
No update since September 2020? Really?

The list of CVEs concerning bugs in the linux kernel is steadily growing, but the rate of updates we're getting for the UTM is in steady decline.

I know that UTM can be considered a dying horse, but nevertheless this thing is still supported and should at least be getting security fixes. None are coming.

What do you guys think about this? Are you as nervous as I am? Or am I simply too nervous about this "well-hardened" security device getting hacked?

What firewall alternatives with a good security track record are you examining?

Regards

Alex



  • FormerMember
    0 FormerMember

    Hi ,

    Thank you for reaching out to the Community! 

    Would it be possible for you to share the CVEs that you're concerned about? I'd like to follow up internally and update you.

    Thanks,

  • Hi Harsh,

    thanks for joining in.

    I can't say much about the Linux kernel as it is - like Josef said - ancient (3.12.74-0.358283885.gbf77995.rb5-smp64). If you wouldn't mind, you could shed some light on the internal security auditing process.

    Possible kernel vulnerabilities (usable for local privilege escalation):

    CVE-2021-27365, CVE-2021-27363 and CVE-2021-27364

    Apart from the kernel, there are numerous outdated software packages in use. Some of them exposed to the internet:

    OpenSSL 1.0.2j-fips  26 Sep 2016

    CVE-2021-23841

    CVE-2021-23840

    CVE-2021-23839

    CVE-2020-1971 (this is awaiting follow-up by you in community thread https://community.sophos.com/utm-firewall/f/general-discussion/124658/openssl-null-pointer-reference-issue-cve-2020-1971)

    OpenVPN 2.3.10 i686-suse-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jun 29 2017

    Maybe I've gotten so used to updating everything all the time, that it's kind of obscure for me to not patch the firewall.

    Regards

    Alex 

  • Hi H_Patel,

    is there any update? We are really concerned about the missing security updates as well. It feels like Sophos UTM has been abandoned despite all promises that this platform is still maintained by Sophos.

  • Guys, this is a security appliance.  It's easier for the developers to patch a known version than to vet a new one.  I think they can apply many patches with pattern updates instead of releasing a new version.

    I know there's a list of CVEs and when they were addressed.  Harsh, can you get that link for us here?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • FormerMember
    0 FormerMember in reply to asc_

    Hi ,

    Here’s the update provided by the Sophos Product Team:
    “We have an internal process in place to monitor for announced vulnerabilities & evaluate whether they affect our products, including the UTM (whether a vulnerability affects a product depends not just on the version of the component used, but also how it’s used). If the announced vulnerabilities do affect the UTM, we’ll further determine the severity of the vulnerability and how much of a risk it poses to our customers. We’ll then take appropriate action including releasing updates/patches for them. Since some of the open-source components used in the UTM are customized by Sophos, we may not address the vulnerabilities by upgrading the component, but backport & apply the appropriate patches instead. This means looking at the version numbers of components used on the UTM  isn’t a good/accurate indicator of whether it’s vulnerable to specific vulnerabilities.

    For example, CVE-2020-1971 will be patched in the upcoming UTM 9.706 release, which will be released in the coming weeks.”
    Thanks,
  • FormerMember
    0 FormerMember in reply to BAlfson

    Hi ,

    I think this is the link you're looking for: 

    Thanks,

  • Are all of these 21 vulnerabilities in Exim covered by the new 9.706 release? There is no evidence in any of the latest "Issues resolved".

    https://blog.qualys.com/vulnerabilities-research/2021/05/04/21nails-multiple-vulnerabilities-in-exim-mail-server

    CVE Description Type
    CVE-2020-28007 Link attack in Exim’s log directory Local
    CVE-2020-28008 Assorted attacks in Exim’s spool directory Local
    CVE-2020-28014 Arbitrary file creation and clobbering Local
    CVE-2021-27216 Arbitrary file deletion Local
    CVE-2020-28011 Heap buffer overflow in queue_run() Local
    CVE-2020-28010 Heap out-of-bounds write in main() Local
    CVE-2020-28013 Heap buffer overflow in parse_fix_phrase() Local
    CVE-2020-28016 Heap out-of-bounds write in parse_fix_phrase() Local
    CVE-2020-28015 New-line injection into spool header file (local) Local
    CVE-2020-28012 Missing close-on-exec flag for privileged pipe Local
    CVE-2020-28009 Integer overflow in get_stdinput() Local
    CVE-2020-28017 Integer overflow in receive_add_recipient() Remote
    CVE-2020-28020 Integer overflow in receive_msg() Remote
    CVE-2020-28023 Out-of-bounds read in smtp_setup_msg() Remote
    CVE-2020-28021 New-line injection into spool header file (remote) Remote
    CVE-2020-28022 Heap out-of-bounds read and write in extract_option() Remote
    CVE-2020-28026 Line truncation and injection in spool_read_header() Remote
    CVE-2020-28019 Failure to reset function pointer after BDAT error Remote
    CVE-2020-28024 Heap buffer underflow in smtp_ungetc() Remote
    CVE-2020-28018 Use-after-free in tls-openssl.c Remote
    CVE-2020-28025 Heap out-of-bounds read in pdkim_finish_bodyhash() Remote

    bye Josef

    BERGMANN engineering & consulting GmbH, Wien/Austria

  • FormerMember
    0 FormerMember in reply to JosefBergmann

    Hi ,

    We'll update the following blog post as the new information becomes available:

    Thanks,

  • FormerMember
    0 FormerMember in reply to FormerMember

    Hi ,

    We've updated the blog post with more information:  Advisory: Multiple Vulnerabilities (AKA 21Nails) in Exim.

    Thanks,

  • JFYI: The Advisory was updated with the latest information.
