Sophos UTM VPN TunnelCrack vulnerability

I have also already asked Sophos and created a support ticket for this.
Please create a ticket as well.

Hello IT-Admin007 

Good day and thanks for reaching out to Sophos Community. 

Could you share with us your caseID so we can also check back on our end. 

Hi DamoL ,

I may recommend you to log a support ticket to have this further investigated and please feel free to share with us the caseID once you have it so we can track progress on our side.

Many thanks for your time and patience and thank you for choosing Sophos. 

Cheers,

For me it seems this is a problem/vulnerabilitiy completely on client side - the routing is changed on client side so that the client don´t use the VPN anymore and instead send traffic directly. I don´t think this problem is directly related to Firewall/Sophos...

regards

Accurate.  However, Sophos now provides their own VPN client, so they are going to most likely be vulnerable potentially in that sense.

Case Number: 06906552

Hi Team, 

Many thanks for taking the time to share these caseIDs, we'll be tracking progress of these on our end. 

Cheers,

I now have a child case 06921669 in which Sophos UTM9 will be covered, while the parent case 06906552 will cover Sophos XG & Sophos Connect products

Thanks for taking the time to share it on the thread. 

Cheers,

So I have a reply to case 06921669 (just UTM):

-----------

Hi Damien,

here is the detailed analysis .

 

For UTM Site-to-site VPN client, while it’s not affected by the LocalIP Attacks, the ServerIP Attach could be an issue. With existing UTM configuration options, however, it can be remedied entirely when this is a concern.

LocalNet Attacks

As UTM is connected with physical Ethernet connections, there is no way for an adversary to add/modify UTM's internal routes as TunnelCrack paper suggested. It is possible to wire UTM to a wireless point. In this case, even if an adversary may be able to trick clients on the WIFI connection, it's within the WIFI, which should be addressed there, but UTM's routes will still not be affected.

ServerIP Attacks

It is unlikely that a UTM environment could be disrupted with a direct connection to the site-to-site VPN server. If this is the case, the UTM network is already in trouble. However, if it is possible for an adversary to spoof the DNS response to the client side of a UTM with a different IP address for the server UTM's URL, then the issue could be observed. In this case, the client UTM will send tunnel traffic including connection requests to a bad IP address. The good news is that there are two options within UTM that can be used to remedy this problem by avoiding client UTM to reply on DNS for server UTM's IP address.

1. On the server UTM side, add the server UTM’s IP in "Override hostname" option when creating a site-to-site SSL connection, as shown below. With this setting, the connection file downloaded for the client will contain the server UTM's IP address instead of its URL so that the client doesn't need to contact DNS for the record. (Note: this setting will affect both Remote Access and Site-to-site VPN connections).

2. On the client UTM side, add a new Network Definition for the server UTM’s URL with server’s IP address. Now, the client UTM will use this to get the server's IP address instead of querying DNS.




Thanks,
Bhagyesh Patel

--------------

I think these comments may also apply to SophosFirewallOS for site to site VPNs.

So now just waiting on the Sophos Connect clients impact.