XG Firewall Hotfix “HF051220.1” Released – Release Notes & News – XG Firewall

Hi XG Community!

We’ve released XG Firewall hotfix “HF051220.1”.

After recent hotfixes to address the SQL injection vulnerability and password reset for the XG Firewall/SFOS (Refer KBA135412), this hotfix HF051220.1 adds a CLI option to change configuration based on previous administrator actions:

1) You can now disable captcha for the webadmin and user portal when they are exposed on the VPN zone.

• Captcha authentication serves as an extra security defense against scripted automated login attempts.
• As an additional security measure, a Captcha has been added to the XG Firewall admin and user portals on the WAN and VPN zones. It is enabled for all devices running v17.x and v18.x, except for XG85/XG85w devices. Any Cyberoam device that has upgraded to the XG Firewall firmware will not implement Captcha.
• This hotfix provides CLI configuration for the same: console> system captcha_authentication_VPN enable/disable/show
  • In case, VPN has been configured as site-to-site IPSec with remote network configuration as “ANY”, you will also need to add an IPsec route to turn off captcha for specific VPN host/network.
    • Example:
      1. console> system ipsec_route add host <50.50.50.1> tunnelname <mytunnel>
      2. console> system ipsec_route add net <10.10.10.0/255.255.255.0> tunnelname <mytunnel>

2) You can now turn off mandatory password reset pop-up

• As an additional security measure related to vulnerability CVE-2020-12271, the password reset is shown only on an XG Firewall that was identified as impacted. For more information see KBA135412.
• If you have already changed passwords since 2200 UTC on April 25, 2020, for the administrator and any users with administrator privilege, you may want to turn off this mandatory password reset.
• This hotfix provides CLI configuration for the same: console> system mandatory_password_reset disable/show

• All supported versions: v17.0, v17.1, v17.5 and v18 GA

• Firmware version on XG Firewall webadmin control center will show “HF051220.1” appended. Example – “SFOS 18.0.0 GA-Build379.HF051220.1”

If you have disabled “Allow automatic installation of hotfixes”, please reference the following KBA for instructions on how to apply the required hotfix: https://community.sophos.com/kb/en-us/135415

Note: Customers managing XG Firewalls with either Sophos Firewall Manager (SFM) or Central Firewall Manager (CFM) need to verify each firewall has an active connection with firewall management to receive critical updates. These steps are not required for Sophos Central managed devices.