Overview

Sophos discovered a vulnerability in XG Firewall v17.x affecting physical and virtual units configured with the user portal exposed on the WAN. This was a previously unknown buffer overflow vulnerability in the user portal HTTP/S bookmark feature.

Sophos quickly responded and remediated with a hotfix that removes the HTTP/S bookmark functionality for all XG Firewalls running SFOS v17.x. XG Firewall v18 was not impacted.


Applies to the following Sophos product(s) and version(s)

  • Sophos XG Firewall v17.5 MR12 and earlier

  • You will receive an email from Sophos if any action is required


Remediation

  • Ensure you are running a supported version of XG Firewall
  • Hotfix HF062020.1 was published for all firewalls running v17.x
  • Additionally, Sophos recommends that XG Firewall customers upgrade to SFOS v18


Sophos strongly recommends following industry best practices and the additional steps below to fully remediate the issue:

  1. Reset device administrator accounts
  2. Reset passwords for all local user accounts
  3. Disable User Portal access on the WAN unless necessary
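A small triage helper, added here as an example and not Sophos code, that applies the advisory's version and hotfix rules above to a reported firmware string and lists the remediation steps that apply. The version-string format (e.g. "17.5 MR-10.HF062020.1") and the hotfix naming are assumed from the text on this page, not taken from Sophos documentation.

```python
import re
from dataclasses import dataclass, field

# Hotfix named in the advisory for all firewalls running v17.x
HOTFIX = "HF062020.1"

# Assumed firmware string layout: optional "SFOS", major.minor[.patch],
# optional "MR-n", then zero or more ".HFxxxxxx.y" hotfix suffixes.
VERSION_RE = re.compile(
    r"(?:SFOS\s+)?(\d+)\.(\d+)(?:\.(\d+))?\s*(?:MR-?(\d+))?((?:\.HF\d{6}\.\d+)*)",
    re.IGNORECASE,
)


@dataclass
class Triage:
    status: str                      # not_affected | mitigated | vulnerable | unknown
    actions: list = field(default_factory=list)


def triage(version: str, portal_on_wan: bool) -> Triage:
    """Classify a unit per the advisory and collect the recommended actions."""
    m = VERSION_RE.search(version)
    if not m:
        return Triage("unknown", ["could not parse firmware string; verify manually"])
    major = int(m.group(1))
    hotfixes = [h.upper() for h in re.findall(r"HF\d{6}\.\d+", m.group(5), re.IGNORECASE)]
    actions = []
    if major >= 18:
        status = "not_affected"           # advisory: v18 was not impacted
    elif major == 17:
        if HOTFIX in hotfixes:
            status = "mitigated"          # bookmark feature removed by the hotfix
        else:
            status = "vulnerable"
            actions.append(f"apply hotfix {HOTFIX}")
        actions.append("upgrade to SFOS v18 (recommended)")
        # "additional steps" the advisory asks every v17.x customer to take
        actions.append("reset device administrator accounts")
        actions.append("reset passwords for all local user accounts")
    else:
        status = "unknown"                # outside the advisory's scope; review manually
        actions.append("unsupported release; upgrade to a supported version")
    if portal_on_wan:
        actions.append("disable User Portal access on the WAN unless necessary")
    return Triage(status, actions)


if __name__ == "__main__":
    for v in ("17.5 MR-10.HF062020.1", "SFOS 17.5 MR-12", "SFOS 18.0 MR-1"):
        print(v, "->", triage(v, portal_on_wan=True))
```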


Related information

  • Sophos' communication on this has been very poor...

    This article:

    community.sophos.com/.../advisory-buffer-overflow-vulnerability-in-user-portal

    Advises:

    Applies to the following Sophos product(s) and version(s): Sophos XG Firewall v17.5 MR12 and earlier

    You will receive an email from Sophos if any action is required

    Which implies, for instance, that MR-10.HF062020.1 (i.e. MR-10 with the HF062020.1 hotfix applied) is not sufficient to mitigate the vulnerability and that a firmware version >17.5 MR12 is required.

    In direct contrast, this article:

    community.sophos.com/.../sophos-xg-firewall-http-s-bookmarks-feature-retirement

    Advises that the HTTP/S bookmarks feature has been retired in Sophos XG v17.x, via hotfix HF062020.1.

    Furthermore, the CVE (nvd.nist.gov/.../CVE-2020-15069) states:

    "allows a Buffer Overflow and remote code execution via the HTTP/S Bookmarks feature for clientless access. Hotfix HF062020.1 was published for all firewalls running v17.x"

    So, those two references imply that only the hotfix HF062020.1 needs to be installed for any 17.x firmware version, in order to mitigate the vulnerability.

    So which is accurate? If the former, then there doesn't appear to be a firmware version for 17.x that's newer than 17.5 MR12, so everyone has to upgrade to v18?
