Hi XG Community!

We've released XG Firewall hotfix "HF051220.1".

What does this hotfix contain?

After recent hotfixes to address the SQL injection vulnerability and password reset for the XG Firewall/SFOS (Refer KBA135412), this hotfix HF051220.1 adds a CLI option to change select configuration based on customer requirements:

1) If the customer configuration requires, you can now disable captcha for the webadmin and user portal when they are exposed on the VPN zone.

  • Captcha authentication serves as an extra security defense against scripted automated login attempts, but depending on special customer configurations it may need to be disabled. Best recommendation is to call Sophos Support to guide you through this if you think it is needed.
  • Disabling captcha is done via CLI command: console> system captcha_authentication_VPN enable/disable/show
    • If VPN has been configured as site-to-site IPSec with remote network configuration as "ANY", you will also need to add an IPsec route to turn off captcha for specific VPN host/network.
      • Example:
        1. console> system ipsec_route add host <50.50.50.1> tunnelname <mytunnel>
        2. console> system ipsec_route add net <10.10.10.0/255.255.255.0> tunnelname <mytunnel>

2) If the administrator of the XG Firewall(s) had previously changed passwords after the hotfix was applied on April 25, 2020, you can now turn off mandatory password reset pop-up

  • As an additional security measure related to vulnerability CVE-2020-12271, the password reset is shown only on an XG Firewall that was identified as impacted. For more information see KBA135412.
  • If you have already changed passwords since 2200 UTC on April 25, 2020, for the administrator and any users with administrator privilege, you may want to turn off this mandatory password reset.
  • Disabling password reset is done via CLI command: console> system mandatory_password_reset disable/show

Which firmware versions would receive the hotfix?

  • All supported versions: v17.0, v17.1, v17.5 and v18 GA

How can I confirm that my firewall has received the hotfix?

  • Firmware version on XG Firewall webadmin control center will show "HF051220.1" appended to the SFOS build number.
  • Example - "SFOS 18.0.0 GA-Build379.HF051220.1"

How can I ensure that I receive the hotfix?

If you have disabled “Allow automatic installation of hotfixes”, please reference the following KBA for instructions on how to apply the required hotfix: https://community.sophos.com/kb/en-us/135415

Note: Customers managing XG Firewalls with either Sophos Firewall Manager (SFM) or Central Firewall Manager (CFM) need to verify each firewall has an active connection with firewall management to receive critical updates. These steps are not required for Sophos Central managed devices.

 
  • Buenas tardes

    He actualizado todos mis equipos XG a la versión 17.5.12 MR12, para esta versión cuando va a estar disponible este hotfix?

    Good afternoon

    I have updated all my XG devices to version 17.5.12 MR12, for this version when will this hotfix be available?

    Agradecería respuesta por parte de los desarrolladores de actualizaciones de firewall XG

    I would appreciate a response from developers of XG firewall updates

  • nothing to worry about??? You guy's have ever heard about security awareness? Sophos tells there customers to make company stuff aware of thing you just don't do (click on suspicious links) but use them by your own?

    What's wrong with "t1p.de" for example which is  know for excellent privacy compliance - other than china's domains!?

  • Hi , there's nothing to worry about here, as that SMS has been sent by Sophos only. We shorten the link due to the character limit in SMS.

  • "Any Cyberoam device that has upgraded to the XG Firewall firmware will not implement Captcha"

    It's not true. Captcha works on my two CR100 iNG routers from the very beginning.