
User Portal disabled across multiple XG firewalls by CLI user

This morning we found many of our XG firewalls had the User Portal disabled on the WAN zone, causing problems for users trying to download the VPN client while working remotely. Anyone else experience this issue? How are you providing users with the ability to download the VPN client when they are not in the office?



  • Hi,

    Which version of XG are you using?

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA


  • The problem is not specific to a firmware revision or model; different firmware versions and models were affected simultaneously.

  • Hi,

    Okay, are we talking all v17 or some v18?

    If they are all v17, does the notification at the top of the forums apply?

    Ian


  • Same here for > 20 devices with V17.x

  • Hi S248

    As a general best security practice to reduce attack surface wherever possible, Sophos recommends disabling any unused services on the WAN interface.

    Until recently, the User Portal was enabled on the WAN interface by default for XG firewall. From v17.5 MR12 and v18 MR1, the default value was changed from enabled to disabled for brand new installs. For any customer upgrading an existing deployment to these releases (or later), the current settings remained unchanged.

    In a recent hotfix, Sophos performed a one-time update to disable the User Portal on the WAN interface if it was not actively being used by customers. This determination was made on-box.

    If it has been disabled, and you actively need/use it, please enable it and it will remain enabled.

  • We're also starting to see our customers' XGs disable the User Portal for deployments that do use this. Do you know how Sophos is working this out to then apply this change?

  • Hello Parth,

    Sophos should absolutely not be dictating how things should be done by just doing it themselves and pushing out hidden hotfixes or changes which modify the functionality of our Customer firewalls without express notice. A vendor should only make recommendations and best practices on how the firewalls should be configured. If you want to take this route of modifying Customer firewalls without their or the Partner's express consent, then you need to be far more up front.

    I have 4 firewalls in the past 24 hours that have had the User Portal disabled, of which two were my own, where I use it to access my home and cloud servers via the RDP bookmarks and to get my SSL VPN configuration. Another Customer distributes SSL VPN via their User Portal. These are just the first 4 I had access to.

    What were the criteria and why was there no notification in the message center? You cannot take liberties with my Customer firewalls.

    I am now going to have to send out an email to all our Customers asking them to double check their User Portal if it needs to be accessible from the WAN and re-enable it, due to this brazen action by yourselves wherein the criteria are not obvious and were not expressly stated. This was extremely unprofessional from Sophos and the decision makers. Unfortunately, at this time, the only "official" communication is from you.

    I will be raising this as a complaint and adding any of our Customer names who wish to follow this up to it as well.

    If you wish to follow this up privately, please feel free to email me.

    Emile


  • Florentino
    Director, Global Community & Digital Support

  • Ok. But we need far more explanations on what's happening behind the scenes to first judge if that was necessary. But also, and most importantly, ascertain the risks we face if we ever enable User Portals again.

    The CVE linked posted by Sophos is actually inexistent.

    We can’t work blinded that way.

    Paul Jr

  • We're seeing 2 major issues with this hotfix.

    • User Portals are being disabled when they are in heavy use, as our student body is heavily relying on them during COVID.
    • The SSL certificate being returned now is a completely and utterly random certificate (not even installed on the Sophos), and not what is installed or selected in Administration > Device Access > Certificate.

    For one of our appliances, we are now getting back one of our vSphere certificates.

    What the hell Sophos?