Advisory: Buffer overflow in XG Firewall v17.x User Portal

Overview

Sophos discovered a vulnerability in XG Firewall v17.x affecting physical and virtual units configured with the User Portal exposed on the WAN. This was a previously unknown buffer overflow vulnerability in the User Portal HTTP/S bookmark feature.

Sophos quickly responded and remediated with a hotfix that removes the HTTP/S bookmark functionality for all XG Firewalls running SFOS v17.x. XG Firewall v18 was not impacted.


Applies to the following Sophos product(s) and version(s)

  • Sophos XG Firewall v17.5 MR12 and earlier

  • You will receive an email from Sophos if any action is required


Remediation

  • Ensure you are running a supported version of XG Firewall
  • Hotfix HF062020.1 was published for all firewalls running v17.x
  • Additionally, Sophos recommends that XG Firewall customers upgrade to SFOS v18


Sophos strongly recommends following industry best practices and the additional steps below to fully remediate the issue:

  1. Reset device administrator accounts
  2. Reset passwords for all local user accounts
  3. Disable User Portal access on the WAN unless necessary


Related information

  • SFOS 17 hotfix info is included in displayversion, which makes it clear in the CLI which XGs have it. Example: "XG105w_XN03_SFOS 17.5.12 MR-12.HF062020.1". displayversion on SFOS 18 does not seem to present the hotfix info and instead shows only "XG210_WP03_SFOS 18.0.1 MR-1-Build396". Would checking for "Hot Fix version: 4" in the output of "system diagnostics show version-info" be an accurate method of verifying this hotfix is applied from the CLI on 18? The goal is incorporating the check into a script.
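
The v17 part of the check described in the comment above, as an added example (not Sophos code and not part of the original post): it parses displayversion strings in the format of the two quoted outputs, reports whether a unit is on v18 (not affected per the advisory), on v17.x with HF062020.1 applied, or on v17.x without it. The third sample string and the hostname labels are constructed for illustration; the v18 "Hot Fix version" question is left open, as on the page.

```python
import re
from dataclasses import dataclass
from typing import Optional

HOTFIX = "HF062020.1"  # hotfix named in the advisory for all v17.x firewalls

# Constructed samples modelled on the displayversion outputs quoted in the comment.
SAMPLES = {
    "fw-branch-a": "XG105w_XN03_SFOS 17.5.12 MR-12.HF062020.1",  # v17, hotfixed
    "fw-hq":       "XG210_WP03_SFOS 18.0.1 MR-1-Build396",       # v18, not affected
    "fw-branch-b": "XG125_XN03_SFOS 17.5.11 MR-11",              # constructed: v17, no hotfix
}

# <model>_SFOS <major>.<minor>.<patch> <MR tag>[.<hotfix>][-Build<n>]
VERSION_RE = re.compile(
    r"^(?P<model>\S+?)_SFOS\s+(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)\s+"
    r"(?P<mr>MR-\d+)(?:\.(?P<hotfix>HF\d+\.\d+))?(?:-Build(?P<build>\d+))?\s*$"
)


@dataclass
class SfosStatus:
    model: str
    version: str            # e.g. "17.5.12"
    hotfix: Optional[str]   # e.g. "HF062020.1", or None when absent
    state: str              # "not_affected" | "hotfixed" | "exposed" | "review" | "unknown"


def assess(displayversion: str) -> SfosStatus:
    """Classify one displayversion line against the advisory's remediation."""
    m = VERSION_RE.match(displayversion.strip())
    if not m:
        return SfosStatus("?", "?", None, "unknown")   # unparseable: inspect by hand
    major = int(m["major"])
    version = f"{m['major']}.{m['minor']}.{m['patch']}"
    if major >= 18:
        state = "not_affected"                           # advisory: v18 was not impacted
    elif major == 17:
        state = "hotfixed" if m["hotfix"] == HOTFIX else "exposed"
    else:
        state = "review"                                 # older than 17.x: not covered here
    return SfosStatus(m["model"], version, m["hotfix"], state)


def needs_action(inventory: dict) -> list:
    """Return hostnames whose units still need the hotfix or manual review."""
    return sorted(h for h, dv in inventory.items()
                  if assess(dv).state in ("exposed", "review", "unknown"))


if __name__ == "__main__":
    for host, dv in SAMPLES.items():
        s = assess(dv)
        print(f"{host:12} {s.version:8} {s.hotfix or '-':11} {s.state}")
```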

  • Link CVE-2020-15069 reports CVE ID not found. Please check that

  • CVE link still uncorrected two days later.

  • So far 2 of our 3 Firewalls running 17.5.11 MR-11 have had the hotfix applied and we're now seeing major issues.

    * Unable to access the User Portal on one, port 443 is not even connecting anymore

    * User Portal certificate is returning a completely and utterly other certificate (one of our vSphere certs), and not the one installed and configured at Administration > Admin Settings > Certificate

    Both firewalls with the issues have the hotfix applied, our 3rd one is still operating normally. WTH Sophos?

  • They disabled the User Portal, you would have to re-enable it...

  • Sophos' communication on this has been very poor...

    This article:

    community.sophos.com/.../advisory-buffer-overflow-vulnerability-in-user-portal

    Advises:

    Applies to the following Sophos product(s) and version(s): Sophos XG Firewall v17.5 MR12 and earlier

    You will receive an email from Sophos if any action is required

    Which implies, for instance, that MR-10.HF062020.1 (i.e. MR-10 with the HF062020.1 hotfix applied) is not sufficient to mitigate the vulnerability and that a firmware version >17.5 MR12 is required.

    In direct contrast, this article:

    community.sophos.com/.../sophos-xg-firewall-http-s-bookmarks-feature-retirement

    Advises that the HTTP/S bookmarks feature has been retired in Sophos XG v17.x, via hotfix HF062020.1.

    Furthermore, the CVE (nvd.nist.gov/.../CVE-2020-15069) states:

    "allows a Buffer Overflow and remote code execution via the HTTP/S Bookmarks feature for clientless access. Hotfix HF062020.1 was published for all firewalls running v17.x"

    So, those two references imply that only the hotfix HF062020.1 needs to be installed for any 17.x firmware version, in order to mitigate the vulnerability.

    So which is accurate? If the former, then there doesn't appear to be a firmware version for 17.x that's newer than 17.5 MR12, so everyone has to upgrade to v18?

  • Even after re-enabling it, which we've done on 2 XGs, it's automatically disabling itself sometime later. We're constantly having to re-enable it.

  • @Michael Pasqualone what if you create it as a local ACL? I'm pretty sure it would stay active.

  • Can this issue affect SSL VPN remote connections?