Since this is making the rounds as if it's meaningful, I'll just repeat myself from somewhere else.
The devil's in the details.
XG 19.0.1 has a hotfix, which is applied automatically unless you deliberately disable that.
XG 19.0.0 has a hotfix, which is applied automatically unless you deliberately disable that.
The last five releases of 18.5 have a hotfix, which is applied automatically unless you deliberately disable that.
The last four releases of 18.0 have a hotfix, which is applied automatically unless you deliberately disable that.
The last six releases of 17.5 have a hotfix, which is applied automatically unless you deliberately disable that.
The last release of 17.0 has a hotfix, which is applied automatically unless you deliberately disable that.
17.5 has been EOL since November 2021, just to give an idea how available patches are.
But here's the kicker... the official, in-the-OS non-hotfix release? Was released in December, and Sophos soft-releases firmware in stages. Only a small percentage of firewalls will see the 19.5 firmware as available right now. Most of the ones I manage haven't seen it. Yes, you can go out of your way to download the code from a portal and manually install it, but for most firewalls, when you log on it doesn't tell you there's an update, and if you query for updates it - again - says there aren't any.
So to say 99% of eligible firewalls aren't running the fixed code is... deeply misleading. Almost all of them have hotfixed. And the non-hotfix patch requires hoops to be jumped through.
Yes, a proper admin should be aware that firmwares are available, but it's rarely good to be on the bleeding edge, and when you've got a hotfix... why rush to expose your customer to potential initial-release bugs?
This study and what it implies about Sophos or people who admin them are deeply pointless and misleading.