This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

No update since September 2020? Really?

The list of CVEs concerning bugs in the linux kernel is steadily growing, but the rate of updates we're getting for the UTM is in steady decline.

I know that UTM can be considered a dying horse, but nevertheless this thing is still supported and should at least be getting security fixes. None are coming.

What do you guys think about this? Are you as nervous as I am? Or am I simply too nervous about this "well-hardened" security device getting hacked?

What firewall alternatives with a good security track record are you examining?

Regards

Alex

This thread was automatically locked due to age.

Top Replies

FormerMember over 3 years ago in reply to BAlfson +3 suggested

Hi BAlfson , I think this is the link you're looking for: https://lists.astaro.com/ASGV9-IPS-rules.html#221 Thanks,

Parents

0 FormerMember over 3 years ago

Hi asc_,

Thank you for reaching out to the Community!

Would it be possible for you to share the CVEs that you're concerned about? I'd like to followup internally and update you.

Thanks,
Cancel
Vote Up 0 Vote Down

Cancel
0 asc_ over 3 years ago in reply to FormerMember

Hi Harsh,

thanks for joining in.

I can't say much about the Linux kernel as it is - like Josef said - ancient (3.12.74-0.358283885.gbf77995.rb5-smp64). If you'd mind you could shed some light into the internal security auditing process.

Possible kernel vulnerabilities (usable for local privilege escalation):

CVE-2021-27365, CVE-2021-27363 and CVE-2021-27364

Apart from the kernel, there are numerous outdated software packages in use. Some of them exposed to the internet:

OpenSSL 1.0.2j-fips 26 Sep 2016

CVE-2021-23841

CVE-2021-23840

CVE-2021-23839

CVE-2020-1971 (this is awaiting follow-up by you in community thread https://community.sophos.com/utm-firewall/f/general-discussion/124658/openssl-null-pointer-reference-issue-cve-2020-1971)

OpenVPN 2.3.10 i686-suse-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jun 29 2017

Maybe I've gotten so used to updating everything all the time, that it's kind of obscure for me to not patch the firewall.

Regards

Alex
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 asc_ over 3 years ago in reply to FormerMember

Hi Harsh,

thanks for joining in.

I can't say much about the Linux kernel as it is - like Josef said - ancient (3.12.74-0.358283885.gbf77995.rb5-smp64). If you'd mind you could shed some light into the internal security auditing process.

Possible kernel vulnerabilities (usable for local privilege escalation):

CVE-2021-27365, CVE-2021-27363 and CVE-2021-27364

Apart from the kernel, there are numerous outdated software packages in use. Some of them exposed to the internet:

OpenSSL 1.0.2j-fips 26 Sep 2016

CVE-2021-23841

CVE-2021-23840

CVE-2021-23839

CVE-2020-1971 (this is awaiting follow-up by you in community thread https://community.sophos.com/utm-firewall/f/general-discussion/124658/openssl-null-pointer-reference-issue-cve-2020-1971)

OpenVPN 2.3.10 i686-suse-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Jun 29 2017

Maybe I've gotten so used to updating everything all the time, that it's kind of obscure for me to not patch the firewall.

Regards

Alex
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 FormerMember over 3 years ago in reply to asc_

Hi asc_,

Here’s the update provided by the Sophos Product Team:

“We have an internal process in place to monitor for announced vulnerabilities & evaluate whether they affect our products, including the UTM (whether a vulnerability affects a product depends not just on the version of the component used, but also how it’s used). If the announced vulnerabilities do affect the UTM, we’ll further determine the severity of the vulnerability and how much of a risk it poses to our customers. We’ll then take appropriate action including releasing updates/patches for them. Since some of the open-source components used in the UTM are customized by Sophos, we may not address the vulnerabilities by upgrading the component, but backport & apply the appropriate patches instead. This means looking at the version numbers of components used on the UTM isn’t a good/accurate indicator of whether it’s vulnerable to specific vulnerabilities.

For example, CVE-2020-1971 will be patched in the upcoming UTM 9.706 release, which will be released in the coming weeks.”

Thanks,
Cancel
Vote Up +2 Vote Down

Cancel