Advisory: Buffer overflow in XG Firewall v17.x User Portal

25 Jun 2020

Overview

Sophos discovered an XG Firewall v17.x vulnerability regarding access to physical and virtual units configured with the user portal exposed on the WAN. This was a previously unknown buffer overflow vulnerability in the user portal HTTP/S bookmark feature.

Sophos quickly responded and remediated with a hotfix that removes the HTTP/S bookmark functionality for all XG Firewalls running SFOS v17.x. XG Firewall v18 was not impacted.

Applies to the following Sophos product(s) and version(s)

Sophos XG Firewall v17.5 MR12 and earlier
You will receive an email from Sophos if any action is required

Remediation

Ensure you are running a supported version of XG Firewall
Hotfix HF062020.1 was published for all firewalls running v17.x
Additionally, Sophos recommends that XG Firewall customers upgrade to SFOS v18

Sophos strongly recommends following industry best practices and the additional steps below to fully remediate the issue:

Reset device administrator accounts
- See: https://community.sophos.com/kb/en-us/123732
Reset passwords for all local user accounts
- How to identify Local, AD, and Guest users: https://community.sophos.com/kb/en-us/135419
- Local user password reset: https://community.sophos.com/kb/en-us/135493
- How to change the password for local users from the User Portal: https://community.sophos.com/kb/en-us/135495
Disable User Portal access on the WAN unless necessary
- How to disable User Portal access on WAN: https://community.sophos.com/kb/en-us/135414

Related information

CVE-2020-15069: https://nvd.nist.gov/vuln/detail/CVE-2020-15069
Ensure that you have enabled the automatic installation of hotfixes: https://community.sophos.com/kb/en-us/135415
Related Community post: https://community.sophos.com/products/xg-firewall/f/network-and-routing/121486/user-portal-disabled-across-multiple-xg-firewalls-by-cli-user/#pi2151filter=answers&pi2151scroll=false

Karim Amin 3 months ago

Is this issue can affect on SSL vpn remote connection ?
- Cancel
- Up 0 Down
- More
- Cancel
Jakob P 3 months ago

@Michael Pasqualone what if you create it as local ACL. Im pretty sure, it would stay active.
- Cancel
- Up 0 Down
- More
- Cancel
Michael Pasqualone 3 months ago

Jakob P Even after re-enabling it, which we've done on 2 XGs, it's automatically disabling itself sometime later. We're constantly having to re-enable it.
- Cancel
- Up 0 Down
- More
- Cancel
alozzy 3 months ago

Sophos' communication on this has been very poor...

This article:

community.sophos.com/.../advisory-buffer-overflow-vulnerability-in-user-portal

Advises:

Applies to the following Sophos product(s) and version(s): Sophos XG Firewall v17.5 MR12 and earlier

You will receive an email from Sophos if any action is required

Which implies, for instance, that MR-10.HF062020.1 (ie MR-10 with the HF602020.1 hotfix applied) is not sufficient to mitigate the vulnerability and that a firmware version >17.5 MR12 is required.

In direct contrast, this article:

community.sophos.com/.../sophos-xg-firewall-http-s-bookmarks-feature-retirement

Advises that the HTTP/S bookmarks feature has been retired in Sophos XG v17.x, via hotfix HF062020.1.

Furthermore, the CVE (nvd.nist.gov/.../CVE-2020-15069) states:

"allows a Buffer Overflow and remote code execution via the HTTP/S Bookmarks feature for clientless access. Hotfix HF062020.1 was published for all firewalls running v17.x"

So, those two references imply that only the hotfix HF062020.1 needs to be installed for any 17.x firmware version, in order to mitigate the vulnerability.

So which is accurate? If the former, then there doesn't appear to be a firmware version for 17.x that's newer than 17.5 MR12, so everyone has to upgrade to v18?
- Cancel
- Up 0 Down
- More
- Cancel
Jakob P 3 months ago

Michael Pasqualone

They disabled the UserPortal, you would have to reenable it...
- Cancel
- Up 0 Down
- More
- Cancel