Sophos hat die Version 17.5 GA für das Sophos Firewall OS (SFOS) veröffentlicht. Die neue Firmware könnt ihr per sofort über das MySophos Portal herunterladen.

Alle Neuerungen haben wir euch schon detailliert in einem separaten Artikel vorgestellt: Sophos XG Update v17.5: Alle Neuerungen im Überblick

In den nächsten Tagen steht die neue Firmware auch automatisch über das WebAdmin der Firewall zur Verfügung und kann mit einem einfachen Klick installiert werden.*

*Von dieser etwas bequemeren Variante können aber nur all jene profitieren, die den Enhanced Support von Sophos bezahlt haben. Den Sophos Enhanced Support bekommt ihr zu jedem Bundle automatisch dazu (EnterpriseProtect, EnterpriseGuard, TotalProtect, FullGuard), kann aber auch einzeln erworben werden.

Fehlerbehebungen

• NC-39029 [Authentication] Show proper error message in UI if you enter an used port in Chromebook SSO configuration
• NC-39212 [Authentication] CSD: make sure the userSessions map is not overwritten
• NC-39532 [Authentication] Migration from 17.1 fails if host definition for “*.gstatic.com” exists
• NC-39677 [Authentication] Success message shown in ui even though deleting a user fails
• NC-37683 [Base System] cURL (libcurl) NTLM Authentication Code Buffer Overrun Vulnerability (CVE-2018-14618)
• NC-39192 [CM-Join-to-cloud] Appropriate status should update on SF and Sophos Central once FW is remove from Central and register again
• NC-36497 [Email] POP3 mails reach the proxy empty
• NC-38052 [Email] Subject not displayed properly in mail log with sender generated password method
• NC-38282 [Email] mail_sender opcode stuck in CSC
• NC-38470 [Email] Some reason filters on mail log page are not working as expected
• NC-38571 [Email] Port validation not working when adding new port in SMTP via CLI
• NC-39233 [Email] Email delivery failed for some recipients when email containing 512 recipients
• NC-39280 [Email] Error message ‘Relay not permitted’ when sending an inbound mail to email address base profile
• NC-39379 [Email] Bad (malformed syntax) mails should be displayed separately from network failed emails on UI
• NC-39454 [Email] Mail doesn’t get formatted properly when file filter protection applied
• NC-39513 [Email] Network type IP host should not allowed to add in exception policy
• NC-39668 [Email] RDNS check should be applied to inbound emails only
• NC-39737 [Email] Mail from header changed when wrong “Return-Path” used in smart host deployment
• NC-39953 [Email] Email attachments get corrupted with BDAT
• NC-38505 [IPS] IPS policy backup is not created while applying signature upgrade
• NC-39687 [IPS] IPS log filling up with entries and causing problems for legitimate traffic
• NC-39083 [IPsec] IPsec: charon starts parsing fragmented messages before they are reassembled
• NC-38832 [Network Services] Issue with wildcard FQDN based rule
• NC-37817 [UI Framework] SAC tab not loaded because of OutOfMemory error
• NC-39310 [UI Framework] Control Center: Icons for VPN and Connections have been switched
• NC-38184 [Web] Check settings functionality is not working from device level of firewall manager(SFM)
• NC-38844 [Web] Web Policy Override not working in HA(A-A) mode if traffic served from Aux appliance
• NC-39039 [Web] When “Drop connection” feature is enabled, blocked/warned events are not logged correctly

