Overview
Sophos discovered a vulnerability in XG Firewall v17.x that affects physical and virtual units configured with the user portal exposed on the WAN. This was a previously unknown buffer overflow vulnerability in the user portal HTTP/S bookmark feature.
Sophos quickly responded and remediated the issue with a hotfix that removes the HTTP/S bookmark functionality for all XG Firewalls running SFOS v17.x. XG Firewall v18 was not impacted.
Applies to the following Sophos product(s) and version(s)
- Sophos XG Firewall v17.5 MR12 and earlier
- You will receive an email from Sophos if any action is required
Remediation
- Ensure you are running a supported version of XG Firewall
- Hotfix HF062020.1 was published for all firewalls running v17.x
- Additionally, Sophos recommends that XG Firewall customers upgrade to SFOS v18
Sophos strongly recommends following industry best practices and the additional steps below to fully remediate the issue:
- Reset device administrator accounts
- Reset passwords for all local user accounts
  - How to identify Local, AD, and Guest users: https://community.sophos.com/kb/en-us/135419
  - Local user password reset: https://community.sophos.com/kb/en-us/135493
  - How to change the password for local users from the User Portal: https://community.sophos.com/kb/en-us/135495
- Disable User Portal access on the WAN unless necessary
  - How to disable User Portal access on WAN: https://community.sophos.com/kb/en-us/135414
Related information
- CVE-2020-15069: https://nvd.nist.gov/vuln/detail/CVE-2020-15069
- Ensure that you have enabled the automatic installation of hotfixes: https://community.sophos.com/kb/en-us/135415
- Related Community post: https://community.sophos.com/products/xg-firewall/f/network-and-routing/121486/user-portal-disabled-across-multiple-xg-firewalls-by-cli-user/#pi2151filter=answers&pi2151scroll=false