New code injection vulnerability in the User Portal and Webadmin of Sophos Firewall

Hi JasP,

Thank you for reaching out and also for your contributions to the Community.

We have a number of communications tools that we use to keep our stakeholders informed of security incidents.

• As you’ve pointed out, the Security Advisories page as part of the Sophos Trust Center is the primary location to get the latest security alerts. You can also filter and sort across a variety of meta data and product lines.
• We also use the Security Advisory as a central point to link to other important resources such as relevant KB articles, related CVEs on cve.mitre.org, and other helpful documentation.
• We also email affected customers and partners directly to ensure they know what to do to ensure they are protected.
• We also offer an SMS alert service that provides an immediate text notification for important service and security advisories. Anyone can subscribe to it, and we encourage all our customers and partners to use it.

To say a web page is the primary location for notifications is ridiculous. How often do you want us to check a web page? Daily? Every hour? Every minute? The whole point of security advisories is that you want the information ASAP in realtime. Having to manually check a web page is not the way to deliver that sort of alert. The web page is fine for the details of an issue, not alerting us to new issues.

We are a Sophos partner. I have received no emails from Sophos about this.

I subscribe to your SMS alert service. I have received nothing about this and I don't believe you deliver security alerts via this mechanism anyway. Have you read the link you referenced? It's for the status of your services, not security alerts.

Sorry but this seems to be the Sophos 'way'. We, your Partners and customers, tell you that what you are doing is not satisfactory. You ignore us. How hard is it to create a mailing list? Every person and their dog seems to email me stuff I don't want.

I can confirm I have not received an SMS alert and I also miss a big warning about it when I go to the community or sophos home website.

Also there is no information if that hotfix has already been installed at our firewalls or not.

You could create a message here, just like you did with the exim patch:

That is not good..

Nothing on sophos support.

https://support.sophos.com/

Sophos clearly have a difficulty understanding why its customers find their current position so unsatisfactory so I will explain further.

We are a small company but have a high security stance. We are very proactive in trying to close security vulnerabilities but the biggest single challenge is actually knowing what vulnerabilities are present in the products we use. Although internal attacks are always a possibility, clearly most attacks originate from the internet. As the border device, clearly XG vulnerabilities are one of our top concerns and as such we want to know about them as soon as Sophos do. We do not want to rely on us manually checking a web page! This should be 'push' alert, not a 'pull' alert.

This is the second time there has been a vulnerability in the User Portal recently. We follow your best practice advice of not normally having this available on the WAN interface but there are times that we have to make it available as it is required for deploying Sophos Connect to new remote clients so that they can download the VPN configuration details after installing a .pro configuration file. This was exactly the case last week where we were deploying an XGS as a replacement for another vendors product. We had the User Portal enabled on the WAN interface all last week so that the users could setup their new VPN software. Had we been informed of this vulnerability as soon as Sophos was aware of it, we could have removed WAN access until the patch was ready and deployed. Instead, we left it open in blissful ignorance because Sophos hadn't let us know there was a problem.

As a security vendor, your processes for informing your customers of your own vulnerabilities should be exemplary but as they stand, they are no more than basic. I shouldn't have to be explaining this to any security vendor, let alone one the size of Sophos.

For others struggling with the lack of vulnerability information, I would give a quick shout out for the CISA mailing lists, which we have found the best source of comprehensive and timely security information - https://www.cisa.gov/uscert/mailing-lists-and-feeds. It was from them that we found out about the Sophos vulnerability last Friday.

excellently written and all true. we have the same situations that you described about userportal open on WAN temporarily.

I've never understood why we have to open the whole User Portal to complete SSL VPN setup so I've started a separate thread to discuss this - https://community.sophos.com/sophos-xg-firewall/f/discussions/136622/sophos-connect-and-delivery-of-configuration-via-user-portal

Is this the hotfix file for that CVE?

2022-09-19 12:56:28Z dr_dload_checker: Starting download for file sfsysupdate_NC-100325.tar.gz.gpg
2022-09-19 12:57:28Z dr_dload_checker: Download completed for file sfsysupdate_NC-100325.tar.gz.gpg
gpg: Signature made Wed Sep 14 13:51:01 2022 CEST using RSA key ID 6A20EB0B
gpg: NOTE: trustdb not writable
gpg: Good signature from "Sophos Up2Date Server <updates@sophos.com>"
2022-09-19 12:57:28Z dr_dload_checker: Download for file sfsysupdate_NC-100325.tar.gz.gpg passed integrity and gpg checks
Mon Sep 19 14:57:28 2022 [Hotfix]: Affected version '18.5.4.418' found
Mon Sep 19 14:57:28 2022 [Hotfix]: Backing up original files
Mon Sep 19 14:57:28 2022 [Hotfix]: Copying files
2022-09-19 12:57:44Z dr_dload_checker: Updated /conf/soa for sysupdate, version = 6.

or probably this one:

EBUG     2022-09-21 17:57:30Z [19431]: Received name : sfsysupdate_NC-105664HF1_v5.3.tar.gz.gpg
DEBUG     2022-09-21 17:57:30Z [19431]: Received location : xg-up2date-firmwares.sophosupd.com/.../sfsysupdate_NC-105664HF1_v5.3.tar.gz.gpg
DEBUG     2022-09-21 17:57:30Z [19431]: Received version : 7
DEBUG     2022-09-21 17:57:30Z [19431]: Received size : 105752
DEBUG     2022-09-21 17:57:30Z [19431]: Received md5sum : 620948d5695b271d96ceff5091754088
DEBUG     2022-09-21 17:57:30Z [19431]: Received module : sysupdate
DEBUG     2022-09-21 17:57:30Z [19431]: Received cv : 0
DEBUG     2022-09-21 17:57:30Z [19431]: Received type : full
2022-09-21 17:58:28Z dr_dload_checker: Starting download for file sfsysupdate_NC-105664HF1_v5.3.tar.gz.gpg

A useful update on all this. I was contacted by Yashraj S and asked to check my SMS alerts subscription. I found that I wasn't subscribed to 'Sophos Firewall' alerts. The alerting system has changed a lot since I signed up and it is possible it wasn't even an option when I originally subscribed, confirmed by the fact that I was subscribed to Sophos UTM alerts and we haven't used that product in years. Even better, I also found that you can now also get the alerts by email, which is much more useful for me and exactly what I was asking for in this post. No idea when this was introduced but it seems from the replies in this post that nobody seems to be aware of it. Probably time to stop calling it the SMS alerting service and just call it the 'Alerting Service'!

So a big thanks to Yashraj S for looking into this for me and, obviously, I would suggest others check their subscriptions and sign up for emails if they would also be useful. The direct link is https://centralstatus.sophos.com/subscription

With regards to being emailed as a Partner, I have never received any Partner emails. I have taken this up with my account manager several times but they haven't been helpful in resolving the issue. It seems to me that when we became Partners, we were never added to the Partner emailing list. As he has been so helpful and seems to have his finger on the pulse, I have asked Yashraj Sif there is anything he can do to resolve this or put me in touch with the team responsible for Partner mailings.

I still think there should have been a banner alert in the community forums about this.

Hi Jason, 

Thank you for posting the update on the thread. I've PM'd you more details about your partner mailing list issue. 

may be just by chance but we notice a lot more users need to refresh their VPN config already stored in connect client.

as our userportal is usually closed, they call us so we make user portal accessible on WAN zone.

we deploy connect client with the .pro file and they have been connected before - config already on the machine.

it's for sure not all users but I would say 200% more calls than the weeks before the hotfix was installed