Advisory: Buffer overflow in XG Firewall v17.x User Portal

Overview

Sophos discovered an XG Firewall v17.x vulnerability regarding access to physical and virtual units configured with the user portal exposed on the WAN. This was a previously unknown buffer overflow vulnerability in the user portal HTTP/S bookmark feature.

Sophos quickly responded and remediated with a hotfix that removes the HTTP/S bookmark functionality for all XG Firewalls running SFOS v17.x. XG Firewall v18 was not impacted.

Applies to the following Sophos product(s) and version(s)

• Sophos XG Firewall v17.5 MR12 and earlier

• You will receive an email from Sophos if any action is required

Remediation

• Ensure you are running a supported version of XG Firewall
• Hotfix HF062020.1 was published for all firewalls running v17.x
• Additionally, Sophos recommends that XG Firewall customers upgrade to SFOS v18

Sophos strongly recommends following industry best practices and the additional steps below to fully remediate the issue:

1. Reset device administrator accounts
   • See: https://community.sophos.com/kb/en-us/123732
2. Reset passwords for all local user accounts
   • How to identify Local, AD, and Guest users: https://community.sophos.com/kb/en-us/135419
   • Local user password reset: https://community.sophos.com/kb/en-us/135493
   • How to change the password for local users from the User Portal: https://community.sophos.com/kb/en-us/135495
3. Disable User Portal access on the WAN unless necessary
   • How to disable User Portal access on WAN: https://community.sophos.com/kb/en-us/135414

Related information

• CVE-2020-15069: https://nvd.nist.gov/vuln/detail/CVE-2020-15069
• Ensure that you have enabled the automatic installation of hotfixes: https://community.sophos.com/kb/en-us/135415
• Related Community post: https://community.sophos.com/products/xg-firewall/f/network-and-routing/121486/user-portal-disabled-across-multiple-xg-firewalls-by-cli-user/#pi2151filter=answers&pi2151scroll=false