Advisory: CVE-2019-17059: Cyberoam Firewall Remote Code Execution Vulnerability

A critical shell injection vulnerability in Sophos Cyberoam Firewall appliances running CyberoamOS (CROS) version 10.6.6 MR-5 and earlier was recently discovered and responsibly disclosed to Sophos by an external security researcher.

The vulnerability can be potentially exploited by sending a malicious request to either the Web Admin or SSL VPN consoles, which would enable an unauthenticated remote attacker to execute arbitrary commands.

Applies to the following Sophos products and versions

Cyberoam Firewalls running CROS 10.6.6 MR-5 and earlier

  • For customers running CROS version 10.6.4 and later, who use the default automatic updates setting, the security update has been automatically installed since September 30, 2019 and there is no action required.
  • For customers who keep automatic updates disabled or otherwise cannot receive them, the patch is available via Sophos Support.
  • The hotfix for the vulnerability will also be included in CROS version 10.6.6 MR-6.

Sign up to the Sophos Support SMS Notification Service to get the latest product release information and critical issues.

If you’ve spotted an error or would like to provide feedback on this article, please use the section below to rate and comment on the article.

This is invaluable to us to ensure that we continually strive to give our customers the best information possible.

Exim CVE-2019-15846 and Sophos Products

This article provides information on the Exim vulnerability CVE-2019-15846 and how it affects Sophos products.

Applies to the following Sophos product(s) and version(s)

PureMessage for Unix

Sophos Central Email

Sophos Email Appliance

Cyberoam

Sophos UTM Software Appliance

PureMessage for Microsoft Exchange

Reflexion

CVE-2019-15846 describes a vulnerability in Exim in which a specially crafted SNI ending can be used to run arbitrary code on the vulnerable server.

This vulnerability is not exploitable on any Sophos product; see the table below for more information.

Sophos Email Products and CVE-2019-15846

Product | Vulnerable | Further information
Sophos XG Firewall | No | The TLS headers used to exploit this vulnerability are stripped by the product before reaching the vulnerable Exim code. *
Sophos UTM | No | The TLS headers used to exploit this vulnerability are stripped by the product before reaching the vulnerable Exim code. *
Sophos Email on Central | No | Product doesn’t utilize Exim
Sophos Email Appliance | No | Product doesn’t utilize Exim
PureMessage for Unix | No | Product doesn’t utilize Exim
PureMessage for Exchange | No | Product doesn’t utilize Exim
Cyberoam | No | Product doesn’t utilize Exim
Reflexion | No | Product doesn’t utilize Exim


* Despite this vulnerability not being exploitable due to the current architecture of the Sophos XG and Sophos UTM products, we do still plan on releasing a patch for Exim on these platforms in an upcoming Maintenance Release.


Advisory: TCP SACK PANIC kernel vulnerability

Overview

This article outlines the details of the TCP SACK PANIC kernel vulnerability and how it impacts Sophos products.

Three related flaws were found in the Linux kernel’s handling of TCP Selective Acknowledgement (SACK) packets with low MSS sizes.

These have been assigned the following CVEs:

  • CVE-2019-11477 is rated Important severity
  • CVE-2019-11478 and CVE-2019-11479 are rated Moderate severity

Applies to the following Sophos products and versions

Product | Affected | Release Plan
Sophos XG Firewall | Yes | Fixed version XG v17.5MR-7 released
Sophos UTM | Yes | Fixed version UTM 9.604 released
Cyberoam | Yes | End of July
Sophos Firewall Manager | No |
Sophos UTM Manager | Yes | Fixed version SUM4.309 released
Sophos Email Appliance | No |
Sophos Web Appliance | Yes | Fixed version 4.3.8.1 released
Sophos RED | No |
Sophos AP/APX | No |
Sophos iView | No |
Sophos Central Firewall Manager | No |
Sophos for Virtual Environments | Yes | Mid-July

Impact

CVE-2019-11477

  • A remote attacker could exploit this to crash the system resulting in a Denial of Service.

CVE-2019-11478

  • The Linux kernel is vulnerable to a flaw that allows attackers to send a crafted sequence of SACKs which will fragment the TCP retransmission queue. This could cause the CPU to spend an excessive amount of time attempting to reconstruct the list, resulting in a Denial of Service.

CVE-2019-11479

  • The Linux kernel is vulnerable to a flaw that allows attackers to send crafted packets with low MSS values to trigger excessive resource consumption. The system will then work at reduced capacity resulting in a Denial of Service for some users.

What to Do

Sophos is actively working to resolve this issue with high priority.

In the meantime, users can follow the workaround instructions outlined below.

Workaround

To resolve this vulnerability while a permanent fix is being developed, users can disable selective acknowledgments system-wide for all newly established TCP connections.

Sophos XG Firewall

Disable selective acknowledgements in the console. This workaround is reboot-persistent.

Note: Disabling SACK may reduce performance in case of packet loss.

  • Log into XG Console > Select Option 4
    • set advanced-firewall tcp-selective-acknowledgement off
  • To verify:
    • show advanced-firewall

      TCP Selective Acknowledgements: off

Update: SFOS version 17.5 MR7 resolves this vulnerability. If the workaround above was implemented on your XG Firewall and you then upgraded to version 17.5 MR7, re-enable TCP SACK by running the command set advanced-firewall tcp-selective-acknowledgement on.

Sophos UTM

There are two available workarounds that are reboot-persistent. Each workaround has caveats. Users may prefer one workaround over the other.

  1. Limiting the MSS size, which works for all three CVEs
  2. Disabling Selective Acknowledgements, which only resolves CVE-2019-11477 (critical) and CVE-2019-11478

Limiting MSS Size

This workaround mitigates all three CVE vulnerabilities.

Note: A side effect of this change is that it may disrupt legitimate traffic that relies on low MSS values.

  • Disable MTU probing:
      echo "net.ipv4.tcp_mtu_probing = 0" >> /etc/sysctl.conf
      sysctl -p
  • Add the following line to /var/mdw/etc/iptables/iptable.filter after the (:USR_OUTPUT - [0:0]) line (line 29 for UTM v9.603):
      -A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP
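Once either workaround is in place, the useful follow-up is to confirm it is actually applied rather than assume it. The following Python helper is an added example (not Sophos code) that checks the three artefacts the steps above produce: the "TCP Selective Acknowledgements: off" line from the XG show advanced-firewall output, the tcp_mtu_probing setting in /etc/sysctl.conf, and the MSS drop rule in the UTM iptables filter file. All sample inputs are constructed for this example; only the quoted XG line follows the article, and the surrounding output layout is assumed.

```python
import re

# Constructed sample inputs for this example (not copied from a real appliance).
# The XG line is in the form the article quotes; the sysctl and iptables excerpts
# show the state after the UTM workaround steps above have been applied.
SAMPLE_XG_SHOW_OUTPUT = """\
TCP Selective Acknowledgements: off
"""

SAMPLE_SYSCTL_CONF = """\
# constructed excerpt of /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.tcp_mtu_probing = 0
"""

SAMPLE_IPTABLE_FILTER = """\
*filter
:INPUT ACCEPT [0:0]
:USR_OUTPUT - [0:0]
-A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP
COMMIT
"""


def sysctl_value(conf_text, key):
    """Return the last value assigned to `key` in sysctl.conf text (later lines win), or None."""
    value = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if "=" not in line:
            continue
        k, v = (part.strip() for part in line.split("=", 1))
        if k == key:
            value = v
    return value


def mtu_probing_disabled(conf_text):
    """True only when net.ipv4.tcp_mtu_probing is explicitly set to 0."""
    return sysctl_value(conf_text, "net.ipv4.tcp_mtu_probing") == "0"


# An INPUT rule that drops TCP segments advertising an MSS in the range 1:<ceiling>.
MSS_DROP_RULE = re.compile(
    r"^-A INPUT\b.*\s-p tcp\b.*\s-m tcpmss\s+--mss\s+1:(\d+)\s.*-j DROP\s*$"
)


def mss_drop_ceiling(filter_text):
    """Return the highest MSS value dropped by the first matching rule, or None if absent."""
    for raw in filter_text.splitlines():
        match = MSS_DROP_RULE.match(raw.strip())
        if match:
            return int(match.group(1))
    return None


def xg_sack_disabled(show_output):
    """Parse `show advanced-firewall` output; True only when SACK is reported as off."""
    for raw in show_output.splitlines():
        label, sep, value = raw.partition(":")
        if sep and label.strip().lower() == "tcp selective acknowledgements":
            return value.strip().lower() == "off"
    return False            # setting not shown at all: treat as not verified


def utm_mss_workaround_applied(conf_text, filter_text, required_ceiling=500):
    """Both halves of the UTM workaround must be present: MTU probing disabled and a
    drop rule covering at least MSS 1:required_ceiling (500 is the advisory's value)."""
    ceiling = mss_drop_ceiling(filter_text)
    return (mtu_probing_disabled(conf_text)
            and ceiling is not None
            and ceiling >= required_ceiling)


if __name__ == "__main__":
    print("XG SACK disabled:", xg_sack_disabled(SAMPLE_XG_SHOW_OUTPUT))
    print("UTM MSS workaround applied:",
          utm_mss_workaround_applied(SAMPLE_SYSCTL_CONF, SAMPLE_IPTABLE_FILTER))
```

The checks are deliberately strict: an absent setting, or a rule whose MSS ceiling is lower than the advisory's 500, counts as "not applied", so the script fails closed rather than reporting a half-applied workaround as mitigated. Feed it the real files and the captured console output from an appliance to use it as a post-change verification step.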

Advisory: Security update for users of Web Application Firewall (WAF) in Sophos XG Firewall

A cross-site scripting (XSS) vulnerability within the WAF component of the Sophos XG Firewall operating system (SFOS) has been discovered.

An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program. The vulnerability could be used for unauthenticated remote code execution. Our investigations have found no evidence of the vulnerability being exploited.

Applies to the following Sophos products and versions

Sophos Firewall

For customers running SFOS version 16 and above that use the default setting of automatic updates, the security update will be automatically installed, and there is no action required.

Customers who have changed their default settings will need to apply the update manually.

Customers who do not have the WAF turned on are not vulnerable but will proactively receive the security update.

Remediation

SFOS version | Security update distributed
Version 16.01 and above, and Version 17 (all releases) | December 29, 2017
Version 15 (all releases) | Upgrade to current SFOS version
  • What products are affected?
    • Firewall and UTM appliances running SFOS (could be running Sophos or Cyberoam hardware)
  • Which product versions are affected?
    • All versions of SFOS
  • Exception
    • Sophos UTM customers who are not running SFOS
    • Cyberoam customers who are not running SFOS


Cyberoam: How to configure SSL VPN over IPsec site-to-site VPN

This article describes how to create a point-to-point encrypted tunnel between a remote user and a company’s internal network, and how to secure the peer-to-peer (site-to-site) connection end to end, using a combination of SSL certificates and a username/password for authentication.

Applies to the following Sophos products and versions

Webform – XG Firewall

Configuration parameter | Value
SSL VPN range | 10.81.234.5-10.81.234.55 (10.81.234.0/24)
Local LAN network (Cyberoam1) | 192.168.31.0/24
Remote LAN network (Cyberoam2) | 192.168.1.0/24
Local WAN endpoint (Cyberoam1) | 202.160.165.92
Remote WAN endpoint (Cyberoam2) | 59.181.97.115

Cyberoam1 (Baroda) configuration: 192.168.31.0/24

  1. Generate the default Certificate Authority.

To generate the default Certificate Authority, go to System > Certificate > Certificate Authority, click Default CA and Update, then click OK to generate the default Certificate Authority.

  2. Configure SSL Global Parameters.

To set global parameters for tunnel access, go to VPN > SSL > Tunnel Access and configure tunnel access settings with the following values:

  3. Configure SSL VPN Policy.

To configure the SSL VPN policy, go to VPN > SSL > Policy and click Add.

Parameter | Value
Name | SSL Access
Access Mode | Tunnel Access
Tunnel Type | Split Tunnel
Accessible Resources | 192.168.31.0/24 & 10.81.234.0/24

  4. Apply the SSL VPN policy to a user.

To apply the SSL VPN policy to a user, go to Identity > Users > User and select the user to which the policy is to be applied.

  5. Create the IPSec connection.

To create a new IPSec connection, go to VPN > IPSec > Connection and click Add. Create the connection using the following parameters:

Parameter | Value
Name | Baroda to Mumbai
Connection Type | Site to Site
Policy | DefaultHeadOffice
Action on VPN Restart | Respond Only
Authentication Type | Preshared Key
Preshared Key | Must be the same on the remote end as well
Local WAN Endpoint | 202.160.165.92
Remote WAN Endpoint | 59.181.97.115
Local Subnet | 192.168.31.0/24, 10.81.234.0/24
Remote Subnet | 192.168.1.0/24

  6. Required firewall rules.

==>LAN_VPN : Source = LAN & Destination = VPN , Network/Host = Any & Any , Action=Accept and OK

==>VPN_LAN : Source = VPN & Destination = LAN , Network/Host = Any & Any , Action=Accept + MASQ and OK

==>VPN_VPN : Source = VPN & Destination = VPN , Network/Host = Any & Any , Action=Accept and OK

Cyberoam2 (Mumbai) configuration: 192.168.1.0/24

  1. Create the IPSec connection.

To create a new IPSec connection, go to VPN > IPSec > Connection and click Add. Create the connection using the following parameters:

Parameter | Value
Name | Mumbai to Baroda
Connection Type | Site to Site
Policy | DefaultBranchOffice
Action on VPN Restart | Initiate
Authentication Type | Preshared Key
Preshared Key | Must be the same on the remote end as well
Local WAN Endpoint | 59.181.97.115
Remote WAN Endpoint | 202.160.165.92
Local Subnet | 192.168.1.0/24
Remote Subnet | 192.168.31.0/24, 10.81.234.0/24

  2. Required firewall rules.

==>LAN_VPN : Source = LAN & Destination = VPN , Network/Host = Any & Any , Action=Accept and OK

==>VPN_LAN : Source = VPN & Destination = LAN , Network/Host = Any & Any , Action=Accept + MASQ and OK
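The two connection tables above have to mirror each other exactly: WAN endpoints and subnets swapped, the same preshared key, one side set to Initiate and the other to Respond Only, and the SSL VPN range carried as a local subnet on the Baroda side and a remote subnet on the Mumbai side. Mistakes here usually show up as a tunnel that never establishes or as only some subnets being reachable across it. The following Python checker is an added example (not part of the Cyberoam product or this article) that encodes those mirror rules over the article's own values; the preshared key is a constructed placeholder and the 20-character minimum is an assumed threshold, not a product rule.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class IpsecSide:
    """One end of a site-to-site connection as entered under VPN > IPSec > Connection."""
    name: str
    local_wan: str
    remote_wan: str
    local_subnets: tuple
    remote_subnets: tuple
    action_on_restart: str      # "Initiate" or "Respond Only"
    preshared_key: str


# Values taken from the article's two tables; the PSK is a constructed placeholder.
PSK = "PLACEHOLDER-PSK-change-me-before-use"
SSL_VPN_NETWORK = "10.81.234.0/24"

BARODA = IpsecSide("Baroda to Mumbai", "202.160.165.92", "59.181.97.115",
                   ("192.168.31.0/24", SSL_VPN_NETWORK), ("192.168.1.0/24",),
                   "Respond Only", PSK)
MUMBAI = IpsecSide("Mumbai to Baroda", "59.181.97.115", "202.160.165.92",
                   ("192.168.1.0/24",), ("192.168.31.0/24", SSL_VPN_NETWORK),
                   "Initiate", PSK)


def _nets(subnets):
    return {ipaddress.ip_network(s) for s in subnets}


def check_site_to_site(a, b, ssl_vpn_network=None, min_psk_len=20):
    """Return a list of findings; an empty list means the two sides mirror each other."""
    findings = []
    if a.local_wan != b.remote_wan or b.local_wan != a.remote_wan:
        findings.append("WAN endpoints are not mirrored between the two sides")
    if _nets(a.local_subnets) != _nets(b.remote_subnets):
        findings.append(f"{a.name}: local subnets differ from the peer's remote subnets")
    if _nets(b.local_subnets) != _nets(a.remote_subnets):
        findings.append(f"{b.name}: local subnets differ from the peer's remote subnets")
    if a.preshared_key != b.preshared_key:
        findings.append("preshared keys differ")
    if len(a.preshared_key) < min_psk_len:      # assumed threshold, not a product rule
        findings.append(f"preshared key shorter than {min_psk_len} characters")
    if {a.action_on_restart, b.action_on_restart} != {"Initiate", "Respond Only"}:
        findings.append("exactly one side must Initiate and the other Respond Only")
    for la in _nets(a.local_subnets):           # overlapping LANs make routing ambiguous
        for lb in _nets(b.local_subnets):
            if la.overlaps(lb):
                findings.append(f"local subnets overlap: {la} and {lb}")
    if ssl_vpn_network is not None:
        # The SSL VPN range must ride the tunnel: local on the side that hosts it,
        # remote on the other, so remote users can reach the peer's LAN.
        net = ipaddress.ip_network(ssl_vpn_network)
        carried = ((net in _nets(a.local_subnets) and net in _nets(b.remote_subnets)) or
                   (net in _nets(b.local_subnets) and net in _nets(a.remote_subnets)))
        if not carried:
            findings.append("SSL VPN range is not carried by the tunnel on both sides")
    return findings


def common_mistake_findings():
    """Findings for a Mumbai entry copied from the head office and left as Respond Only."""
    wrong = replace(MUMBAI, action_on_restart="Respond Only")
    return check_site_to_site(BARODA, wrong, SSL_VPN_NETWORK)


if __name__ == "__main__":
    print("Article configuration:",
          check_site_to_site(BARODA, MUMBAI, SSL_VPN_NETWORK) or "consistent")
    print("Role copied by mistake:", common_mistake_findings())
```

Run it with the values from both appliances before opening a support case: the article's own configuration returns no findings, while a Mumbai entry that was copied from the Baroda one and left as Respond Only is reported, as is a remote-subnet list that omits the SSL VPN range.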

Final configuration by connecting the SSL VPN to access the local and remote firewall’s resources

  1. Download and install the SSL VPN Client at the remote end.

Remote users can sign in to the Cyberoam SSL VPN Portal by browsing to https://<WAN IP address of Cyberoam>:<port> and signing in.

  2. For Tunnel Access, the user needs to access internal resources through the SSL VPN Client.
  • Download the SSL VPN client from the Cyberoam website by clicking Installer.
  • Download the client configuration from the portal.
  • Install the client on the remote user’s system. On complete installation, the CrSSL Client icon appears in the system tray.
  • Right-click the Client icon and click Import. Import the SSL VPN configuration downloaded from the Portal.
  • Sign in to the Client and access the company’s internal network through SSL VPN.

Configure SSL VPN for Android Devices using OpenVPN Connect

Overview

OpenVPN Connect is the official full-featured Android client for the OpenVPN Access Server, Private Tunnel and OpenVPN Community, developed by OpenVPN Technologies, Inc.

OpenVPN Connect can be used to establish an SSL VPN connection between any Android device and the Sophos XG Firewall.

Applies to the following Sophos product: Sophos XG Firewall

Scenario:

Configure SSL VPN for an Android device using OpenVPN Connect.

Sophos Configuration:

Configure SSL VPN from the Cyberoam Web Admin Console. Configuration requires read-write permission for the relevant features.

To learn how to configure SSL VPN in Sophos, refer to the article:

Sophos XG Firewall: How to configure SSL VPN remote access: https://community.sophos.com/kb/en-us/122769

Android Configuration:

Step 1: Download and install OpenVPN Connect

Download OpenVPN Connect and install it on your Android device.

Step 2: Download the SSL VPN client configuration

From a browser, log on to the user portal using the Sophos Firewall’s public IP address and the user portal HTTPS port.

In this example, the user portal is accessible at https://183.83.216.23:8443

Note: You can find the user portal HTTPS port configured in Sophos Firewall by going to Administration > Admin Settings, under the Port Settings for Admin Console section.

Step 3: Once logged into the portal, download the SSL VPN client configuration for the required endpoint.

In this article, we download the configuration for Android / iOS; a file in .ovpn format is downloaded.

Save the file to a specific location on your Android phone.

Step 4: Import the SSL VPN configuration into OpenVPN Connect on the Android device

Launch OpenVPN Connect and select the third option, “OVPN Profile”.

Step 5: Click Import and select the .ovpn configuration from the saved location on your phone. It shows the public IP and the username with which you will connect.

Step 6: Click the option to connect. A virtual IP is leased to the phone and the status shows “Connected”.

The above configuration establishes an SSL VPN connection between Cyberoam and the Android device using OpenVPN Connect.

Related information

  • Sophos XG Firewall: How to configure SSL VPN remote access

Advisory: Sophos XG, UTM, Cyberoam and Central Email may be quarantining legitimate emails

Sophos is investigating reports from Sophos XG, UTM, Cyberoam and Central customers that legitimate email is being quarantined.

Note: This issue seems to be mostly affecting customers with British domains (co.uk, ltd.uk, .uk).

Applies to the following Sophos product(s) and version(s)

Sophos XG, UTM, Cyberoam and Central Email

Impact

Some Sophos customers may experience legitimate emails being blocked or quarantined. Inbound and outbound emails are affected.

Some appliances are still reporting false positive SPAM detections due to cached lookups. Sophos has released a hotfix via a pattern update to clear the cache automatically on SG/XG appliances. This has now been released for all versions of the UTM and XG.

Note: If you are still experiencing false positive detections, the steps below will clear the cache manually for each affected product.

We also recommend reviewing the content of your quarantine to ensure that any erroneously quarantined emails are released. This can be done by either the administrator or by the end user if the respective product end user portal is enabled.

UTM

To clear the cache manually, run the following commands as root:

/var/mdw/scripts/ctasd_inbound stop

/var/mdw/scripts/ctasd_outbound stop

mv /var/cache/ctasd /var/cache/ctasd.old

/var/mdw/scripts/ctasd_inbound start

/var/mdw/scripts/ctasd_outbound start

To review the quarantine and release any affected mail, please refer to the Mail Manager section (page 336) of the UTM Administrator Guide.

Mail Manager can be located under Email Protection > Mail Manager in the UTM user interface

Sophos XG Firewall:

To clear the cache manually, log in as admin and run the following commands:

service antispam:stop -ds nosync

rm -rf /sdisk/as/*

rm -rf /sdisk/os/*

service antispam:start -ds nosync

In order to review the quarantine and release any affected mail please refer to the Sophos XG Firewall online help section.

SMTP Quarantine can be located under Email > SMTP Quarantine in the XG Firewall user interface

Cyberoam:

Affected customers please contact support.

In order to review the quarantine and release any affected mail please refer to page 41 of the Cyberoam OS Administration Guide

Sophos Email:

No action is required to clear the cache. Services were restarted at noon on 8th May and no new mail should be affected by this issue after this time. To review the quarantine for Sophos Email and release any affected mail, please refer to the Sophos Email online help.

The issue with the live lookup data has been resolved; however, some cached data may still be causing problems. Any customers still experiencing false positive detections should carry out the steps above for their affected product.

If symptoms are still being experienced after carrying out these steps, please contact Sophos Support with a sample of the released email if possible.

Moving forward, customers should subscribe to the Sophos SMS Mobile Notification service to be notified of product issues such as this.
