3CX DLL-Sideloading attack: What you need to know
I've deployed VI-19.0.0_GA.VMW-317.zip last Sunday and migrated SFOS 19.0.0 GA-Build317 from old SFV4C6 to this new one (because of swap problems). Veeam ONE Monitor starts to send Guest disk space "/var" alarms today. It looks like SFOS v. 19 image has much less space for /var than v. 18.5. (along to https://community.sophos.com/sophos-xg-firewall/sfos-v19-early-access-program/f/discussions/133616/v19-hyperv-disk-usage-reporting-full).
SFV4C6_VM01_SFOS 19.0.0 GA-Build317# fdisk -l Disk /dev/sda: 16 GB, 17179869184 bytes, 33554432 sectors 2088 cylinders, 255 heads, 63 sectors/track Units: sectors of 1 * 512 = 512 bytes Device Boot StartCHS EndCHS StartLBA EndLBA Sectors Size Id Type /dev/sda1 1023,254,63 1023,254,63 33144832 33423359 278528 136M 83 Linux /dev/sda2 1023,254,63 1023,254,63 33423360 33554431 131072 64.0M 83 Linux Disk /dev/sdb: 80 GB, 85899345920 bytes, 167772160 sectors 10443 cylinders, 255 heads, 63 sectors/track Units: sectors of 1 * 512 = 512 bytes Disk /dev/sdb doesn't contain a valid partition table
SFV4C6_VM01_SFOS 19.0.0 GA-Build317# df -h Filesystem Size Used Available Use% Mounted on none 640.6M 11.6M 582.3M 2% / none 2.9G 24.0K 2.9G 0% /dev none 2.9G 16.9M 2.9G 1% /tmp none 2.9G 14.7M 2.9G 0% /dev/shm /dev/boot 127.7M 26.6M 98.4M 21% /boot /dev/mapper/mountconf 560.3M 93.4M 462.9M 17% /conf /dev/content 11.8G 493.4M 11.3G 4% /content /dev/var 3.7G 3.5G 174.5M 95% /var
SFV4C6_VM01_SFOS 19.0.0 GA-Build317# df -m /var Filesystem 1M-blocks Used Available Use% Mounted on /dev/var 3776 3589 170 95% /var
SFV4C6_VM01_SFOS 19.0.0 GA-Build317# du -d 1 -m /var/|sort -nr|head 2995 /var/ 945 /var/tslog 742 /var/newdb 565 /var/eventlogs 218 /var/savi 204 /var/tmp 192 /var/avira4 46 /var/sasi 24 /var/conan_new 24 /var/conan
BTW I have no idea why "df -m /var" differs from "du =ms /var".
SFV4C6_VM01_SFOS 19.0.0 GA-Build317# df -m /var/ && du -ms /var/ Filesystem 1M-blocks Used Available Use% Mounted on /dev/var 3776 3561 199 95% /var 2967 /var/
It could be resolved on v19 MR-1 but I can't see it in Resolved issues. Anyway I get "No records found" if I check for new firmware.
I've tried to find how to purge report logs but firewall help is not very instructive. What is the recommended procedure?
This could be: NC-94291
Fixed in MR1.
__________________________________________________________________________________________________________________
I updated other SFV4C6 VM to SFOS 19.0.1 MR-1-Build350 but it doesn't look like the size of /var was fixed:
Before:
SFV4C6_VM01_SFOS 19.0.0 GA-Build317# df -hFilesystem Size Used Available Use% Mounted onnone 640.6M 12.6M 581.3M 2% /none 2.9G 24.0K 2.9G 0% /devnone 2.9G 113.6M 2.8G 4% /tmpnone 2.9G 14.6M 2.9G 0% /dev/shm/dev/boot 127.7M 34.0M 91.0M 27% /boot/dev/mapper/mountconf 560.3M 85.6M 470.7M 15% /conf/dev/content 11.8G 498.6M 11.3G 4% /content/dev/var 3.7G 2.1G 1.6G 56% /var
After:
SFV4C6_VM01_SFOS 19.0.1 MR-1-Build350# df -hFilesystem Size Used Available Use% Mounted onnone 612.8M 1.5M 566.6M 0% /none 2.9G 32.0K 2.9G 0% /devnone 2.9G 48.4M 2.9G 2% /tmpnone 2.9G 14.6M 2.9G 0% /dev/shm/dev/boot 127.7M 34.0M 91.0M 27% /boot/dev/mapper/mountconf 560.3M 74.8M 481.5M 13% /conf/dev/content 11.8G 422.6M 11.4G 3% /content/dev/var 3.7G 2.3G 1.4G 62% /var
I can't update and experiment with main firewall in the moment. Is there any other way to increase /var?
I think and believe that this problem (NC-94291) is fixed in build 350. But it is possible to correct this problem on a "live system"? When we updated another firewall, the /var filesystem REMAIN small. I have found some info about "increasing /var size" in https://support.sophos.com/support/s/article/KB-000036775?language=en_US. It is worth trying this after update? Or do we have reinstall XG firewall again and restore config from backup?
Hi,
Are there any suggestions for this yet?We are also affected and have 5 productive instances!SFOS 19.0.1 MR-1 build350 is not available as install image and seems to be withdrawn today also as update???We need a way of repair without reinstalling!
BR Gerd
It is fixed in MR1. The Build Version does not matter. You should have access to V19.0 MR1 in your Licensing Portal. community.sophos.com/.../sophos-firewall-v19-mr1-re_2d00_release-build-365-is-now-available
Hi Lucar,
19.0.1 MR-1 is available as an update, but NOT as an installation media.But if you click on "check for updates" in a firewall today, it says "no update available". That was different yesterday!
On the other hand you answeresat not my question!The update does not fix the error with the var directory!So the question remains: How can the problem be fixed without reinstalling??
I opened a case regarding this issue (NC-94291)
This could be related to V19.0 MR1. See: https://community.sophos.com/sophos-xg-firewall/b/blog/posts/sophos-firewall-v19-mr1-re_2d00_release-build-365-is-now-available
There are two fixes:
NC-100679 & NC-94291
So you can update your current installation to V19.0 MR1 and try it. The Respin version fixed another issue, which could potentially caused this issue.
Hi Toni, thank you for quick response. I need to explain your "... try it...". You mean - after update the /var would be "expanded" after update will have finished? Or we need export-reinstall-import? Or you don´t know and mean "maybe the /var size changed after reinstall"?
As I wrote: The update does not fix the error with the var directory!
Of course I checked before I wrote that!
SFVUNL_KV01_SFOS 19.0.1 MR-1-Build365# df -hFilesystem Size Used Available Use% Mounted onnone 613.2M 1.5M 567.0M 0% /none 1.9G 24.0K 1.9G 0% /devnone 1.9G 51.7M 1.9G 3% /tmpnone 1.9G 14.6M 1.9G 1% /dev/shm/dev/boot 127.7M 34.3M 90.7M 27% /boot/dev/mapper/mountconf 560.3M 72.0M 484.3M 13% /conf/dev/content 11.8G 496.1M 11.3G 4% /content/dev/var 3.7G 1.5G 2.2G 41% /var
We are not increasing the the /var/ because there is no reason to do. But 41% is actually fine from my perspective. /var/ is rarely used.