Fehlerbehebungen in EAP1

• NC-32763 [Authentication] Importing users with .csv file having usernames with Thai characters creates junk character
• NC-34340 [Authentication] Users not getting authenticated via Radius SSO
• NC-37091 [Authentication] Show error when Chromebook SSO is not configured correctly
• NC-37300 [Authentication] Create FQDN Hosts and Groups for Chromebook
• NC-38381 [Authentication] “Record does not exist” error when trying to open created LDAP server
• NC-36185 [Azure] Upgrade Linux VM Agent
• NC-38176 [Base System] garner memory corruption affecting RED
• NC-38471 [Base System] EULA not shown on GUI on Azure
• NC-38473 [Base System] Reading of /proc/timer_list file leads to NMI watchdog soft lockups
• NC-31499 [Email] Unable to send .eml attachments to specific domain
• NC-32682 [Email] SPX generates password for same email recipient in different case
• NC-32690 [Email] SPX encryption corrupting attachments by adding line breaks
• NC-32754 [Email] XG not able to insert spool query
• NC-33360 [Email] Add missing header fields in notification emails
• NC-33391 [Email] Quarantine digest and released emails not sent
• NC-33977 [Email] Unable to release unscannable quarantined emails
• NC-34450 [Email] Fail to send email notifications
• NC-35494 [Email] UI hangs when user selects specific date on SMTP quarantine page
• NC-36612 [Email] Cross version import/export not working for exception policy
• NC-37849 [Email] Console command ‘subsystem-info’ shows awarrensmtp and smtpd service with same name
• NC-37945 [Email] Scanner crash on low end devices due to high number of forwarders
• NC-38005 [Email] Improper IP reputation reject status message in mail log
• NC-38013 [Email] Typo in Authentication Relay drop message
• NC-38015 [Email] Emails moved to error queue when header part is big
• NC-38021 [Email] Return-Path/Reply-To header ignored while sending failure notifications
• NC-38252 [Email] Add support of email based routing and RBL scanning
• NC-38257 [Email] No reason logged in mail logs for mails dropped due to file filter
• NC-38297 [Email] Improper label in exception policy at device level from SFM
• NC-38312 [Email] SFM pushes exception policy to firewalls even in legacy mode
• NC-38391 [Email] Core dump in mail scanner
• NC-38392 [Email] Notifications are logged with ‘0 bytes’ in MailLogs
• NC-38501 [Email] SPX fails to encrypt on hardware appliances when SPX reply portal is enabled template
• NC-39024 [Email] Do not allow multi use for port 587
• NC-32530 [Firewall] Post-Authentication SQL injection in Firewall User Interface
• NC-34612 [Firewall] Appliance frequently rebooting when having IPv6 permitted networks for remote access SSLVPN
• NC-34675 [Firewall] Live connections page not showing connection list
• NC-35656 [Firewall] Internet access being lost, SFOS consuming all memory.
• NC-35660 [Firewall] MAC address missing in export of MAC list having only one list member
• NC-37274 [Firewall] SMTP MTA mode does not support TCP port 587
• NC-37760 [Firewall] Misleading message when adding rule using automatic grouping and group has already 200 rules
• NC-37992 [Firewall] Transferred data not shown in firewall rules when reaching tera bytes
• NC-36318 [IPS, SFM-SCFM] Application filter policy rule not containing any application being pushed from SFM is not applied on SF
• NC-36565 [IPS] Category replacement not working on export/import
• NC-38347 [IPS] Category based IPS policy import not mapping to Talos categories
• NC-30016 [IPsec] Merged IKE gets deleted when one connection is disabled in UI
• NC-32269 [IPsec] GRE traffic forwarded through WAN interface after HA failover event
• NC-34131 [IPsec] L2TP still connects after user was disabled
• NC-38310 [IPsec] IPsec site-to-site tunnel not established with Cisco ASA and gateway type “Initiate the connection”
• NC-39059 [Localization] Using “state” causes mistranslations
• NC-36455 [Networking] WWAN is not connected automatically at boot time if the primary WAN link is disconnected/down
• NC-36720 [Networking] Traffic might flow via backup gateway even hard gateway failback configured
• NC-34149 [nSXLd] Keywords are not deleted when custom web category is deleted
• NC-37809 [nSXLd] Proxy authentication is not cleared after config reload
• NC-38125 [SSLVPN] Unable to edit SSLVPN (remote access) page
• NC-35500 [UI Framework] Apache service start fails if webadmin certificate passphrase having single quote character
• NC-35682 [WAF] Unable to edit and load business app rule for WAF
• NC-37178 [Web] Name should not be pre-filled while creating new overrides
• NC-37179 [Web] Improve UI for adding website domains to an Application Override

