Sophos Security Advisory for Sophos Central Server: Message Relay

Sophos uses Apache in its Message Relay feature, so when vulnerabilities are reported in certain Apache modules we receive requests about exposure. This article details which Apache modules the Message Relay feature uses.

Applies to the following Sophos product(s) and version(s)

Central Server Message Relay 1.0.13

Apache Modules used by Message Relay:

  • mod_access_compat
  • mod_authz_core
  • mod_env
  • mod_log_config
  • mod_logio
  • mod_proxy
  • mod_proxy_connect
  • mod_unique_id

Our custom modules:

  • mod_proxy_connect_v2
  • mod_message_relay

Known Issues

The Message Relay feature (Message Relay v1.2.5.0) currently uses Apache 2.4.37; this version of Apache has the following issues:

  • CVE-2018-17189 : mod_http2
  • CVE-2018-17199 : mod_session_cookie
  • CVE-2019-0190 : mod_ssl
  • CVE-2019-0196 : mod_http2
  • CVE-2019-0197 : mod_http2
  • CVE-2019-0211 : Unix only
  • CVE-2019-0215 : mod_ssl
  • CVE-2019-0217 : mod_auth_digest
  • CVE-2019-0220 : core

Sophos Message Relay does use modules affected by the CVE-2019-0220 vulnerability; however, as changes are only possible via Sophos Central and the Message Relay config files are tamper-protected, we mitigate the risk. We are planning to upgrade to Apache v2.4.39, which addresses all of the above vulnerabilities. We will update this article with release dates once we have them.
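The exposure reasoning above (the reported CVEs compared against the modules a build actually loads) as a script. This is an added example, not Sophos code: the CVE-to-component map is the advisory's list for Apache 2.4.37, the `httpd -M` output is a constructed sample that loads exactly the Message Relay module set, and because the advisory does not state the host platform, CVE-2019-0211 is reported as platform-dependent unless the caller says otherwise.

```python
"""Added example (not Sophos code): which of the reported Apache CVEs reach a
build, given the modules it actually loads. The CVE-to-component map is the
advisory's list for Apache 2.4.37; the httpd -M output is a constructed sample."""
import re

# CVE -> affected component, as listed in the advisory. "core" affects every
# build regardless of modules; "unix" marks a platform-specific issue.
ADVISORY_CVES = {
    "CVE-2018-17189": "mod_http2",
    "CVE-2018-17199": "mod_session_cookie",
    "CVE-2019-0190": "mod_ssl",
    "CVE-2019-0196": "mod_http2",
    "CVE-2019-0197": "mod_http2",
    "CVE-2019-0211": "unix",
    "CVE-2019-0215": "mod_ssl",
    "CVE-2019-0217": "mod_auth_digest",
    "CVE-2019-0220": "core",
}

# Constructed `httpd -M` output loading exactly the Message Relay module set.
SAMPLE_HTTPD_M = """Loaded Modules:
 core_module (static)
 so_module (static)
 access_compat_module (shared)
 authz_core_module (shared)
 env_module (shared)
 log_config_module (shared)
 logio_module (shared)
 proxy_module (shared)
 proxy_connect_module (shared)
 unique_id_module (shared)
 proxy_connect_v2_module (shared)
 message_relay_module (shared)
"""

_MODULE_LINE = re.compile(r"^\s*(\w+)_module\s+\((static|shared)\)\s*$")


def loaded_modules(httpd_m_output):
    """Map `httpd -M` lines such as ' http2_module (shared)' to names like 'mod_http2'."""
    mods = set()
    for line in httpd_m_output.splitlines():
        m = _MODULE_LINE.match(line)
        if m:
            name = m.group(1)
            mods.add("core" if name == "core" else "mod_" + name)
    return mods


def classify(cves, mods, platform_is_unix=None):
    """Split CVEs into (applicable, platform_dependent, not_reachable), each sorted.

    A CVE applies when its component is loaded or is 'core'. A 'unix' CVE applies
    only on Unix; with the platform unknown (None) it is reported separately so
    it is not silently dropped.
    """
    applicable, platform_dependent, not_reachable = [], [], []
    for cve, component in cves.items():
        if component == "core" or component in mods:
            applicable.append(cve)
        elif component == "unix":
            if platform_is_unix is None:
                platform_dependent.append(cve)
            elif platform_is_unix:
                applicable.append(cve)
            else:
                not_reachable.append(cve)
        else:
            not_reachable.append(cve)
    return sorted(applicable), sorted(platform_dependent), sorted(not_reachable)


if __name__ == "__main__":
    hit, maybe, miss = classify(ADVISORY_CVES, loaded_modules(SAMPLE_HTTPD_M))
    print("applicable:", hit)          # only CVE-2019-0220 (core), as the advisory states
    print("platform-dependent:", maybe)
    print("module not loaded:", miss)
```

Run it against the real `httpd -M` output of a build to repeat the check after the planned upgrade or any module change.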

If you’ve spotted an error or would like to provide feedback on this article, please use the section below to rate and comment on the article.

This is invaluable to us to ensure that we continually strive to give our customers the best information possible.

[BLUE][ESG][Central][MacOS] – Higher than usual CPU usage by SophosScanD and SophosEventMonitor

In version 9.9.0 of Central Mac Endpoint, we introduced a change to our caching in order to improve performance after updates. We have had some reports, and found some indications, that some systems are seeing increased SophosScanD and SophosEventMonitor CPU usage, which results in reduced battery life or slow performance.

These systems have typically been laptops running on battery (reduced battery life) and Macs with non-solid-state disks (slow performance).

Update June 21, 2019:

Central Mac Endpoint version 9.9.2 is rolling out from June 25-July 9. It contains changes which include reverting the caching to the 9.8.3 version and an improvement to SophosEventMonitor.

Applies to the following Sophos product(s) and version(s)

Sophos Cloud Managed Endpoint 9.9.0 (Mac)

Higher CPU usage by SophosScanD and SophosEventMonitor, resulting in reduced battery life and poor performance on spinning hard disk machines.

Fixed in version 9.9.2, releasing between June 25 and July 9, 2019.

Our software will update automatically when this is available. If you need a workaround ahead of these dates, please contact Sophos Support.

This article will be updated when information becomes available.

Resolved – Advisory: Sophos XG Firewall – Exim Remote Code Execution vulnerability

Sophos is aware of a vulnerability in the 3rd party component Exim that is used in Sophos XG Firewall. This vulnerability only applies if a customer has enabled email protection and recipient verification is disabled. This article describes the recommended steps to secure the XG Firewall if customers are using the email protection functionality.

Applies to the following Sophos products and versions

Sophos XG Firewall version 17.5.5.433, 17.5.3.372, 17.5.4.429, 17.5.0.321 and 17.5.3.347.

CVE-2019-10149: Exim RCE described here.

The following XG Firewall versions are impacted if email protection is used and Recipient verification is not turned on.

  • SF 17.5.5.433
  • SF 17.5.3.372
  • SF 17.5.4.429
  • SF 17.5.0.321
  • SF 17.5.3.347

To verify your Firewall firmware and build versions, use the following console command:

system diagnostics show version-info

To mitigate the Exim Remote Code Execution (RCE) vulnerability, XG administrators can harden the XG Firewall configuration. Log in to the XG webadmin console and do the following for each active SMTP policy:

  • Enable Recipient verification, using either the callout method or Active Directory lookup, whichever applies to your internal domain.

A hotfix has been released and pushed to all affected XG Firewalls.

To validate that your XG Firewall has received the hotfix, run the following console command:

system diagnostics show version-info

The Hot Fix version should be 7.

Note: Other Sophos email protection products, such as Sophos Email Appliance and Sophos UTM, are not affected by this vulnerability. Sophos Email Appliance uses Postfix. Sophos UTM also uses Exim, but its version is different and is not affected by CVE-2019-10149.

Sign up to the Sophos Support SMS Notification Service to get the latest product release information and critical issues.

Sophos Anti-Virus for Linux and for UNIX: Communication with Sophos Update Server uses HTTPS by default

This article advises that Sophos Anti-Virus (SAV) for Linux and for UNIX uses HTTPS (HTTP over TLS) to communicate with the online Sophos Update Servers.

Applies to the following Sophos products and versions

SAV for Linux 10.4.0

SAV for Linux 10.4.1

SAV for Unix 9.15.0

SAV for Unix 9.15.1

From versions 10.4 and 9.14.2 of SAV for Linux, SAV uses HTTPS (HTTP over TLS) for communicating with the configured Update Server. This also applies to Enterprise Managed and standalone installations of SAV for Linux and SAV for UNIX where updates are configured to use the Sophos online Update location.

If an HTTPS connection cannot be established within a 10 minute timeout, SAV automatically falls back to an HTTP connection.

Advisory: Sophos Central Maintenance scheduled for Saturday June 22nd, 2019

Sophos Central Engineering will be performing routine maintenance to Sophos Central on Saturday June 22nd, 2019 starting at 13:00 (UTC). Expected time to complete maintenance is five hours.

  • There will be no disruption to protected endpoints during this time period.
  • This KBA and the Sophos StatusCast page will show the maintenance status as in progress once it has started, and then as completed.

Applies to the following Sophos products and versions

Sophos Central Enterprise Dashboard

Sophos Central Partner

Sophos Central Admin

Customers will see a banner in their Central Admin Dashboard indicating that maintenance is occurring; it will be displayed throughout the maintenance period.

While we do not anticipate any interruption or degradation of service during the maintenance update, in some instances a customer may experience the following:

  • You may be automatically logged out of the Central portal.
  • New endpoint installations may take longer to complete.
  • You may experience temporary latency within the Central UI portals.
  • You may experience a delay in policy rendering.

Should the above occur, please try again shortly, or once the Central maintenance has completed.

Upon the conclusion of the maintenance, the maintenance banner within the UI will be removed and the “What’s New” section in Sophos Central will be updated accordingly.

Sign up for the Sophos Support SMS Notification Service to get the latest product release information and critical issues.

Central Admin – Some customers have reported performance issues within the People and Devices sections

Update June 18th – Update date changed from TBD to this Saturday the 22nd

  • The update that occurred during the week of June 3rd – resolved the performance issue when searching and opening devices/people.
  • An update scheduled on June 22nd will help to improve initial page loading for People/Devices for customers with large amounts of devices/users. Expectation = ~5 seconds per 10k items (note this does not include network time, this is the UI display time after the data is received). Currently we are seeing the initial load taking longer than expected.
  • A second update is scheduled for July 28th which is expected to bring further performance improvements overall with the bulk People and User pages.

Original alert:

Sophos is currently investigating reports from some customers experiencing slow performance within the ‘People/Users’ and ‘Devices/Computers’ sections of the Sophos Central Dashboard.

The reported performance issues affect certain actions, such as searching for and opening users/devices, which for some customers take ~5 to 10 seconds or more within the following sections:

  • Main Overview pages:
    • People = https://cloud.sophos.com/manage/bulk-users
    • Devices = https://cloud.sophos.com/manage/bulk-computers
  • This will also include the People/Device/Computer pages that also reside within other Sophos Central Product sections, such as Endpoint/Server/Encryption/etc.

Applies to the following Sophos product(s) and version(s)

Sophos Central Admin

Some Sophos customers may experience slower than expected performance while trying to work (search/open) within People and Device sections within Sophos Central.

If you are impacted by this performance issue, there are no actions that need to be taken. We will continue to update this article with any new information related to the resolution of this issue.

  • Note: If you are experiencing this issue and it is significantly worse than the 5 to 10 second per-action delay, please raise a support case with our Technical Support team referencing this article so that further investigation can be performed.

If you are experiencing a different issue that is not related to the Users or Devices pages, please raise a support case to our Technical Support team for assistance/investigation.

This article will be updated when more information becomes available.

Advisory: Security update for users of Web Application Firewall (WAF) in Sophos XG Firewall

A cross-site scripting (XSS) vulnerability within the WAF component of the Sophos XG Firewall operating system (SFOS) has been discovered.

An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program. The vulnerability could be used for unauthenticated remote code execution. Our investigations have found no evidence of the vulnerability being exploited.

Applies to the following Sophos products and versions

Sophos Firewall

For customers running SFOS version 16 and above that use the default setting of automatic updates, the security update will be automatically installed, and there is no action required.

Customers who have changed their default settings will need to apply the update manually.

Customers who do not have the WAF turned on are not vulnerable but will proactively receive the security update.

Remediation

SFOS version                                          Security update distributed
Version 16.01 and above, Version 17 (all releases)    December 29, 2017
Version 15 (all releases)                             Upgrade to current SFOS version

  • What products are affected?
    • Firewall and UTM appliances running SFOS (could be running Sophos or Cyberoam hardware)
  • Which product versions are affected?
    • All versions of SFOS
  • Exception
    • Sophos UTM customers who are not running SFOS
    • Cyberoam customers who are not running SFOS

Updated Advisory: Sophos Central Maintenance previously scheduled for Saturday June 15th, 2019 has been postponed

6/14/19 update: The scheduled maintenance referenced in this article has been postponed and will not take place this Saturday. We will update this Article when this maintenance has been rescheduled.

Original advisory:

Sophos Central Engineering will be performing routine maintenance to Sophos Central on Saturday June 15th, 2019 starting at 13:00 (UTC). Expected time to complete maintenance is five hours.

  • There will be no disruption to protected endpoints during this time period.
  • This KBA and the Sophos StatusCast page will show the maintenance status as in progress once it has started, and then as completed.

Applies to the following Sophos products and versions

Sophos Central Enterprise Dashboard

Sophos Central Partner

Sophos Central Admin

Customers will see a banner in their Central Admin Dashboard indicating that maintenance is occurring; it will be displayed throughout the maintenance period.

While we do not anticipate any interruption or degradation of service during the maintenance update, in some instances a customer may experience the following:

  • You may be automatically logged out of the Central portal.
  • New endpoint installations may take longer to complete.
  • You may experience temporary latency within the Central UI portals.
  • You may experience a delay in policy rendering.

Should the above occur, please try again shortly, or once the Central maintenance has completed.

Upon the conclusion of the maintenance, the maintenance banner within the UI will be removed and the “What’s New” section in Sophos Central will be updated accordingly.

Sign up for the Sophos Support SMS Notification Service to get the latest product release information and critical issues.

Advisory: Sophos Central – MFA option disabled after changes were made to a login and synced via the Central AD-Sync utility.

Note: This was fixed in a May 22nd release, but we understand that it may still be occurring.

Sophos is investigating an issue between the Central Admin AD sync utility and MFA-enabled Central Administrators (e.g. Read only, Helpdesk, Admin, or Super Admin).

Some customers are reporting that after changes are made to a Central login that has Central Multi-Factor Authentication (MFA) enabled (either within Central itself or within Active Directory), the MFA requirement for login is incorrectly disabled. When this happens, users are asked only for their Central login password.

Some of the changes to login records that may trigger this issue after re-syncing via the Central AD sync utility include:

  • Adding, or removing user from groups (AD)
  • Adding, or removing email aliases (AD)
  • Changing email, or login info (AD)
  • Changing name (AD)
  • Editing logins (Central)

Applies to the following Sophos product(s) and version(s)

Sophos Central Admin

  • Affects Central Admin customers that use the MFA login option AND use the Central AD sync utility AND have made a change to that user's record within either Active Directory or the Central Dashboard.
    • Affected Central logins that previously had MFA enabled will be able to log in with just their Central login password.
  • There are no errors or other indication when this issue occurs. An administrator will only notice that they are no longer asked to enter MFA when logging into Sophos Central.
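A model of the failure mode described above, added here as an example and not Sophos Central's own code: a directory sync that rewrites a login record and silently drops a Central-side MFA flag, beside a merge that preserves it, and the reconciliation check an administrator would run after each sync because the product itself gives no indication. The record shapes, field names and data are constructed assumptions; the advisory does not state the root cause.

```python
"""Added example, not Sophos Central code: a model of the failure mode in this
advisory (a directory sync rewriting a login record and silently dropping a
Central-side MFA flag) beside a merge that preserves it, plus the reconciliation
check an admin wants because the product gives no indication. Record shapes and
field names are assumptions; the data is constructed."""
from copy import deepcopy

# Constructed Central login records. "mfa_enabled" is set in Central, not in AD.
CENTRAL_LOGINS = {
    "alice@example.com": {"name": "Alice A", "role": "Super Admin", "mfa_enabled": True},
    "bob@example.com":   {"name": "Bob B",   "role": "Helpdesk",    "mfa_enabled": True},
    "carol@example.com": {"name": "Carol C", "role": "Read only",   "mfa_enabled": False},
}

# Constructed AD export after Bob's name was changed (one of the triggers the
# advisory lists). AD carries nothing about Central's MFA requirement.
AD_EXPORT = {
    "alice@example.com": {"name": "Alice A", "role": "Super Admin"},
    "bob@example.com":   {"name": "Robert B", "role": "Helpdesk"},
    "carol@example.com": {"name": "Carol C", "role": "Read only"},
}

DIRECTORY_OWNED = ("name", "role")   # attributes the directory is allowed to overwrite


def sync_replace(central, ad):
    """Lossy pattern: a login whose directory attributes changed gets its whole
    record rewritten from the AD export, so mfa_enabled is no longer present."""
    out = deepcopy(central)
    for login, rec in ad.items():
        current = {k: out.get(login, {}).get(k) for k in rec}
        if current != rec:
            out[login] = dict(rec)       # Central-owned fields are lost here
    return out


def sync_merge(central, ad):
    """Safe pattern: only directory-owned attributes are overwritten; fields the
    directory does not own, such as mfa_enabled, are carried over untouched."""
    out = deepcopy(central)
    for login, rec in ad.items():
        existing = out.setdefault(login, {"mfa_enabled": False})
        existing.update({k: rec[k] for k in DIRECTORY_OWNED if k in rec})
    return out


def mfa_regressions(before, after):
    """Logins that required MFA before a sync and no longer do afterwards.
    Run this after every sync; a non-empty result is the warning the UI lacks."""
    return sorted(
        login for login, rec in before.items()
        if rec.get("mfa_enabled") and not after.get(login, {}).get("mfa_enabled")
    )


if __name__ == "__main__":
    lossy = sync_replace(CENTRAL_LOGINS, AD_EXPORT)
    print("dropped MFA after lossy sync:", mfa_regressions(CENTRAL_LOGINS, lossy))
    safe = sync_merge(CENTRAL_LOGINS, AD_EXPORT)
    print("dropped MFA after merge sync:", mfa_regressions(CENTRAL_LOGINS, safe))
```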

Development is aware and is currently working on a resolution.

  • Until this issue is resolved, Sophos recommends not making any changes to a user's record within Active Directory or within Central Admin if that user also has MFA Central login enabled.
    • Federated/Azure logins are not affected by this.
  • Affected customers should follow the ‘Workaround‘ section below.

Workaround

  • Turn off and re-enable MFA for the affected user(s).
    • Any user who was affected will be prompted to set up MFA again on next login.
    • Any user who was not affected will not see any changes.
  • To do this, go to Global Settings–>Multi-Factor Authentication (MFA), which is under the ‘General‘ section.

    Note: this Global setting is available to Super Admin level logins only.

    • Whether you currently have the option ‘All admins need MFA‘ or ‘Select admins who will need MFA‘ selected, perform the following steps:
      • Turn off MFA (the first radio button).
      • Choose the ‘Save’ button.
      • Until the issue is resolved, make any changes you need for your users with MFA logins and perform an AD sync before re-enabling MFA.
      • Re-enable the MFA option you had previously selected (previously selected admins are remembered).
      • Choose the ‘Save’ button.
    • Any impacted admins will now be prompted to set up MFA again during their next login to Central Admin.

This article will be updated when more information becomes available

Advisory: Kernel memory issue affecting multiple OS (aka F**CKWIT, KAISER, KPTI, Meltdown, Spectre and ZombieLoad)

[LAST UPDATED August 7th 2018 – 11:27 UTC]

This article describes the implications, for Sophos customers, of the kernel memory leak issues being discussed in the media, which are addressed in patches released ahead of schedule by Microsoft on 03 Jan 2018, as well as by patches from Apple and for Linux. This article will continue to be updated as new information becomes available.

The vulnerability involves a kernel memory leak known by names such as KPTI, KAISER and F**CKWIT. Additionally, new research published on 03 Jan 2018 provides details of exploits that utilize this vulnerability, known as Meltdown and Spectre. The Sophos Naked Security blog has posted more details on this issue here.

  • For Microsoft products the vulnerabilities are addressed in patches that were released ahead of schedule by Microsoft on 03 Jan 2018, see security advisory ADV180002 for details.
  • For Apple products see the following statement: About speculative execution vulnerabilities in ARM-based and Intel CPUs
  • Patches are available for Linux systems, we advise you to speak to your Linux Kernel vendor for more information.

Sophos Endpoint customers

On 03 Jan 2018 Microsoft released a Security Advisory (ADV180002) which includes advice on this vulnerability and links to security updates.

The Microsoft article advises you to contact your Anti-Virus vendor to confirm that their software is compatible with the patch and that it sets a specific registry key.

Sophos has completed testing of installing the patch and setting the registry key and can confirm no compatibility issues were seen. We will begin to automatically add the registry key in updates to the following Sophos Endpoint/Server products starting 05 Jan 2018:

  • Sophos Central Endpoints/Servers
  • Sophos Enterprise Console Endpoints/Servers
    • Preview subscription
    • Recommended subscription
    • Previous Recommended subscription
  • Sophos Endpoint Standalone
  • Sophos Virtual Environment (SVE)
  • UTM Managed Endpoints
  • Sophos Home

IMPORTANT: For server operating systems, Microsoft states “Customers have to enable mitigations to help protect against speculative execution side-channel vulnerabilities”. To enable the mitigations, Microsoft customers need to set three additional registry keys; these may cause performance issues and will not be set by Anti-Virus vendors. For more information see: Windows Server guidance to protect against speculative execution side-channel vulnerabilities.

NOTE: For Sophos Central customers currently enrolled in the Early Access Program (EAP) please see this article: Meltdown and Spectre – The chip bugs and Intercept X Early Access Program

Customers running Sophos Intercept X and/or Sophos Device Encryption only (i.e. without Sophos Anti-Virus) alongside a 3rd party Anti-Virus product should contact the 3rd party Anti-Virus vendor to check their compatibility with the Microsoft patch and whether they have set the required registry key.

How to check if you have had the Sophos update

For customers who wish to confirm the Sophos update has been applied please see this article: Kernel memory issue affecting multiple OS: How to confirm you have the Sophos update.

Sophos Central customers using Controlled Updates will not receive the Sophos update that automatically sets the registry key. If you require the Microsoft patch via Windows Update, you can either choose Resume Automatic Updating to receive the Sophos update that sets the registry key, or apply the registry key manually via your own method (e.g. GPO, script, Regedit).

Sophos Enterprise Control (SEC) customers using Fixed Extended subscriptions prior to 10.7.6 will not receive the Sophos update that automatically sets the registry key. If you require the Microsoft patch via Windows Update, you can either move to a subscription that does contain the update, or apply the registry key manually via your own method (e.g. GPO, script, Regedit).

NOTE: Sophos has tested the compatibility of our products with the Microsoft patch, however you may be running 3rd party software that is not compatible with the patch. We recommend contacting your 3rd party vendors to confirm their compatibility.

Customers wishing to apply the patch now, ahead of the Sophos update can set the registry key manually as described in the Microsoft article: ADV180002. Alternatively you can manually download and apply the patch without the registry key.

Please note that Microsoft states “you may also need to install firmware updates from your device manufacturer for increased protection. Check with your device manufacturer for relevant updates.”. For more information see Microsoft article: Windows Client Guidance for IT Pros to protect against speculative execution side-channel vulnerabilities. We recommend that you test any firmware updates before deploying to your live environment.

Sophos Network customers

Listed below are Sophos network security products that utilize CPUs known to be vulnerable to these issues.

  • Sophos XG Firewall (Sophos Firewall OS) 16.5 and 17 (XG Series)
  • Sophos UTM (SG series) 9.5
  • Sophos Firewall Manager (SFM) 16.5
  • Sophos Web Appliance (SWA) 4.3.4
  • Sophos iView 3.0.1.1
  • Sophos Email Appliance (SEA)
  • Sophos RED
  • Cyberoam OS 10.6.6
  • Cyberoam Central Console 02.04.0 build 249
  • Cyberoam iView 0.1.2.8

These products require no patches or fixes for these CVEs, based on the assessment that access to the appliance OS to load external code is restricted and therefore malicious code cannot be executed. We recommend following best practices to protect access to privileged accounts.

At present there are three vulnerabilities linked to the kernel memory leak issue; these are:

Currently there are no known malicious threats exploiting these vulnerabilities. Sophos has released protection to help protect against this happening in the future. This protection will continue to be updated.

Protection availability:

Threat name       Sophos IDE      Publication started     Publication finished
Mal/Spectre-B     zbot-lvw.ide    2018-01-05 00:20 UTC    2018-01-05 02:23 UTC
Mal/Spectre-C     zbot-lvw.ide    2018-01-05 00:20 UTC    2018-01-05 02:23 UTC
Mal/Spectre-D     zbot-lvw.ide    2018-01-05 00:20 UTC    2018-01-05 02:23 UTC
Mal/Spectre-E     netwi-md.ide    2018-01-05 06:58 UTC    2018-01-05 09:00 UTC
OSX/Spectre-B     netwi-md.ide    2018-01-05 06:58 UTC    2018-01-05 09:00 UTC
Mal/Spectre-A     age-axyx.ide    2018-01-05 18:31 UTC    2018-01-05 20:34 UTC
JS/Spectre-A      pdfu-dwf.ide    2018-01-06 07:35 UTC    2018-01-06 09:37 UTC
Mal/Meltdown-A    msilk-al.ide    2018-01-06 12:33 UTC    2018-01-06 14:36 UTC
Mal/Meltdown-B    msilk-al.ide    2018-01-06 12:33 UTC    2018-01-06 14:36 UTC
Mal/Meltdown-C    inje-cyk.ide    2018-01-09 07:05 UTC    2018-01-09 09:08 UTC
Mal/Meltdown-D    delf-gmj.ide    2018-01-10 04:57 UTC    2018-01-10 07:00 UTC

Sophos XG Firewall and Cyberoam IPS signatures have been added to protect against the specific CVEs and sample code outlined in the Spectre and Meltdown whitepapers, and we will continue to update the IPS patterns as new variants are discovered. However, we still recommend that patches be applied to all affected systems as soon as they are available.

To ensure you have the latest protection please see this article: Sophos products: How to check if the product is up to date
