Hi XG Community!
We've released XG Firewall hotfix "HF051220.1".
What does this hotfix contain?
After recent hotfixes to address the SQL injection vulnerability and password reset for the XG Firewall/SFOS (Refer KBA135412), this hotfix HF051220.1 adds a CLI option to change select configuration based on customer requirements:
1) If the customer configuration requires, you can now disable captcha for the webadmin and user portal when they are exposed on the VPN zone.
- Captcha authentication serves as an extra security defense against scripted automated login attempts, but depending on special customer configurations it may need to be disabled. Best recommendation is to call Sophos Support to guide you through this if you think it is needed.
- Disabling captcha is done via CLI command: console> system captcha_authentication_VPN enable/disable/show
- If VPN has been configured as site-to-site IPSec with remote network configuration as "ANY", you will also need to add an IPsec route to turn off captcha for specific VPN host/network.
- Example:
- console> system ipsec_route add host <50.50.50.1> tunnelname <mytunnel>
- console> system ipsec_route add net <10.10.10.0/255.255.255.0> tunnelname <mytunnel>
- Example:
- If VPN has been configured as site-to-site IPSec with remote network configuration as "ANY", you will also need to add an IPsec route to turn off captcha for specific VPN host/network.
2) If the administrator of the XG Firewall(s) had previously changed passwords after the hotfix was applied on April 25, 2020, you can now turn off mandatory password reset pop-up
- As an additional security measure related to vulnerability CVE-2020-12271, the password reset is shown only on an XG Firewall that was identified as impacted. For more information see KBA135412.
- If you have already changed passwords since 2200 UTC on April 25, 2020, for the administrator and any users with administrator privilege, you may want to turn off this mandatory password reset.
- Disabling password reset is done via CLI command: console> system mandatory_password_reset disable/show
Which firmware versions would receive the hotfix?
- All supported versions: v17.0, v17.1, v17.5 and v18 GA
How can I confirm that my firewall has received the hotfix?
- Firmware version on XG Firewall webadmin control center will show "HF051220.1" appended to the SFOS build number.
- Example - "SFOS 18.0.0 GA-Build379.HF051220.1"
How can I ensure that I receive the hotfix?
If you have disabled “Allow automatic installation of hotfixes”, please reference the following KBA for instructions on how to apply the required hotfix: https://community.sophos.com/kb/en-us/135415
Note: Customers managing XG Firewalls with either Sophos Firewall Manager (SFM) or Central Firewall Manager (CFM) need to verify each firewall has an active connection with firewall management to receive critical updates. These steps are not required for Sophos Central managed devices.