Advisory (Update): Do not install the current Sophos UTM/XG upgrade (v9.703, v18 MR1)!
The update fixes many bugs and, in part, security vulnerabilities, so in itself it is important and correct [1].
BUT: it is essential to prevent the update from being started.
After installation, a great many users find that all network connections are cut, external and internal alike. Direct administrative access is therefore blocked as well; only console access remains.
The update thus causes massive problems, and the system can become practically unusable. In the worst case it has to be completely reinstalled; keep your most recent backup at hand for this.
Sophos has since blocked or withdrawn the updates, but because of caching and Up2Date scheduling the packages may already be held locally on the appliance and could start the upgrade unintentionally.
[Temporarily Unavailable] UTM Up2Date 9.703 Released
Important Note
The Sophos UTM v9.703 release has been temporarily pulled.
Sophos has received reports from a subset of Sophos UTM v9.703 systems, where the update has caused issues with GUI access and traffic passing through the firewall. Sophos is actively working to resolve this issue with revised firmware. Please stay tuned for more information.
[Temporarily Unavailable] XG Firewall v18 MR1
Important Note
The XG Firewall v18 MR1 release has been temporarily pulled.
Sophos has received reports from a subset of XG Firewall v18 MR1 systems, where the update has caused issues with traffic passing through the Firewall. Sophos strongly advises that users roll back to v18.0 GA-Build354 while our development teams work to resolve this.
What should you do?
If you have already carried out the upgrade, essentially only the following recommendations remain; UTM and XG differ slightly here:
Boot the previous firmware version (XG), or (UTM) have the package already in the cache removed, among other means by a pattern update, or delete it manually so that the system does not still update to this version by accident; until Sophos has re-released the build, also make sure automatic firmware installation is switched off in the Up2Date configuration. In the case of massive problems, only a complete reset with reinstallation from the latest backup will help. With problems on UTM v9.703 this is, unfortunately, practically always the case.
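As an added illustration of the manual cache check on UTM (example script written for this page, not part of the advisory and not Sophos tooling): it assumes that downloaded firmware packages are cached on the appliance under /var/up2date/sys and follow the naming u2d-sys-<from>-<to>.tgz.gpg seen in the re-release notice, so that the pulled 9.703-2 build would carry the target string 703002. Both the path and that target string are assumptions; compare them with the actual file names on your appliance before removing anything. The demo at the end runs on a constructed temporary directory, not on a live UTM.

```shell
#!/bin/sh
# Added example (not Sophos code): find and remove a pulled Up2Date firmware
# package from the local cache so a scheduled installation cannot pick it up.
# Assumptions: the cache directory is /var/up2date/sys and packages are named
# u2d-sys-<from>-<to>.tgz.gpg; the pulled 9.703-2 build is taken to be <to>=703002.

PULLED_BUILD=${PULLED_BUILD:-703002}

# Print the file names in directory $1 whose target build equals $2.
list_pulled_packages() {
    dir=$1
    target=$2
    for path in "$dir"/u2d-sys-*.tgz.gpg; do
        [ -e "$path" ] || continue            # no match: the glob stayed literal
        name=${path##*/}
        ver=${name#u2d-sys-}                  # e.g. 9.702001-703002.tgz.gpg
        ver=${ver%.tgz.gpg}                   # e.g. 9.702001-703002
        to=${ver##*-}                         # e.g. 703002
        if [ "$to" = "$target" ]; then
            printf '%s\n' "$name"
        fi
    done
    return 0
}

# Remove the packages list_pulled_packages reports; print how many were removed.
purge_pulled_packages() {
    dir=$1
    target=$2
    count=0
    for name in $(list_pulled_packages "$dir" "$target"); do
        if rm -f -- "$dir/$name"; then
            count=$((count + 1))
        fi
    done
    echo "$count"
    return 0
}

# Demo on a constructed cache directory so the script is safe to run as-is.
# On a real UTM, list first, review the output, then purge /var/up2date/sys.
demo() {
    tmp=$(mktemp -d)
    touch "$tmp/u2d-sys-9.701001-702001.tgz.gpg" \
          "$tmp/u2d-sys-9.702001-703002.tgz.gpg"
    echo "pulled packages in $tmp:"
    list_pulled_packages "$tmp" "$PULLED_BUILD"
    echo "removed: $(purge_pulled_packages "$tmp" "$PULLED_BUILD")"
    echo "remaining:"
    ls "$tmp"
    rm -rf -- "$tmp"
}

demo
```

The listing step is deliberately separate from the purge so the file names can be checked against the Up2Date log before anything is deleted; a package for the corrected 9.703-3 build (target 703003) is left untouched.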
Officially: Sophos has now responded with the following recommendations:
Advisory: Sophos UTM – Traffic not passing after upgrading to v9.703
Advisory: Sophos XG Firewall – Traffic not passing after upgrading to v18 MR1
These confirm that affected systems have problems with access to the WebAdmin GUI and with traffic passing through the firewall.
Sophos is currently investigating and working to fix the issue. UTM v9.703 and XG v18 MR1 have been removed from the Up2Date servers until further notice.
In the meantime, Sophos will release a pattern update to remove v9.703 from all UTMs that have already downloaded it via the Up2Date servers.
Sophos further strongly recommends that users roll back to XG 18.0 GA-Build354.
Support
TO will support you in implementing the necessary measures.
Contact your usual contact person or call +49 711 88770-410.
We will be glad to advise you on the next steps.
Note for customers of our Managed Services:
The service contacts have already been informed separately about the specific measures.
[Update 23.04.2020] – Re-release of UTM v9.703 available
Sophos has corrected and re-released the UTM v9.703 update. None of the problems described above have occurred since.
The code change for "NUTM-11173 [Basesystem] IPsec doesn't re-connect on DHCP interface after firmware upgrade" is reverted and a new version of UTM 9.703 is available at our download server.
There are two update packages available:
- One for customers, who are still on UTM 9.702 (u2d-sys-9.702001-703003.tgz.gpg) and
- One for customers, who have already updated to 9.703-2 (u2d-sys-9.703002-703003.tgz.gpg).
Both updates will be available via our Up2Date server later.
Sources:
https://community.sophos.com/products/xg-firewall/b/blog/posts/xg-firewall-v18-mr1-is-now-available
https://community.sophos.com/kb/en-us/135383
https://community.sophos.com/kb/en-us/135378
[1]
UTM v9.703
Issues Resolved
- NUTM-9381 [Access & Identity] WebAdmin user getting an error while browsing 'Sophos Transparent Authentication Status' tab
- NUTM-11258 [Access & Identity] [SAA] Wrong version of SAA displayed in Windows with MSI installer
- NUTM-11578 [Access & Identity] Patch strongSwan (CVE-2019-10155)
- NUTM-11589 [Access & Identity] [SAA] Add TLS 1.2 support for Windows client
- NUTM-11590 [Access & Identity] [SAA] Add TLS 1.2 support for macOS client
- NUTM-11675 [Access & Identity] Patch PPTP and L2TP pppd (CVE-2020-8597)
- NUTM-11109 [Basesystem] Status lights blinking green constantly on SG 1xx and XG 1xx series
- NUTM-11173 [Basesystem] IPsec doesn’t re-connect on DHCP interface after firmware upgrade
- NUTM-11255 [Basesystem] Fix "Internet IPv6" binding in case of multiple IPv6 uplinks
- NUTM-11417 [Basesystem] SG115rev3 HA eth3 interface flapping after update to 9.7
- NUTM-11645 [Basesystem] Patch libxml2 (CVE-2019-19956, CVE-2020-7595)
- NUTM-11561 [Configuration Management] Unable to load certificate list in WebAdmin when large number of certificates present
- NUTM-10803 [Email] S/MIME signed mails have an invalid signature if 3rd party CA is used
- NUTM-11240 [Email] Recipient verification fails due to incomplete LDAP search query
- NUTM-11662 [Email] Bad request for release mails out of the quarantine report after update to 9.7 MR1
- NUTM-11485 [Kernel] Patch Linux Kernel (CVE-2019-18198)
- NUTM-11288 [Localization] AWS Current Stack link is incorrect
- NUTM-11081 [Network] Up-link balancing not clearing conntracks when interface goes down
- NUTM-11218 [Network] ulogd restarting/core-dumps
- NUTM-11614 [Network] Increase GARP buffer
- NUTM-11676 [Network] Patch pppd (CVE-2020-8597)
- NUTM-11573 [RED] RED interface doesn’t obtain IP after UTM reboot
- NUTM-11467 [RED_Firmware] RED15w WPA/WPA2 enterprise cannot connect
- NUTM-11822 [RED_Firmware] RED15 firmware update might fail if flash has bad blocks
- NUTM-11378 [Reporting] Top5 Malware won’t be displayed in Executive Reports if those are sent as PDF
- NUTM-11220 [Sandstorm] When opening Sandstorm activity which contains Korean characters for example, you get this error "cannot decode string with wide characters at encode.pm line 174"
- NUTM-10202 [UI Framework] [SAA] Live user table doesn’t scale with very long names
- NUTM-11084 [UI Framework] Webadmin Information popup not visible
- NUTM-11191 [UI Framework] Can’t download certificate in WebAdmin when name contains apostrophe
- NUTM-11584 [UI Framework] Replace FTP Up2Date download link in WebAdmin with HTTPS
- NUTM-11598 [UI Framework] Internal Server Error alert thrown with initial Webadmin request after installation
- NUTM-11725 [UI Framework] Update prototype
- NUTM-11130 [Web] Add configuration for savi_scan_timeout
- NUTM-11346 [Web] Warn page proceed fails due to missing parameters
- NUTM-10269 [Wireless] SSID stops broadcasting
- NUTM-11581 [Wireless] User with "Wireless Protection Manager" rights is unable to change wireless settings if mesh is configured
XG v18 MR1
Enhancements
- Supports new SD-RED 20 and SD-RED 60 devices.
- XG Firewall web console now shows granular reasons for firmware upload failure
- Plus, more than 45 issues resolved in this release (see the Issues Resolved section below)
- With the tremendous need for VPN connectivity in this challenging time, we have put together some important information here for you to achieve your networking needs:
- To configure VPN Remote Access on your Sophos XG Firewall. Check out this useful Community post!
- To substitute XG for RED devices via Light-Touch deployment from Sophos Central. Check out this useful Community post!
Issues Resolved
- NC-30903 [Authentication] STAS configuration is editable via GUI on AUX machine
- NC-50703 [Authentication] Access server restarted with coredump using STAS and Chrome SSO
- NC-50716 [Authentication] Cannot import LDAP server via XMLAPI if client cert is "None"
- NC-54689 [Authentication] Support download certificate for iOS 13 and above
- NC-55277 [Authentication] Service „Chromebook SSO“ is missing on Zone page
- NC-51660 [Backup-Restore] Restore failed using a backup of XG135 on SG230 appliance
- NC-55015 [Bridge] Wifi zone is not displayed while creating bridge
- NC-55356 [Bridge] TCP connection fails for VLAN on bridge with HA Active-Active when source_client IP address is odd
- NC-52616 [Certificates] Add support for uploading of CRLs in DER format
- NC-55739 [Certificates] EC certificate shows up as "RSA" in SSLx CA cert dropdowns
- NC-55305 [CM (Zero Touch)] System doesn't restart on changing time zone while configured through ZeroTouch
- NC-55617 [CM (Zero Touch)] Getting wrong error message in log viewer after ZeroTouch process
- NC-55909 [Core Utils] Unable to see application object page on SFM
- NC-30452 [CSC] Dynamic interface addresses not showing on Aux after failover
- NC-54233 [CSC] EpollWorker coredump
- NC-55386 [Dynamic Routing (PIM)] PIM-SM import fails with LAG as dependent entity
- NC-55625 [Dynamic Routing (PIM)] In HA with multicast interface, routes are not getting updated in the Aux routing table
- NC-55461 [Email] After adding/edit FQDN host with smarthost, it is not displayed on the list until refresh the page
- NC-58898 [Email] Potential RCE through heap overflow in awarrensmtp (CVE-2020-11503)
- NC-55635 [Firewall] Display filter for forwarded is not working properly on packet capture page
- NC-55657 [Firewall] HA backup restore fails when port name is different in backup and appliance
- NC-55884 [Firewall] IPS policy id and appfilter id not displaying in firewall allow log in logviewer
- NC-55943 [Firewall] Failed to resume existing connection after removal of heartbeat from firewall configuration
- NC-57084 [Firewall] Custom DMZ not listed in dedicated link HA configuration
- NC-44938 [Firmware Management, UX] Web UI does not surface reasons for firmware upload failure
- NC-55756 [Gateway Management] Gateway isn’t deleted from SFM UI after deleting it from SFM
- NC-55552 [HA] WWAN interface showing in HA monitoring ports
- NC-55281 [Import-Export Framework] Full configuration import fails when using third party certificate for webadmin setting
- NC-55171 [Interface Management] VLAN Interface IP is not assigned via DHCP when gateway name uses some special characters
- NC-55442 [Interface Management] DNS name lookup showing incorrect message
- NC-55462 [Interface Management] Import fails on configuring Alias over VLAN
- NC-55659 [Interface Management] Invalid gateway IP and network IP configured using API for IPv6
- NC-56733 [Interface Management] Patch PPPd (CVE-2020-8597)
- NC-51776 [IPS Engine] Edit IPS custom rule protocol doesn’t work after creation
- NC-51558 [IPsec] Add warning message before deleting xfrm ipsec tunnel
- NC-55309 [Logging] Local acl rule not created through log viewer for IPv4 and IPv6
- NC-50413 [Logging Framework] Gateway up event log for PPPoE interface not always shown in logviewer
- NC-55346 [Logging Framework] Clear All for "Content filtering" does not clear SSL/TLS filter option
- NC-56831 [Policy Routing] SIP traffic sometimes not working with SDWAN policy route
- NC-46009 [SecurityHeartbeat] Spontaneous reconnects of many endpoints
- NC-51562 [SecurityHeartbeat] Heartbeat service not started after HA failover
- NC-52225 [Synchronized App Control] SAC page loading issues as the list of apps increases
- NC-54078 [UI Framework] Internet Explorer UI issue on certain rules and policies pages
- NC-56821 [Up2Date Client] SSL VPN downloading with the 0KB
- NC-54007 [Web] File type block messages sometimes contain mimetype rather than file type