6/27/2019 Update - See the bottom section for new information
Sophos UTM 9 is running a (modified?) Linux kernel which is currently susceptible to a slew of CVEs disclosed by Netflix: https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
Another outline of this issue can be read here: https://access.redhat.com/security/vulnerabilities/tcpsack
To confirm that your version of the UTM is vulnerable, please do the following:
I am currently on hold with the Technical team, waiting to determine if we will be allowed to turn SACK off.
Steps for mitigation
Sophos has sent out an email regarding this situation and the products affected. Their link to the new knowledgebase article contains details about steps you can take to mitigate these vulnerabilities until the next release.
In our situation, we went ahead and disabled MTU Probing altogether. Monitoring has shown no drop in performance, and our users have not noticed any decrease in bandwidth.
The steps they lay out for this are:
# 1. Disable TCP MTU probing; the setting is persisted in sysctl.conf and takes effect after "sysctl -p" or a reboot
echo "net.ipv4.tcp_mtu_probing = 0" >> /etc/sysctl.conf

# 2. In the iptables filter table, add this rule directly after the chain line ":USR_OUTPUT - [0:0]"
-A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP
We have not implemented the other options. Consider your own situation and services before choosing what to disable.
Note: If you wish to make these changes, you must enable SSH via the web manager and log in to the console.
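The two edits above are easy to get wrong by hand: the bare "echo >>" appends a duplicate line every time it is run, and the iptables rule has to land after the right chain line. The script below is an added example, not from the Sophos knowledgebase article or from anyone in this thread; it applies both changes idempotently and gives you a verify function you can re-run later (useful because an Up2Date can remove the lines again). The default paths /etc/sysctl.conf and /var/mdw/etc/iptables/iptable.filter are the ones named in the thread; both can be overridden by argument so the functions can be exercised against copies first.

```shell
#!/bin/sh
# Added example: idempotent application and verification of the two
# SACK/low-MSS mitigations discussed in the thread. Not Sophos code.
# Assumed paths (from the thread, override by argument):
#   /etc/sysctl.conf and /var/mdw/etc/iptables/iptable.filter

SYSCTL_LINE='net.ipv4.tcp_mtu_probing = 0'
CHAIN_LINE=':USR_OUTPUT - [0:0]'
MSS_RULE='-A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP'

# Set tcp_mtu_probing = 0 exactly once: rewrite an existing
# tcp_mtu_probing line, otherwise append. Takes effect after
# "sysctl -p" or a reboot.
apply_sysctl() {
    f="${1:-/etc/sysctl.conf}"
    if grep -q '^net\.ipv4\.tcp_mtu_probing' "$f" 2>/dev/null; then
        tmp="$f.tmp.$$"
        awk -v line="$SYSCTL_LINE" \
            '/^net\.ipv4\.tcp_mtu_probing/ { print line; next } { print }' \
            "$f" > "$tmp" && mv "$tmp" "$f"
    else
        printf '%s\n' "$SYSCTL_LINE" >> "$f"
    fi
}

# Insert the low-MSS DROP rule directly after the :USR_OUTPUT chain
# declaration, once. Refuses to touch a file that has no such chain line
# (wrong file, or a UTM release with a different layout).
apply_mss_rule() {
    f="${1:-/var/mdw/etc/iptables/iptable.filter}"
    if grep -qF -- "$MSS_RULE" "$f" 2>/dev/null; then
        return 0
    fi
    grep -qF -- "$CHAIN_LINE" "$f" 2>/dev/null || {
        echo "no '$CHAIN_LINE' line in $f, not editing" >&2
        return 1
    }
    tmp="$f.tmp.$$"
    awk -v chain="$CHAIN_LINE" -v rule="$MSS_RULE" '
        { print }
        $0 == chain && !done { print rule; done = 1 }
    ' "$f" > "$tmp" && mv "$tmp" "$f"
}

# Returns 0 only when the sysctl line is present and the MSS rule sits
# after the chain line. Re-run this after every Up2Date.
verify_mitigation() {
    s="${1:-/etc/sysctl.conf}"
    f="${2:-/var/mdw/etc/iptables/iptable.filter}"
    grep -qF -- "$SYSCTL_LINE" "$s" 2>/dev/null || {
        echo "sysctl line missing in $s"
        return 1
    }
    rule_no=$(grep -nF -- "$MSS_RULE" "$f" 2>/dev/null | head -n 1 | cut -d: -f1)
    chain_no=$(grep -nF -- "$CHAIN_LINE" "$f" 2>/dev/null | head -n 1 | cut -d: -f1)
    if [ -z "$rule_no" ] || [ -z "$chain_no" ] || [ "$rule_no" -le "$chain_no" ]; then
        echo "MSS rule missing or misplaced in $f"
        return 1
    fi
    echo "mitigation present in $s and $f"
}
```

Run it as root over SSH on the UTM: `apply_sysctl; apply_mss_rule; verify_mitigation`. The MSS rule is only parsed when the filter table is reloaded, so after editing iptable.filter follow whatever reload or reboot the Sophos advisory prescribes; the verify function checks the on-disk configuration, not the live ruleset.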
Thank you for reaching out to share this with our Community!
Yes, our team is actively investigating and there should be more information available to provide tomorrow. Please stay tuned.
Thank you for raising the question!
Any new information since "tomorrow"? ;)
Yes, please have a look at Sophos Advisory: TCP SACK PANIC kernel vulnerability
My apologies for the delayed response!
Yes, we created this thread to provide more information:
I tried to add this command but it is not working. Can anyone assist me step by step? I'm new to this command.
Add the following line to /var/mdw/etc/iptables/iptable.filter after the (:USR_OUTPUT - [0:0]) line, which is line 29 for UTM v9.603:
(:USR_OUTPUT - [0:0])
Hi Muhammad and welcome to the UTM Community!
You need to use an editor. Look up the commands for the Linux vi editor and then, as root, enter the following at the command line:
Cheers - Bob
Thanks for letting us know, Toni.
If the mitigation in the first post here, limiting MSS size, was done, should any of that be undone after upgrading to 9.604?
UPDATE a few minutes later: After the Up2Date is applied, the lines added to sysctl.conf and iptable.filter are gone, so the answer to my question is apparently "no."
The Up2Date seems to have hung 33 seconds in:
UPDATE a few minutes later: Apparently it completed successfully????
sys-9.603-9.604-1.2.1.tgz (Jul 11 15:31)