
We've just released SG UTM version 9.708. As usual, the release will be rolled out in phases:

This release includes a fix for a post-authentication SQL injection vulnerability in the user portal (CVE-2021-36807). For more information on this vulnerability see this advisory. As always, we recommend that you update to this version as soon as possible.

Also included in this release is an OpenSSL update that removes support for cipher suites using the non-EC Diffie-Hellman (DH) algorithm for key exchange. These cipher suites have been considered weak for some time. Where the UTM acts as a server (e.g. WAF, SMTP), these cipher suites were already excluded by default before this update, so there should be no significant impact. Where the UTM acts as a client connecting to external SSL/TLS services running old software with limited support for more modern protocols, this could cause connection issues. For example, users connecting through the Web Proxy with HTTPS decryption enabled will no longer be able to connect to old servers that have poor support for modern ciphers.
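To estimate which upstream servers will be affected before updating, the following added example (not Sophos code) classifies the cipher suites a server offers, as listed by a TLS scan, by key-exchange method and reports which suites a client without non-EC DH support loses; the sample server lists are constructed, and the verdict assumes the remaining suites are ones the UTM client itself accepts.

```python
import re
from typing import Dict, List

# Added example: classify TLS cipher suites by key-exchange method and predict
# whether a server stays reachable once finite-field (non-EC) Diffie-Hellman
# suites are removed from the client, as in the UTM 9.708 OpenSSL update.
# Accepts IANA names (TLS_DHE_RSA_WITH_AES_128_CBC_SHA) and OpenSSL names
# (DHE-RSA-AES128-SHA).

_FFDH = {"DHE", "DH", "DH_ANON", "ADH", "EDH"}        # finite-field DH: dropped
_ECDH = {"ECDHE", "ECDH", "ECDH_ANON", "AECDH"}         # elliptic-curve DH: kept
_IANA = re.compile(r"^TLS_(ECDHE|ECDH_ANON|ECDH|DHE|DH_ANON|DH|RSA|PSK|SRP)(?:_|$)")

def key_exchange(suite: str) -> str:
    """Return 'ffdh', 'ecdh', 'tls13', 'rsa' or 'other' for one suite name."""
    s = suite.strip().upper()
    if s.startswith(("TLS_AES_", "TLS_CHACHA20_")):
        return "tls13"   # TLS 1.3: key exchange is chosen via supported_groups, not the suite
    m = _IANA.match(s)
    kx = m.group(1) if m else s.split("-")[0]   # OpenSSL style: leading token
    if kx in _FFDH:
        return "ffdh"
    if kx in _ECDH:
        return "ecdh"
    if kx == "RSA" or (not m and kx not in {"PSK", "SRP"}):
        return "rsa"     # OpenSSL names with no kx prefix (AES128-SHA) use RSA key exchange
    return "other"

def impact_report(offered: List[str]) -> Dict[str, object]:
    """Split a server's offered suites into those lost and those still usable."""
    lost = [s for s in offered if key_exchange(s) == "ffdh"]
    kept = [s for s in offered if key_exchange(s) != "ffdh"]
    # Reachable only if something other than finite-field DH remains; assumption:
    # the kept suites are also acceptable to the UTM's own TLS client.
    return {"lost": lost, "kept": kept, "reachable": bool(kept)}

# Constructed sample scans: a legacy appliance offering only DH suites (breaks
# behind HTTPS decryption after the update) and a current server (unaffected).
LEGACY_SERVER = ["TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "DHE-RSA-AES256-SHA", "ADH-AES128-SHA"]
MODERN_SERVER = ["TLS_AES_256_GCM_SHA384", "ECDHE-RSA-AES128-GCM-SHA256",
                 "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", "AES128-SHA"]

if __name__ == "__main__":
    for name, suites in (("legacy", LEGACY_SERVER), ("modern", MODERN_SERVER)):
        r = impact_report(suites)
        print(f"{name}: reachable={r['reachable']} lost={r['lost']}")
```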

AP and RED Firmware

With this release, SG UTM now supports the latest versions of firmware for Sophos wireless access points and RED/SD-RED devices. Updating your UTM will make the new firmware updates available. For more information on these important firmware updates, see these posts from the Sophos Firewall community log:

News

  • Maintenance Release
  • Security Release 

Remarks

  • System will be rebooted
  • Configuration will be upgraded

Issues Resolved

  • NUTM-12646 [Access & Identity] User E-Mail addresses won't be synced properly
  • NUTM-12873 [Access & Identity] GUI issue with selecting Inbound/Outbound ipsec debug option
  • NUTM-12904 [Access & Identity] DUO authentication fails back to AD with success
  • NUTM-12225 [Basesystem] Upgrade Apache to address numerous vulnerabilities including CVE-2020-13950, CVE-2021-26690, CVE-2021-26691, CVE-2021-34798, CVE-2021-39275, CVE-2021-40438
  • NUTM-12434 [Basesystem] Yukon, Canada region timezone set to stop using DST
  • NUTM-12507 [Basesystem] Getting error message for command 'last'
  • NUTM-12717 [Basesystem] Resolve OpenSSL issues - Remove DH cipher support - (CVE-2020-1968) & (CVE-2021-3712)
  • NUTM-12748 [Basesystem] Address underscore.js vulnerability (CVE-2021-23358)
  • NUTM-12739 [Email] E-Mails stuck in SMTP spool due to Sandstorm Scan
  • NUTM-12798 [Email] SPX doesn't work with "&" in the email local part
  • NUTM-12875 [Email] PCI compliance scan failure due to exim ciphers
  • NUTM-12932 [Email] Exim coredumps
  • NUTM-12934 [Kernel] Fully implement RFC5961 compliance for SYN packets (CVE-2004-0230)
  • NUTM-12385 [Logging] Automatic log deletion by age of log file not working correctly.
  • NUTM-11404 [Network] Sierra Wireless MC7430 Qualcomm® Snapdragon™ X7 LTE-A 4G dongle goes down after a few hours
  • NUTM-12126 [Network] If "Skip rule on interface error" is not used multipath rule doesn't work as expected
  • NUTM-12184 [Network] WAN interface switched to DHCP
  • NUTM-12519 [UI Framework] Post-auth SQLi in User Portal (CVE-2021-36807)
  • NUTM-12524 [UI Framework] Add Cache-Control header for Web Admin and User Portal
  • NUTM-13002 [UI Framework] AutoComplete Attribute Not Disabled for Password in Form-Based Authentication
  • NUTM-12680 [WAF] Unable to renew Let's Encrypt Certificate
  • NUTM-12285 [Web] Avira scan fails for certain files during upload through Webproxy
  • NUTM-11712 [Wireless] Built-in Wireless with two bridge to AP LAN errors and instability
  • NUTM-12199 [Wireless] Issue with the certificate chain for Let's Encrypt when used for hotspot
  • NUTM-12372 [Wireless] LocalWiFi : Intermittently unable to connect to the Wireless SSID
  • NUTM-12859 [Wireless] iptables rules are not created for AP being part of 'Access Point Group'

[This article was updated on 30 November 2021 to include information about AP and RED firmware updates and direct links for firmware downloads and again on 1 February 2022 to include missing information about Apache vulnerabilities fixed.]