New code injection vulnerability in the User Portal and Webadmin of Sophos Firewall

Surprised there is no 'banner' announcement of this in the community forum (I learnt about it from a third party security mailing list). I've said it before but I will say it again, I think it is a major failing of Sophos not to have a security alert mailing list.

Details here - https://www.sophos.com/en-us/security-advisories/sophos-sa-20220923-sfos-rce

How to check if your XG has been patched - https://support.sophos.com/support/s/article/KB-000044539?language=en_US



Added TAGs
[edited by: emmosophos at 9:53 PM (GMT -7) on 23 Sep 2022]
Parents
  • Hi JasP,

    Thank you for reaching out and also for your contributions to the Community.

    We have a number of communications tools that we use to keep our stakeholders informed of security incidents.

    • As you’ve pointed out, the Security Advisories page as part of the Sophos Trust Center is the primary location to get the latest security alerts. You can also filter and sort across a variety of meta data and product lines.
    • We also use the Security Advisory as a central point to link to other important resources such as relevant KB articles, related CVEs on cve.mitre.org, and other helpful documentation.
    • We also email affected customers and partners directly to ensure they know what to do to ensure they are protected.
    • We also offer an SMS alert service that provides an immediate text notification for important service and security advisories. Anyone can subscribe to it, and we encourage all our customers and partners to use it.
  • Sophos clearly have a difficulty understanding why its customers find their current position so unsatisfactory so I will explain further.

    We are a small company but have a high security stance. We are very proactive in trying to close security vulnerabilities but the biggest single challenge is actually knowing what vulnerabilities are present in the products we use. Although internal attacks are always a possibility, clearly most attacks originate from the internet. As the border device, clearly XG vulnerabilities are one of our top concerns and as such we want to know about them as soon as Sophos do. We do not want to rely on us manually checking a web page! This should be 'push' alert, not a 'pull' alert.

    This is the second time there has been a vulnerability in the User Portal recently. We follow your best practice advice of not normally having this available on the WAN interface but there are times that we have to make it available as it is required for deploying Sophos Connect to new remote clients so that they can download the VPN configuration details after installing a .pro configuration file. This was exactly the case last week where we were deploying an XGS as a replacement for another vendors product. We had the User Portal enabled on the WAN interface all last week so that the users could setup their new VPN software. Had we been informed of this vulnerability as soon as Sophos was aware of it, we could have removed WAN access until the patch was ready and deployed. Instead, we left it open in blissful ignorance because Sophos hadn't let us know there was a problem.

    As a security vendor, your processes for informing your customers of your own vulnerabilities should be exemplary but as they stand, they are no more than basic. I shouldn't have to be explaining this to any security vendor, let alone one the size of Sophos.

    For others struggling with the lack of vulnerability information, I would give a quick shout out for the CISA mailing lists, which we have found the best source of comprehensive and timely security information - https://www.cisa.gov/uscert/mailing-lists-and-feeds. It was from them that we found out about the Sophos vulnerability last Friday.

  • excellently written and all true. we have the same situations that you described about userportal open on WAN temporarily.

Reply Children
  • I've never understood why we have to open the whole User Portal to complete SSL VPN setup so I've started a separate thread to discuss this - https://community.sophos.com/sophos-xg-firewall/f/discussions/136622/sophos-connect-and-delivery-of-configuration-via-user-portal

  • Is this the hotfix file for that CVE?

    2022-09-19 12:56:28Z dr_dload_checker: Starting download for file sfsysupdate_NC-100325.tar.gz.gpg
    2022-09-19 12:57:28Z dr_dload_checker: Download completed for file sfsysupdate_NC-100325.tar.gz.gpg
    gpg: Signature made Wed Sep 14 13:51:01 2022 CEST using RSA key ID 6A20EB0B
    gpg: NOTE: trustdb not writable
    gpg: Good signature from "Sophos Up2Date Server <updates@sophos.com>"
    2022-09-19 12:57:28Z dr_dload_checker: Download for file sfsysupdate_NC-100325.tar.gz.gpg passed integrity and gpg checks
    Mon Sep 19 14:57:28 2022 [Hotfix]: Affected version '18.5.4.418' found
    Mon Sep 19 14:57:28 2022 [Hotfix]: Backing up original files
    Mon Sep 19 14:57:28 2022 [Hotfix]: Copying files
    2022-09-19 12:57:44Z dr_dload_checker: Updated /conf/soa for sysupdate, version = 6.

    or probably this one:

    EBUG     2022-09-21 17:57:30Z [19431]: Received name : sfsysupdate_NC-105664HF1_v5.3.tar.gz.gpg
    DEBUG     2022-09-21 17:57:30Z [19431]: Received location : xg-up2date-firmwares.sophosupd.com/.../sfsysupdate_NC-105664HF1_v5.3.tar.gz.gpg
    DEBUG     2022-09-21 17:57:30Z [19431]: Received version : 7
    DEBUG     2022-09-21 17:57:30Z [19431]: Received size : 105752
    DEBUG     2022-09-21 17:57:30Z [19431]: Received md5sum : 620948d5695b271d96ceff5091754088
    DEBUG     2022-09-21 17:57:30Z [19431]: Received module : sysupdate
    DEBUG     2022-09-21 17:57:30Z [19431]: Received cv : 0
    DEBUG     2022-09-21 17:57:30Z [19431]: Received type : full
    2022-09-21 17:58:28Z dr_dload_checker: Starting download for file sfsysupdate_NC-105664HF1_v5.3.tar.gz.gpg