Fehlerbehebungen in EAP0

• NC-29648 [Base System] If Default CA is not configured, Generate CSR option should be disabled
• NC-29906 [Base System] Unable to edit NTP server when 10 servers are configured
• NC-30497 [Base System] [VMware] SFOS Guest OS detail shows wrong/missing
• NC-30635 [Base System] Missing focus after closing dialog when editing default certificate
• NC-31010 [Base System] Configuration import running into timeout on SG/XG 100 series appliances
• NC-31100 [Base System] Upgrade notification pop-up does not work in some cases
• NC-35536 [Base System] OpenSSL - “Denial of service during forward secrecy setup” (CVE-2018-0732)
• NC-34154 [Clientless Access] Unable to connect RDP type bookmark with NLA
• NC-34803 [Email] Possible denial-of-service due to secure client-initiated renegotiation
• NC-35175 [Email] Sophos XG is not adding received-by header as per RFC 5321
• NC-35256 [Email] Invalid XML is generated for Email -> General Settings -> Blocked Senders
• NC-35915 [Email] “POP-IMAP Scanning” policy generated XML does not contain information of filter criteria “Source IP/Network Address”
• NC-26440 [Firewall] Firewall rule dropping traffic when there is no user identity attached to the rule
• NC-30989 [Firewall] CVE-2018-8897: Don’t use IST entry for #BP stack
• NC-31282 [Firewall] Firewall rule group entity name not sent to SFM upon insert/update/delete
• NC-22889 [Hardware] XG85: poweroff command reboots the device instead of shutting it down
• NC-21909 [IPsec] Do not show empty-value-warning on page entry
• NC-30319 [IPsec] Backup fails import when containing IPv6 remotes
• NC-30462 [IPsec] Site-to-Site connection not initiated after DHCPv6 interface update
• NC-30618 [IPsec] New virtual IP on every Phase 1 rekey even though client requests same IP
• NC-30794 [IPsec] NAT checkbox is always enabled in IE11
• NC-30796 [IPsec] Local gateway selection shows invalid interface in IE11
• NC-33410 [IPsec] VPN Connection Status shows ‘Any’ on both sides even when configured only on one side
• NC-22604 [Logging] GUI alignment issue when sender name or subject is longer
• NC-25714 [Logging] Firewall rule ID in log viewer not linking to actual rule anymore
• NC-29974 [Network Services] Disconnect PPPoE interface doesn’t update corresponding interface based DNS static entry
• NC-30753 [Network Services] DGD service in stopped state and segmentation fault
• NC-33876 [Network Services] IPset command shows wrong information for wildcard and FQDN Host
• NC-30483 [Networking] Port and IP address may show “undefined” in WAN Link Manager “Failover Rules”
• NC-30493 [Networking] Link status not updated in WAN Link Manager when RA client has no IP address
• NC-30544 [Networking] Full and selective configuration import fails when bridge innterface configured in WAN zone
• NC-31399 [Networking] Full backup import fails when bridge member interface is LAG
• NC-33628 [Networking] LAG mode related configuration missing on configuration export
• NC-34573 [Networking] Configuration changes of CFM not propagated to XG
• NC-20785 [Reporting] PDF export of reports taking much time or failing completely
• NC-26459 [Reporting, UI Framework] Reports for “Traffic Insight” not shown on dashboard
• NC-29573 [Reporting] Sending of scheduled reports does not consider changes of daylight saving time
• NC-31243 [Reporting] Table headers in reports span two lines and cannot be seen
• NC-32490 [Reporting] Unable to click “PDF”, “CSV”, “Bookmark” or “Schedule” under “Report > Applicazioni & Web” when WebAdmin language is Italian
• NC-28206 [SecurityHeartbeat] Heartbeat deamon does not handle all allowed MAC address formats correctly
• NC-32459 [SecurityHeartbeat] Endpoint name in StoneWall message
• NC-32580 [SecurityHeartbeat] Extend StoneWall protocols/messages
• NC-34169 [SSLVPN] Fail to access SSLVPN (site-to-site) page after any tunnel modification
• NC-30984 [Synchronized App Control] [SAC] improve usability
• NC-30987 [Synchronized App Control] [SAC] no action “acknowledge” for acknowledged apps
• NC-30988 [Synchronized App Control] [SAC] filter with deleted apps should be last in the dropdown field
• NC-28064 [WAF] Form hardening sets block-reason only in case of GET requests
• NC-25805 [Web] Handle non-compliant HTTP status code 999
• NC-27519 [Web] Proxy continues to download files in batch mode even if client closes connection
• NC-28851 [Web] Default Web policies contain duplicate rules
• NC-29305 [Web] “Expect” header not handled correctly
• NC-31837 [Web] Add “alert.hitmanpro.com” to proxy bypass list
• NC-33650 [Web] Enabling web content cache for Sophos Updates blocks further updates