Surprised there is no 'banner' announcement of this in the community forum (I learnt about it from a third party security mailing list). I've said it before but I will say it again, I think it is a major failing of Sophos not to have a security alert mailing list.
Details here - https://www.sophos.com/en-us/security-advisories/sophos-sa-20220923-sfos-rce
How to check if your XG has been patched - https://support.sophos.com/support/s/article/KB-000044539?language=en_US
Sophos clearly have a difficulty understanding why its customers find their current position so unsatisfactory so I will explain further.
Thank you for reaching out and also for your contributions to the Community.
We have a number of communications tools that we use to keep our stakeholders informed of security incidents.
To say a web page is the primary location for notifications is ridiculous. How often do you want us to check a web page? Daily? Every hour? Every minute? The whole point of security advisories is that you want the information ASAP in realtime. Having to manually check a web page is not the way to deliver that sort of alert. The web page is fine for the details of an issue, not alerting us to new issues.
We are a Sophos partner. I have received no emails from Sophos about this.
I subscribe to your SMS alert service. I have received nothing about this and I don't believe you deliver security alerts via this mechanism anyway. Have you read the link you referenced? It's for the status of your services, not security alerts.
Sorry but this seems to be the Sophos 'way'. We, your Partners and customers, tell you that what you are doing is not satisfactory. You ignore us. How hard is it to create a mailing list? Every person and their dog seems to email me stuff I don't want.
I can confirm I have not received an SMS alert, and I also miss a big warning about it when I go to the community or the Sophos home website.
Also, there is no information on whether that hotfix has already been installed on our firewalls or not.
You could create a message here, just like you did with the exim patch:
That is not good..
Nothing on sophos support.
We are a small company but have a high security stance. We are very proactive in trying to close security vulnerabilities but the biggest single challenge is actually knowing what vulnerabilities are present in the products we use. Although internal attacks are always a possibility, clearly most attacks originate from the internet. As the border device, clearly XG vulnerabilities are one of our top concerns and as such we want to know about them as soon as Sophos do. We do not want to rely on us manually checking a web page! This should be 'push' alert, not a 'pull' alert.
This is the second time there has been a vulnerability in the User Portal recently. We follow your best practice advice of not normally having this available on the WAN interface, but there are times that we have to make it available as it is required for deploying Sophos Connect to new remote clients so that they can download the VPN configuration details after installing a .pro configuration file. This was exactly the case last week where we were deploying an XGS as a replacement for another vendor's product. We had the User Portal enabled on the WAN interface all last week so that the users could set up their new VPN software. Had we been informed of this vulnerability as soon as Sophos was aware of it, we could have removed WAN access until the patch was ready and deployed. Instead, we left it open in blissful ignorance because Sophos hadn't let us know there was a problem.
As a security vendor, your processes for informing your customers of your own vulnerabilities should be exemplary but as they stand, they are no more than basic. I shouldn't have to be explaining this to any security vendor, let alone one the size of Sophos.
For others struggling with the lack of vulnerability information, I would give a quick shout out for the CISA mailing lists, which we have found the best source of comprehensive and timely security information - https://www.cisa.gov/uscert/mailing-lists-and-feeds. It was from them that we found out about the Sophos vulnerability last Friday.
Excellently written and all true. We have the same situations that you described about the User Portal being open on WAN temporarily.
I've never understood why we have to open the whole User Portal to complete SSL VPN setup so I've started a separate thread to discuss this - https://community.sophos.com/sophos-xg-firewall/f/discussions/136622/sophos-connect-and-delivery-of-configuration-via-user-portal
Is this the hotfix file for that CVE?
2022-09-19 12:56:28Z dr_dload_checker: Starting download for file sfsysupdate_NC-100325.tar.gz.gpg
2022-09-19 12:57:28Z dr_dload_checker: Download completed for file sfsysupdate_NC-100325.tar.gz.gpg
gpg: Signature made Wed Sep 14 13:51:01 2022 CEST using RSA key ID 6A20EB0B
gpg: NOTE: trustdb not writable
gpg: Good signature from "Sophos Up2Date Server <email@example.com>"
2022-09-19 12:57:28Z dr_dload_checker: Download for file sfsysupdate_NC-100325.tar.gz.gpg passed integrity and gpg checks
Mon Sep 19 14:57:28 2022 [Hotfix]: Affected version '188.8.131.528' found
Mon Sep 19 14:57:28 2022 [Hotfix]: Backing up original files
Mon Sep 19 14:57:28 2022 [Hotfix]: Copying files
2022-09-19 12:57:44Z dr_dload_checker: Updated /conf/soa for sysupdate, version = 6.
or probably this one:
DEBUG 2022-09-21 17:57:30Z : Received name : sfsysupdate_NC-105664HF1_v5.3.tar.gz.gpg
DEBUG 2022-09-21 17:57:30Z : Received location : xg-up2date-firmwares.sophosupd.com/.../sfsysupdate_NC-105664HF1_v5.3.tar.gz.gpg
DEBUG 2022-09-21 17:57:30Z : Received version : 7
DEBUG 2022-09-21 17:57:30Z : Received size : 105752
DEBUG 2022-09-21 17:57:30Z : Received md5sum : 620948d5695b271d96ceff5091754088
DEBUG 2022-09-21 17:57:30Z : Received module : sysupdate
DEBUG 2022-09-21 17:57:30Z : Received cv : 0
DEBUG 2022-09-21 17:57:30Z : Received type : full
2022-09-21 17:58:28Z dr_dload_checker: Starting download for file sfsysupdate_NC-105664HF1_v5.3.tar.gz.gpg
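The two log excerpts above are the only on-box evidence in this thread of whether a hotfix package was fetched, signature-checked and actually applied, which is the question raised earlier about not knowing if the hotfix is installed. The following is an added example, not a Sophos tool and not code from anyone in the thread: a small Python parser over a sample reconstructed from those excerpts (line breaks added, the anonymised version line omitted) that reports each package's state. It assumes that "[Hotfix]: Copying files" lines belong to the package that most recently passed the gpg check, which the page does not state.

```python
import re

# Sample log text: reconstructed from the dr_dload_checker / gpg / [Hotfix]
# excerpts quoted in this thread (constructed sample, line breaks added).
SAMPLE_LOG = """\
2022-09-19 12:56:28Z dr_dload_checker: Starting download for file sfsysupdate_NC-100325.tar.gz.gpg
2022-09-19 12:57:28Z dr_dload_checker: Download completed for file sfsysupdate_NC-100325.tar.gz.gpg
gpg: Signature made Wed Sep 14 13:51:01 2022 CEST using RSA key ID 6A20EB0B
gpg: NOTE: trustdb not writable
gpg: Good signature from "Sophos Up2Date Server <email@example.com>"
2022-09-19 12:57:28Z dr_dload_checker: Download for file sfsysupdate_NC-100325.tar.gz.gpg passed integrity and gpg checks
Mon Sep 19 14:57:28 2022 [Hotfix]: Backing up original files
Mon Sep 19 14:57:28 2022 [Hotfix]: Copying files
2022-09-21 17:58:28Z dr_dload_checker: Starting download for file sfsysupdate_NC-105664HF1_v5.3.tar.gz.gpg
"""

# Extracts the NC-... identifier from a sfsysupdate package file name.
PKG_RE = re.compile(r"sfsysupdate_(NC-[\w.]+?)\.tar\.gz\.gpg")


def hotfix_status(log_text):
    """Return {package_id: state}, state in started/downloaded/verified/applied.

    Assumption (not stated on the page): a '[Hotfix]: Copying files' line
    refers to the package that most recently passed the gpg check.
    """
    status = {}
    good_sig = False      # 'gpg: Good signature' seen for the current download
    last_verified = None  # package whose signature gpg itself confirmed
    for line in log_text.splitlines():
        m = PKG_RE.search(line)
        pkg = m.group(1) if m else None
        if pkg and "Starting download" in line:
            status[pkg] = "started"
            good_sig = False
        elif pkg and "Download completed" in line:
            status[pkg] = "downloaded"
        elif line.startswith('gpg: Good signature from "Sophos Up2Date Server'):
            good_sig = True
        elif pkg and "passed integrity and gpg checks" in line:
            # Only count the checker's verdict if gpg reported a good signature.
            status[pkg] = "verified" if good_sig else "downloaded"
            last_verified = pkg if good_sig else None
        elif "[Hotfix]: Copying files" in line and last_verified:
            status[last_verified] = "applied"
    return status


def is_applied(log_text, package_id):
    """True only if the package reached the 'applied' state in the log."""
    return hotfix_status(log_text).get(package_id) == "applied"
```

Run against the sample, NC-100325 reports "applied" while NC-105664HF1_v5.3 stops at "started", which is exactly the gap the thread is complaining about: a download that began with no later record of it being applied.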
A useful update on all this. I was contacted by Yashraj and asked to check my SMS alerts subscription. I found that I wasn't subscribed to 'Sophos Firewall' alerts. The alerting system has changed a lot since I signed up and it is possible it wasn't even an option when I originally subscribed, confirmed by the fact that I was subscribed to Sophos UTM alerts and we haven't used that product in years. Even better, I also found that you can now also get the alerts by email, which is much more useful for me and exactly what I was asking for in this post. No idea when this was introduced but it seems from the replies in this post that nobody seems to be aware of it. Probably time to stop calling it the SMS alerting service and just call it the 'Alerting Service'!
So a big thanks to Yashraj for looking into this for me and, obviously, I would suggest others check their subscriptions and sign up for emails if they would also be useful. The direct link is https://centralstatus.sophos.com/subscription
With regards to being emailed as a Partner, I have never received any Partner emails. I have taken this up with my account manager several times but they haven't been helpful in resolving the issue. It seems to me that when we became Partners, we were never added to the Partner emailing list. As he has been so helpful and seems to have his finger on the pulse, I have asked Yashraj if there is anything he can do to resolve this or put me in touch with the team responsible for Partner mailings.
I still think there should have been a banner alert in the community forums about this.
Hi Jason, Thank you for posting the update on the thread. I've PM'd you more details about your partner mailing list issue.