New code injection vulnerability in the User Portal and Webadmin of Sophos Firewall

Surprised there is no 'banner' announcement of this in the community forum (I learnt about it from a third party security mailing list). I've said it before but I will say it again, I think it is a major failing of Sophos not to have a security alert mailing list.

Details here - https://www.sophos.com/en-us/security-advisories/sophos-sa-20220923-sfos-rce

How to check if your XG has been patched - https://support.sophos.com/support/s/article/KB-000044539?language=en_US

[edited by: emmosophos at 9:53 PM (GMT -7) on 23 Sep 2022]
  • Hi JasP,

    Thank you for reaching out and also for your contributions to the Community.

    We have a number of communications tools that we use to keep our stakeholders informed of security incidents.

    • As you’ve pointed out, the Security Advisories page as part of the Sophos Trust Center is the primary location to get the latest security alerts. You can also filter and sort across a variety of metadata and product lines.
    • We also use the Security Advisory as a central point to link to other important resources such as relevant KB articles, related CVEs on cve.mitre.org, and other helpful documentation.
    • We also email affected customers and partners directly to ensure they know what to do to ensure they are protected.
    • We also offer an SMS alert service that provides an immediate text notification for important service and security advisories. Anyone can subscribe to it, and we encourage all our customers and partners to use it.
  • Sophos clearly have difficulty understanding why its customers find their current position so unsatisfactory, so I will explain further.

    We are a small company but have a high security stance. We are very proactive in trying to close security vulnerabilities, but the biggest single challenge is actually knowing what vulnerabilities are present in the products we use. Although internal attacks are always a possibility, clearly most attacks originate from the internet. As the border device, clearly XG vulnerabilities are one of our top concerns, and as such we want to know about them as soon as Sophos do. We do not want to rely on us manually checking a web page! This should be a 'push' alert, not a 'pull' alert.

    This is the second time there has been a vulnerability in the User Portal recently. We follow your best practice advice of not normally having this available on the WAN interface, but there are times that we have to make it available, as it is required for deploying Sophos Connect to new remote clients so that they can download the VPN configuration details after installing a .pro configuration file. This was exactly the case last week, where we were deploying an XGS as a replacement for another vendor's product. We had the User Portal enabled on the WAN interface all last week so that the users could set up their new VPN software. Had we been informed of this vulnerability as soon as Sophos was aware of it, we could have removed WAN access until the patch was ready and deployed. Instead, we left it open in blissful ignorance because Sophos hadn't let us know there was a problem.

    As a security vendor, your processes for informing your customers of your own vulnerabilities should be exemplary but as they stand, they are no more than basic. I shouldn't have to be explaining this to any security vendor, let alone one the size of Sophos.

    For others struggling with the lack of vulnerability information, I would give a quick shout out for the CISA mailing lists, which we have found the best source of comprehensive and timely security information - https://www.cisa.gov/uscert/mailing-lists-and-feeds. It was from them that we found out about the Sophos vulnerability last Friday.
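The thread above turns on 'push' versus 'pull' notification: the advisory page exists, but somebody has to look at it. Until a vendor mailing list exists, the usual workaround is to turn the pull into your own push by polling the vendor's advisory feed from a scheduled job and alerting only on entries you have not seen before that mention products you run. The script below is an added example written for this page; it is not code from Sophos, from the forum posters, or from the CISA feeds mentioned. It assumes the feed is ordinary RSS 2.0 or Atom (the feed URL, the state file name `seen_advisories.json` and the product keywords are all assumptions you would replace), and it runs offline against a constructed sample feed whose first item is shaped like the advisory this thread is about. Wire the `print` at the end into whatever actually reaches you (mail, SMS, chat webhook); the point is that the check runs on a timer, not on you remembering to open a web page.

```python
"""Poll a vendor security-advisory feed and raise only new, relevant entries.

Added example for this discussion, not vendor code. Feed format, state file
name and product keywords are assumptions; replace them for your environment.
"""
import json
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Iterable

ATOM = "{http://www.w3.org/2005/Atom}"

# Constructed sample feed (RSS 2.0). The first item reuses the title and URL
# from this thread; the second is a made-up, unrelated advisory.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel>
<title>Vendor security advisories (constructed sample)</title>
<item>
  <title>Code injection vulnerability in the User Portal and Webadmin of Sophos Firewall</title>
  <link>https://www.sophos.com/en-us/security-advisories/sophos-sa-20220923-sfos-rce</link>
  <guid>sophos-sa-20220923-sfos-rce</guid>
  <pubDate>Fri, 23 Sep 2022 00:00:00 GMT</pubDate>
</item>
<item>
  <title>Placeholder advisory for an unrelated product</title>
  <link>https://vendor.example/advisories/example-sa-0001</link>
  <guid>example-sa-0001</guid>
  <pubDate>Mon, 01 Aug 2022 00:00:00 GMT</pubDate>
</item>
</channel></rss>
"""

# Constructed Atom sample, to show the second format the parser accepts.
SAMPLE_ATOM = """<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom">
  <title>Vendor advisories (constructed Atom sample)</title>
  <entry>
    <id>example-sa-0002</id>
    <title>Authentication bypass in Example Firewall admin interface</title>
    <link href="https://vendor.example/advisories/example-sa-0002"/>
    <updated>2022-09-20T00:00:00Z</updated>
  </entry>
</feed>
"""


def parse_feed(xml_text: str) -> list[dict]:
    """Return entries from an RSS 2.0 or Atom document as dicts.

    The feed is untrusted input. The stdlib expat parser does not fetch
    external entities; for a long-running production poller you would still
    prefer defusedxml to shut down entity-expansion tricks entirely.
    """
    root = ET.fromstring(xml_text)
    entries = []
    if root.tag == "rss":
        for item in root.iter("item"):
            entries.append({
                "id": (item.findtext("guid") or item.findtext("link") or "").strip(),
                "title": (item.findtext("title") or "").strip(),
                "link": (item.findtext("link") or "").strip(),
                "published": (item.findtext("pubDate") or "").strip(),
            })
    elif root.tag == ATOM + "feed":
        for entry in root.iter(ATOM + "entry"):
            link_el = entry.find(ATOM + "link")
            entries.append({
                "id": (entry.findtext(ATOM + "id") or "").strip(),
                "title": (entry.findtext(ATOM + "title") or "").strip(),
                "link": link_el.get("href", "") if link_el is not None else "",
                "published": (entry.findtext(ATOM + "updated") or "").strip(),
            })
    else:
        raise ValueError(f"unrecognised feed root element: {root.tag}")
    return entries


def relevant(entry: dict, keywords: Iterable[str]) -> bool:
    """Case-insensitive match of any product keyword against the title."""
    title = entry["title"].lower()
    return any(k.lower() in title for k in keywords)


def new_relevant_entries(entries: list[dict], seen_ids: set[str],
                         keywords: Iterable[str]) -> list[dict]:
    """Entries not yet recorded in seen_ids whose title names a product we run."""
    return [e for e in entries if e["id"] not in seen_ids and relevant(e, keywords)]


def load_seen(path: Path) -> set[str]:
    """Advisory IDs already alerted on; an empty set on first run."""
    return set(json.loads(path.read_text())) if path.exists() else set()


def save_seen(path: Path, seen: set[str]) -> None:
    path.write_text(json.dumps(sorted(seen)))


if __name__ == "__main__":
    import sys
    import urllib.request

    state = Path("seen_advisories.json")  # assumed state file name
    if len(sys.argv) > 1:  # real feed URL passed on the command line
        with urllib.request.urlopen(sys.argv[1], timeout=30) as resp:
            feed_text = resp.read().decode("utf-8", "replace")
    else:  # offline demo against the constructed sample
        feed_text = SAMPLE_FEED
    seen = load_seen(state)
    entries = parse_feed(feed_text)
    fresh = new_relevant_entries(entries, seen, ["firewall", "user portal", "webadmin"])
    for e in fresh:  # replace with mail/SMS/webhook delivery in practice
        print(f"NEW ADVISORY {e['id']}: {e['title']} {e['link']} ({e['published']})")
    # Record every entry seen, relevant or not, so irrelevant ones are never re-read.
    save_seen(state, seen | {e["id"] for e in entries})
```

Run it from cron or a systemd timer with the real feed URL as the argument. Keep the keyword list narrow enough that the alert stays actionable (a firewall admin does not want every endpoint advisory), and keep the state file outside the polling script's working copy so a redeploy does not replay old alerts.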
