Sophos discovered an XG Firewall v17.x vulnerability affecting physical and virtual units configured with the user portal exposed on the WAN. This was a previously unknown buffer overflow vulnerability in the user portal HTTP/S bookmark feature.
Sophos quickly responded and remediated with a hotfix that removes the HTTP/S bookmark functionality for all XG Firewalls running SFOS v17.x. XG Firewall v18 was not impacted.
Applies to the following Sophos product(s) and version(s): Sophos XG Firewall v17.5 MR12 and earlier
You will receive an email from Sophos if any action is required
Sophos strongly recommends following industry best practices and the additional steps below to fully remediate the issue:
Can this issue affect SSL VPN remote connections?
@Michael Pasqualone What if you create it as a local ACL? I'm pretty sure it would stay active.
Jakob P Even after re-enabling it, which we've done on 2 XGs, it's automatically disabling itself some time later. We're constantly having to re-enable it.
Sophos' communication on this has been very poor...
This article:
community.sophos.com/.../advisory-buffer-overflow-vulnerability-in-user-portal
Advises:
Applies to the following Sophos product(s) and version(s): Sophos XG Firewall v17.5 MR12 and earlier
Which implies, for instance, that MR-10.HF062020.1 (i.e. MR-10 with the HF062020.1 hotfix applied) is not sufficient to mitigate the vulnerability and that a firmware version >17.5 MR12 is required.
In direct contrast, this article:
community.sophos.com/.../sophos-xg-firewall-http-s-bookmarks-feature-retirement
Advises that the HTTP/S bookmarks feature has been retired in Sophos XG v17.x, via hotfix HF062020.1.
Furthermore, the CVE (nvd.nist.gov/.../CVE-2020-15069) states:
"allows a Buffer Overflow and remote code execution via the HTTP/S Bookmarks feature for clientless access. Hotfix HF062020.1 was published for all firewalls running v17.x"
So, those two references imply that only the hotfix HF062020.1 needs to be installed for any 17.x firmware version, in order to mitigate the vulnerability.
So which is accurate? If the former, then there doesn't appear to be a firmware version for 17.x that's newer than 17.5 MR12, so everyone has to upgrade to v18?
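The disagreement in the post above comes down to how strings such as "17.5 MR12" and "MR-10.HF062020.1" are read. The following is an added example, not code from Sophos or from anyone in this thread: a small Python triage helper that parses SFOS-style version strings (the format is an assumption based on the strings quoted here) and reports, per device, whether the build sits inside the advisory's listed range ("v17.5 MR12 and earlier"), whether the HF062020.1 hotfix marker is present, and whether the unit is on v18, so both readings discussed above are visible side by side rather than resolved by the script. The inventory is constructed sample data.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Facts as stated on this page (advisory, hotfix notice, CVE entry).
HOTFIX_ID = "HF062020.1"          # hotfix published for all v17.x firewalls
LISTED_MAJOR, LISTED_MINOR, LISTED_MR = 17, 5, 12   # "v17.5 MR12 and earlier"

# Assumed layout of an SFOS version string, derived from examples quoted in the
# thread: optional "SFOS", major.minor(.patch), optional MR / MR-n, optional hotfix id.
VERSION_RE = re.compile(
    r"""^\s*(?:SFOS\s+)?
        (?P<major>\d+)\.(?P<minor>\d+)(?:\.(?P<patch>\d+))?   # 17.5 or 17.5.3
        (?:[\s.-]*MR-?(?P<mr>\d+))?                           # MR12 or MR-10
        (?:[\s.-]*(?P<hf>HF\d{6}\.\d+))?                      # HF062020.1
        \s*$""",
    re.IGNORECASE | re.VERBOSE,
)


@dataclass
class SfosVersion:
    major: int
    minor: int
    mr: int                 # maintenance release number, 0 if none given
    hotfix: Optional[str]   # e.g. "HF062020.1", or None


def parse_sfos_version(text: str) -> SfosVersion:
    """Parse a version string; raises ValueError on anything unrecognised."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised SFOS version string: {text!r}")
    return SfosVersion(
        major=int(m["major"]),
        minor=int(m["minor"]),
        mr=int(m["mr"]) if m["mr"] else 0,
        hotfix=m["hf"].upper() if m["hf"] else None,
    )


def assess(text: str) -> dict:
    """Report where a build stands relative to the advisory's statements."""
    v = parse_sfos_version(text)
    in_listed_range = v.major == LISTED_MAJOR and (
        v.minor < LISTED_MINOR or (v.minor == LISTED_MINOR and v.mr <= LISTED_MR)
    )
    hotfix_applied = v.hotfix == HOTFIX_ID

    if v.major >= 18:
        status = "not_impacted"                 # "XG Firewall v18 was not impacted"
    elif v.major != 17:
        status = "not_covered_by_advisory"      # advisory only speaks about v17.x
    elif hotfix_applied:
        status = "hotfix_applied"               # HF062020.1 present on a v17.x build
    elif in_listed_range:
        status = "affected_no_hotfix"           # v17.5 MR12 or earlier, no hotfix marker
    else:
        status = "above_listed_range_verify"    # a v17.x build newer than 17.5 MR12

    return {
        "input": text,
        "version": v,
        "in_listed_range": in_listed_range,
        "hotfix_applied": hotfix_applied,
        "status": status,
    }


def needs_attention(inventory: list) -> list:
    """Return the inputs that are v17.x without the hotfix marker (either reading)."""
    flagged = []
    for item in inventory:
        r = assess(item)
        if r["status"] in ("affected_no_hotfix", "above_listed_range_verify"):
            flagged.append(item)
    return flagged


if __name__ == "__main__":
    # Constructed sample inventory, not real device data.
    sample = [
        "17.5 MR12",
        "SFOS 17.5 MR-10.HF062020.1",
        "17.1 MR3",
        "18.0 MR1",
    ]
    for s in sample:
        r = assess(s)
        print(f"{s:32} range={r['in_listed_range']!s:5} "
              f"hotfix={r['hotfix_applied']!s:5} -> {r['status']}")
    print("needs attention:", needs_attention(sample))
```

The helper deliberately reports `in_listed_range` and `hotfix_applied` as separate fields: a build such as 17.5 MR-10 with HF062020.1 is inside the advisory's listed range and also carries the hotfix, which is exactly the case the two Sophos pages describe differently.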
Michael Pasqualone
They disabled the UserPortal; you would have to re-enable it...