We have the admin login only allowing logins from our HQ (IP limited). Yet, they have all been compromised?
I rechecked the domains on another firewall and most of them are offline now. One of them actually points to a reseller in Florida. I don't think your LAN computer accessing for whatever reason should be a major concern (maybe a coincidence). Don't know, I am out of ideas on this.
Big_Buck said: On my Home machine, Sophos indicated the machine was not compromised.
Big_Buck said: I am receiving a text from Sophos SMS asking me to check a document at: "https://fal.cn" regarding the latest hotfix. In China!!!!!!!!!!
Is this normal?
They are probably trying to shorten the URL; however, as a security company they shouldn't be doing this. Don't know what's happening with Sophos.
Maybe the bug "NC-58339" for devices on SFOS v17.5 MR10, MR11 and MR12 could be another vector of attack.
"Local ACL Exceptions" will not work if there is an Any-Any Drop Firewall rule configured.
We had the "Local ACL Exceptions" for User portal access only from one country. Because this exception was not working, the portal was accessible to the whole Internet.
community.sophos.com/.../sfos-17-5-mr12-local-service-acl-exception-rule-still-not-working
Hi Paul,
just a final note, thanks to Pavol who pointed me to
And yes, I tested and proved this (also on 17.5.12): TCP/8094 is open on the WAN interface! This could be another leak where the SQL injection occurred.
bye Josef
BERGMANN engineering & consulting GmbH, Wien/Austria
Hi Paul,
No, I'm not kidding :) Just try it yourself: simply use one of the free online scanners to probe TCP port 8094 on the WAN IP of a Sophos XG, e.g. https://ping.eu/port-chk/ or https://portchecker.co/ or others.
It seems that this service is by default always open for any network, no matter if you have the SPX Encryption for email configured or not. And as the release notes show, this service was vulnerable to "Blind pre-auth SQLi" before 17.5 MR12.
You must actively change the "Allowed networks" in Email -> Encryption -> SPX portal settings! As a workaround I've only allowed #Port1 to disable this service on the WAN.
For me it's now enough. We stopped selling these boxes already two years ago, but now we will also replace the remaining ones (with another brand).
bye Josef
BERGMANN engineering & consulting GmbH, Wien/Austria
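To verify the workaround above from the outside without relying on a third-party web scanner, here is an added example (not from the thread or from Sophos) that checks whether TCP/8094 still accepts connections on each firewall WAN IP you manage; the addresses in `fleet` are placeholders you replace with your own, and the check must be run from a host outside the "Allowed networks" you configured.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

SPX_PORT = 8094  # SPX portal service discussed in the thread


def is_tcp_port_reachable(host: str, port: int = SPX_PORT, timeout: float = 3.0) -> bool:
    """Return True if a TCP handshake to host:port completes, i.e. the service is exposed.

    Connection refused, unreachable host and timeout all surface as OSError
    (socket.timeout is a subclass), so they are treated alike as "not exposed".
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_spx_exposure(wan_ips, port: int = SPX_PORT, timeout: float = 3.0) -> dict:
    """Probe each WAN IP in parallel; return {ip: "EXPOSED" | "closed"}."""
    with ThreadPoolExecutor(max_workers=8) as pool:
        results = pool.map(
            lambda ip: (ip, is_tcp_port_reachable(ip, port, timeout)), wan_ips
        )
    return {ip: ("EXPOSED" if reachable else "closed") for ip, reachable in results}


if __name__ == "__main__":
    # Placeholder addresses (RFC 5737 documentation range): substitute the
    # WAN IPs of the XG firewalls you administer.
    fleet = ["192.0.2.10", "192.0.2.20"]
    for ip, state in audit_spx_exposure(fleet).items():
        print(f"{ip}:{SPX_PORT} {state}")
```

Re-run it after changing the SPX portal "Allowed networks"; every WAN IP should report "closed" from a host that is not in the allowed list.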
Indeed. Open on one firewall.
Should I expect both MTA mode and legacy mode to behave the same, i.e. port 8094 open?
I have searched the Sophos web site regarding this, and the fact that port 8094 was always open has already been a major concern to many.
Well. The other workaround is to install another firewall between WAN and XG. I mean, one that does only what it is asked to do, and does not do what it is not asked. And one that has a real log viewer.
Paul Jr