Hi,
hope that Sophos knows about the new Exim vulnerabilities and will release a hotfix:
Can we expect these security holes to be patched by hotfix, or would customers have to wait until the next SFOS update? Are there any steps to mitigate the vulnerabilities manually in the meantime, or at least ways to check if the system is already compromised?
I would like to see a response similar to "Asnarök" from Sophos, as it seems that the impact is pretty serious and the exploits have been around for more than 2 months.
Hi Samuel Heinrich,
We'll update the following blog post as new information becomes available:
Thanks,
JFYI: The Advisory was updated with the latest information.
Hi .
Thank you for posting the Advisory. But I think Sophos should especially address the SG UTM, as most of the customers using Sophos are on SG.
We'd expect that an issue that could gain root access on the firewall would be addressed immediately.
Exim is one thing. But would Sophos address other vulnerabilities on firewalls that could gain root access in time?
There is no mitigation for SG. Disabling services like mail is not an option. And in other cases, shutting down the firewall completely?
Regards,
Thomas
This is a thread for Sophos XG Firewall. Sophos is working on fixes for both products. Sophos XG Firewall has a hotfix mechanism, which allows hotfixes to be deployed on the product without downtime etc. All customers with hotfixes enabled have already got the fix. UTM needs a complete new release, which I assume takes more time compared to a hotfix.
As another workaround, Central Email offers a 100 mailbox free trial. It's easy to set up and could be implemented for the customer within minutes. Simply deploy the mailboxes in Central (AD Sync), deploy the MX (switch to Central) and redirect the mails to Central. Forward the mails to UTM and only open the Mail protection of UTM to Central delivery IPs.