Sophos Connect and delivery of configuration via User Portal

This is a follow up to https://community.sophos.com/sophos-xg-firewall/f/discussions/136595/new-code-injection-vulnerability-in-the-user-portal-and-webadmin-of-sophos-firewall

Can Sophos make available the ability to download SSL VPN client configurations without opening the whole User Portal? The best practice advice from Sophos is to not expose the User Portal on the WAN interface. Indeed there have been two exploited vulnerabilities in the User Portal in the last twelve months. Unfortunately we have to make the User Portal available on the WAN interface so that users can complete a new SSL VPN setup using a .pro configuration file.

We don't utilise the User Portal for anything but this. Why can't Sophos make the required SSL setup functionality available separately so that we don't have to enable the full User Portal on the WAN interface? As a small subset of the User Portal functionality it would be a lot more secure.



Edited TAGs
[edited by: emmosophos at 4:38 PM (GMT -7) on 27 Sep 2022]
  • I want to add here that Sophos will tell you that you MUST have User Portal open on WAN when you deploy with the .pro file even if you argue that it is only necessary for the first initial config download (and after all subsequent changes in VPN policy or -profile). If you close user portal, they say it is unsupported.

    But yes, there should be a better way than to do VPN deployment with the use of userportal in the background. But I think it is really a difficult task to get this done.

  • By giving a service out for the Internet, every time the service is vulnerable to attack. It does not matter, if the service is the user portal or only the SSLVPN config download page. In the end, it is a exposed service. Likely most customers use the user portal for SSLVPN. So by creating a new service, the potion of customers, using "a new service" will have the same attack vector - If you call it user portal or "sslvpn download page" - its the same. You need to verify and approve the client towards the firewall to roll out the file to the client. The attack vector is important. If the service is vulnerable, it does not matter, what kind of service it is. 

    The core problem is the way, how to role out the configuration. And this is actually already resolved differently with solutions like ZTNA. Sophos ZTNA for example is completely integrated with Central and rolls out the config via Central. No need to have the authentication and approval concept to the firewall. 

    __________________________________________________________________________________________________________________

  • you miss the point. I know any internet exposed service is vulnerable to attack (which includes the whole firewall itself, and Sophos Central BTW). The point is that the more functionality you expose the higher the risk. User Portal has a lot of functionality that isn't required for configuration delivery and if you remove that, you reduce the attack surface.

    If you look at the details of CVE-2022-3236, you will see it affects both the User Portal and the Webadmin. Webadmin doesn't deliver configuration updates as far as I know, which implies that the vulnerability was in a different part of the functionality. If this is the case, a service that just delivered configurations wouldn't have suffered from this vulnerability.

    You keep pushing ZTNA but as I have replied before, it is ridiculously expensive for small deployments and almost impossible to justify to small companies that want basic VPN functionality

  • In a way, your first point is not valid. At the time, you open a service, it can be potentially be exploited. It does not matter, if its a user portal or a small "banner". The HTTP service has to run for this to be able to deliver something. This means, it is a potential externally facing service. Do not forget: Exploits are "bugs in the software". RCE most likely mean, you can execute code without authentication. The RCE does not care, if its a user portal or just a "banner in a http page". It will execude the code. So by reducing the amount of "data stored on one page" does not potentially mean, it is "more secure" in that way. Because the user portal is secured by authentication, it means, all of the data of the user portal is protected by authentication - But the basic http is still there - no matter what service you actually use. For example: In UTM you can disable certain features in User Portal - But the User Portal is still there. So the User Portal is still external facing and a surface.

    In the end, something has to deliver the code and that is http service. If you call it user portal, webadmin or something else for SSLVPN only - It would have the same attack surface. 

    And i am not the only one pushing ZTNA. ZTNA is the most likely the future of security posture management. We should move away from the general "ZTNA = VPN" thinking and more towards the general ZT approach. You want to keep your clients connected in a secure manner even in your own network. ZTNA can do this and build a seamless integration between apps. Its not a VPN tool - Its a security tool within the thinking of how to securely map your network. You do this in your network (behind the firewall) and on the road/home office. It does replace the need of VPN by its nature but its not a replacement product of VPN, because its build to work everywhere and connect the apps to the user. 

    __________________________________________________________________________________________________________________

  • Hi ,

    We've brought your concerns up internally and our Development Team is currently in the works for a new method that would eliminate the need for the User Portal to be exposed on the WAN for SSL VPN RA use. We plan to implement this in the future release.

    Karlos
    Community Support Engineer | Sophos Technical Support

    Knowledge Base  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link.
  • That's great news , thanks for picking this up.

  • Hello LuCar Toni,

    it's really surprising how you once again ignore the request of a community forum participant that your key security product SFOS is NOT safe and functional, and on the contrary, you are again "pushing" ZTNA here without complete knowledge of the needs of JasP.

    JasP only wants a functional and safe product that Sophos sells, but so far it still only receives a very problematic product. Just like the rest of us.
    How can you know that ZTNA will benefit for JasP if you don't know his needs, network topology, if he has a data center, branches, applications in the public cloud, etc..?!? Because without all that, ZTNA is just a completely unnecessarily overpriced VPN access to a single SFOS installation!
    You are still ruthlessly forcing ZTNA, while JasP only wants your product and the related support to be functional!
    Nothing more and nothing less...

    And how YOU will JasP guarantee that the Sophos ZTNA solution will be reliable and secure, when the elementary security product of this architecture, SFOS, has such problems?!?

    Regards

    alda

  • I will not comment on your post, as this will lead to the same conversation about the same points. Feel free to reach out to your Sophos peers if you want to discuss anything further. 

    __________________________________________________________________________________________________________________

  • That would be so great. Currently we open and close userportal multiple times per day  - and that sucks.

    Time Log comp Status Username Src IP Message Message ID
    28.09.2022 13:58 GUI Successful xxx xxx Appliance Access Settings were changed by xxx 17502
    28.09.2022 09:57 GUI Successful xxx xxx Appliance Access Settings were changed by xxx 17502
    28.09.2022 09:50 GUI Successful xxx xxx Appliance Access Settings were changed by xxx 17502
    27.09.2022 17:31 GUI Successful xxx xxx Appliance Access Settings were changed by xxx 17502
    27.09.2022 14:14 GUI Successful xxx xxx Appliance Access Settings were changed by xxx 17502
    27.09.2022 09:53 GUI Successful xxx xxx Appliance Access Settings were changed by xxx 17502
    27.09.2022 09:47 GUI Successful xxx xxx Appliance Access Settings were changed by xxx 17502
    27.09.2022 08:53 GUI Successful xxx xxx Appliance Access Settings were changed by xxx 17502
    27.09.2022 08:49 GUI Successful xxx xxx Appliance Access Settings were changed by xxx 17502