No update since September 2020? Really?

The list of CVEs concerning bugs in the linux kernel is steadily growing, but the rate of updates we're getting for the UTM is in steady decline.

I know that UTM can be considered a dying horse, but nevertheless this thing is still supported and should at least be getting security fixes. None are coming.

What do you guys think about this? Are you as nervous as I am? Or am I simply too nervous about this "well-hardened" security device getting hacked?

What firewall alternatives with a good security track record are you examining?

Regards

Alex

Top Replies

  • Hi Alex,

    I'm also wondering about the absence of any security fixes for half a year. I assume it is because the new CVEs did not match the ancient kernel (3.12.74), strongswan (4.4.1) ... so they would have to check the new vulnerabilities themselves and probably back-port any fixes, which is costly.

    We install/maintain now more Fo*****es and examine OPNsense. The XG is no alternative for us (for different reasons I posted in the last years in the XG forum).

    bye Josef

    Firewall consultant since 1995
    Astaro consultant since 2001
    Sophos partner since 2012
    BERGMANN engineering & consulting GmbH, Wien/Austria

  • Hi ,

    Thank you for reaching out to the Community!

    Would it be possible for you to share the CVEs that you're concerned about? I'd like to follow up internally and update you.

    Thanks,

    Harsh Patel (H_Patel)

    Community Support Engineer | Sophos Technical Support
    Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' button.

  • March 2 2020 a private equity firm completed its acquisition of Sophos. I'd expect the trend of fewer updates, worsening support (though I'm not sure that is possible), and more upselling to continue.

  • Hi Harsh,

    thanks for joining in.

    I can't say much about the Linux kernel as it is - like Josef said - ancient (3.12.74-0.358283885.gbf77995.rb5-smp64). If you wouldn't mind, could you shed some light on the internal security auditing process?

    Possible kernel vulnerabilities (usable for local privilege escalation):

    CVE-2021-27365, CVE-2021-27363 and CVE-2021-27364

    Apart from the kernel, there are numerous outdated software packages in use. Some of them exposed to the internet:

    OpenSSL 1.0.2j-fips  26 Sep 2016

    CVE-2021-23841

    CVE-2021-23840

    CVE-2021-23839

    CVE-2020-1971 (this is awaiting follow-up by you in community thread https://community.sophos.com/utm-firewall/f/general-discussion/124658/openssl-null-pointer-reference-issue-cve-2020-1971)

    OpenVPN 2.3.10 i686-suse-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jun 29 2017

    Maybe I've gotten so used to updating everything all the time that it feels strange to me not to patch the firewall.

    Regards

    Alex 

  • Hi H_Patel,

    Is there any update? We are really concerned about the missing security updates as well. It feels like Sophos UTM has been abandoned, despite all promises that this platform is still maintained by Sophos.

    The only surprise here is that you are surprised. Sophos made it clear many years ago that XG Firewall was their future. The synchronized protection is a great marketing story, while UTM's architecture is so unique, and so poorly documented, that a new admin learns the architecture by accident after making a configuration error.

    Over the last few years, we have seen disastrous UTM development mistakes: everything between 9.408 and 9.506, and I so distrusted all of 9.6x that I went from 9.508 to 9.703. Be glad that you have a pretty solid release now.

    The development problems have left me wondering if an all-in-one box is inherently too complex to sustain reliably. Certainly, UTM's features are not equally appealing. Web Filtering is a gem, and its best feature. Site-to-Site VPN is inadequate without IKEv2. HTML VPN seems to remain exactly the way it was obtained from Astaro. 2-Factor authentication is useful, but is hindered because it has no server functions, so it can only authenticate other UTM functions. Email filtering is simply insufficient on many grounds, and the future of email filtering is in the cloud, not in appliances. After many false starts, Sophos Email Security in the cloud appears to be a competent offering.

    We have gotten several good years out of UTM, and I expect we will hang onto it for quite a while more. But my next solution architecture will probably be multiple specialized platforms instead of one box which tries to do it all, inconsistently.

    Guys, this is a security appliance. It's easier for the developers to patch a known version than to vet a new one. I think they can apply many patches with pattern updates instead of releasing a new version.

    I know there's a list of CVEs and when they were addressed.  Harsh, can you get that link for us here?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA

  • Hi ,

    Here’s the update provided by the Sophos Product Team:
    “We have an internal process in place to monitor for announced vulnerabilities & evaluate whether they affect our products, including the UTM (whether a vulnerability affects a product depends not just on the version of the component used, but also how it’s used). If the announced vulnerabilities do affect the UTM, we’ll further determine the severity of the vulnerability and how much of a risk it poses to our customers. We’ll then take appropriate action including releasing updates/patches for them. Since some of the open-source components used in the UTM are customized by Sophos, we may not address the vulnerabilities by upgrading the component, but backport & apply the appropriate patches instead. This means looking at the version numbers of components used on the UTM  isn’t a good/accurate indicator of whether it’s vulnerable to specific vulnerabilities.

    For example, CVE-2020-1971 will be patched in the upcoming UTM 9.706 release, which will be released in the coming weeks.”

    Thanks,
    Harsh Patel (H_Patel)

    Community Support Engineer | Sophos Technical Support
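The Product Team's point above, that a component's version string alone does not tell you whether a backported fix is present, can be turned into a triage rule. The following is an added example (not code from the thread or from Sophos): it parses the OpenSSL banner Alex quoted, compares it against upstream fixed-in releases, and only then consults a vendor backport record before flagging anything. The fixed-in versions and the backport record are constructed for illustration; verify them against the real advisories before use.

```python
import re

# OpenSSL banner as quoted in the thread (an 'openssl version' style string).
OPENSSL_BANNER = "OpenSSL 1.0.2j-fips  26 Sep 2016"

# Upstream 1.0.2 release that first carried each fix. Constructed table for
# this example; confirm against the OpenSSL advisories before relying on it.
UPSTREAM_FIXED_IN = {
    "CVE-2020-1971": "1.0.2x",
    "CVE-2021-23840": "1.0.2y",
    "CVE-2021-23841": "1.0.2y",
}

# Hypothetical vendor backport record: CVEs the appliance vendor states it
# patched without bumping the component version (constructed).
VENDOR_BACKPORTS = {"CVE-2020-1971"}

_VER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Return (major, minor, patch, letter) from an OpenSSL version banner."""
    m = _VER_RE.match(banner)
    if not m:
        raise ValueError(f"unrecognised banner: {banner!r}")
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), letter)


def version_key(v):
    # OpenSSL 1.0.2 patch letters order as '' < 'a' < ... < 'z' < 'za' < 'zb';
    # comparing by length first reproduces that ordering.
    return (v[0], v[1], v[2], len(v[3]), v[3])


def assess(banner, fixed_in=UPSTREAM_FIXED_IN, backports=VENDOR_BACKPORTS):
    """Classify each CVE for the installed version.

    'patched-upstream'   : installed release already contains the upstream fix
    'vendor-backport'    : release looks old, but the vendor record says patched
    'verify-with-vendor' : release looks old and no backport is recorded
    """
    installed = version_key(parse_openssl_version(banner))
    result = {}
    for cve, fixed in fixed_in.items():
        fixed_key = version_key(parse_openssl_version("OpenSSL " + fixed))
        if installed >= fixed_key:
            result[cve] = "patched-upstream"
        elif cve in backports:
            result[cve] = "vendor-backport"
        else:
            result[cve] = "verify-with-vendor"
    return result
```

A "verify-with-vendor" result is a question for the vendor's advisory page, not a finding on its own.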

  • Hi ,

    I think this is the link you're looking for:

    Thanks,

    Harsh Patel (H_Patel)

    Community Support Engineer | Sophos Technical Support