upgrade ..
    Cancel
    Vote Up 0 Vote Down
Glenn2050 over 2 years ago

XGS 3100 HA cluster says "Failed to install RED firmware" and there's nothing in the logging at all?

Already did a node fail over without any result. These products getting worse and worse. Even a simple flush of an ARP table when your cluster is failing over is too hard for Sophos! Sophos needs six months to reproduce this issue says they fixed it and it's back in 19.5.2MR2

Good job Sophos!
Cancel
Vote Up 0 Vote Down
- wlogic over 2 years ago in reply to Glenn2050
  
  What's the current status of your failed RED firmware update?
  Cancel
  Vote Up 0 Vote Down
- Nafets over 2 years ago in reply to Glenn2050
  
  Same error with XG550 Cluster:
  
  Firmware seems ready to install:
  
  Then click on it:
  
  Now it is downloading again
  
  No information in the logfiles about that.. gg
Alexandre Rastello over 2 years ago

Hi,

Already did not have VLAN option ON THE UPLINK CONNECTION!!

Some ISPs configure VLANs on their routers to provide different connection services (Surfing, VoIP, MPLS). It is necessary to be able to configure the uplink connection with a VLAN tag.

It seems to me that Sophos does not listen to requests for modifications...

Alexandre Rastello | IT Consultant | Special Projects | Sophos Architect
- Glenn2050 over 2 years ago in reply to Alexandre Rastello
  
  How about the lag of PPPoE support on the SD-RED 20/60..... They are saying coming soon on support of the VDSL SFP module for SD-RED since a couple of years....