After almost 4 months, Sophos has released an update for the UTM. The update to version 9.510-4 closes various security vulnerabilities and fixes some functional problems. Long-awaited features, such as support for Let's Encrypt and IKEv2, are still outstanding.
Here is the list of changes:
- [NUTM-8273]: [Basesystem] Inconsistent reporting data in hot standby environment
- [NUTM-9089]: [Basesystem] ulogd restarting randomly
- [NUTM-9423]: [Basesystem] Missing DMI info or missing WiFi card should turn status LED red for desktop refresh models
- [NUTM-9516]: [Basesystem] CVE-2017-3145: BIND vulnerability
- [NUTM-9764]: [Basesystem] multiple NTP vulnerabilities
- [NUTM-9862]: [Basesystem] CVE-2018-8897: Don’t use IST entry for #BP stack
- [NUTM-9944]: [Basesystem] ‘ethtool -p’ is not working for shared port
- [NUTM-9945]: [Basesystem] SG/XG 125/135 upper 4 ports LEDs at front and rear side not behaving as expected
- [NUTM-9286]: [Email] CVE-2011-3389: SSL/TLS BEAST Vulnerability And Weak Algorithms
- [NUTM-9460]: [Email] Quarantine unscannable and encrypted content not working as expected
- [NUTM-9539]: [Email] SMTP callout with TLS does not work
- [NUTM-9627]: [Email] Parent proxy for WAF (ctipd) not applied without active e-mail subscription
- [NUTM-9771]: [Email] Redesign TFT detection to decrease false positives/negatives
- [NUTM-9836]: [Email] HSTS usage breaks Quarantine Report release link
- [NUTM-9789]: [Logging] Not able to archive logs using SMB share
- [NUTM-8969]: [Network] Inconsistent DHCP leases in WebAdmin
- [NUTM-9049]: [Network] Cannot change IPv4 interface as IPv6 gateway is required
- [NUTM-9194]: [Network] Static route switching to different VLAN
- [NUTM-9646]: [Network] eth0 is falsely marked “dead” when running “hs” on slave
- [NUTM-9739]: [Network] Network monitor restarting on slave nodes
- [NUTM-9795]: [RED] RED50 issue with large packets in Transparent/Split mode
- [NUTM-9607]: [Reporting] Upper case umlauts in PDF Executive Reports are not displayed correctly
- [NUTM-9624]: [Reporting] WAF – Top attackers won’t be displayed after upgrade to v9.5
- [NUTM-9719]: [SUM] Web Protection service shown as down in SUM
- [NUTM-9547]: [UI Framework] UserPortal does not correctly detect browser specified preferred language for Chinese Simplified
- [NUTM-9527]: [WAF] mod_url_hardening stack corruption
- [NUTM-8038]: [WebAdmin] WebAdmin not available
- [NUTM-9232]: [WebAdmin] Sometimes ‘backend connection failed’ while login
- [NUTM-9529]: [WebAdmin] Role with ‘Web Protection Manager’ rights can’t access Application Control
- [NUTM-9689]: [WebAdmin] Report Auditor role is unable to open the dashboard
- [NUTM-5293]: [Web] Google is missed in the Search Engines reports
- [NUTM-6240]: [Web] FTP download through HTTP Proxy in standard mode not possible
- [NUTM-9039]: [Web] Connections may fail when using upstream proxies due to “Proxy-Connection” header being sent
- [NUTM-9399]: [Web] Classification for Windows Updates differs between AFC and conntrack
- [NUTM-9413]: [Web] Unable to upload certificate to “Local Verification CAs”
- [NUTM-9491]: [Web] HTTP Proxy coredumps with SIGABRT
- [NUTM-9549]: [Web] Proceeding after content warning results in display issues on redirected pages
- [NUTM-9599]: [Web] HTTP Proxy requests stuck without appropriate timeout
- [NUTM-9630]: [Web] Fallback log flooded with samlogon cache timeout messages
- [NUTM-9664]: [Web] Country blocking exception not working when HTTP Proxy is using SSO
- [NUTM-9720]: [Web] Can’t proceed content warning for MIME types if URL contains spaces
- [NUTM-9745]: [Web] HTTP Proxy coredumps with SIGSEGV
- [NUTM-7628]: [Wireless] Wireless clients frequently failing to connect with STA WPA failure reason code 2
- [NUTM-8946]: [Wireless] APs displayed as inactive in WebAdmin while clients can connect
- [NUTM-9591]: [Wireless] Both local WiFi using 2.4GHz band and same channel in default configuration
- [NUTM-9592]: [Wireless] Unable to broadcast same SSID on both LocalWifi0 and LocalWifi1
- [NUTM-9594]: [Wireless] Incorrect channel information showing on overview for LocalWifi
- [NUTM-9608]: [Wireless] Incorrect generic error message in WebAdmin while configuring band for wireless network
- [NUTM-9638]: [Wireless] Both local WiFi AP named ‘Local’
- [NUTM-9731]: [Wireless] Not able to configure channel 12 and 13 on newer desktop models
- [NUTM-9735]: [Wireless] Set default channel width to 40MHz for 5GHz band
- [NUTM-9737]: [Wireless] SGw appliances missing frequency definitions for Nigeria
Unfortunately, updates for the UTM are appearing at increasingly irregular intervals; as mentioned at the beginning, the last update was 4 months ago. For example, Sophos only closed a vulnerability in BIND (CVE-2017-3145) with this update, although the problem was reported in January 2018.
I would like Sophos to release updates more quickly here.
If the update is not yet displayed in WebAdmin, it can be downloaded manually here:
http://ftp.astaro.de/UTM/v9/up2date/u2d-sys-9.509003-510004.tgz.gpg
As Sophos has not been very good with updates in the past, a backup should be created before the update.