On May 4, 2021, Qualys released a security advisory disclosing multiple CVEs for the Exim mailer software, a widely used open-source message transfer agent (MTA). These vulnerabilities can be triggered by local and remote attackers, and have been fixed in Exim version 4.94.2. If exploited, these vulnerabilities may lead to remote code execution (RCE).
Sophos Firewall customers not licensed for email protection, and those using legacy mode (transparent email proxy) for email, are not vulnerable.
SG UTM customers not using email protection are not vulnerable.
Sophos Firewall customers can switch to legacy mode under Email → General settings → SMTP deployment mode → Switch to legacy mode. Be aware that certain deployment scenarios are not compatible with legacy mode.
The network security team at SophosLabs has released the following IPS signatures to Sophos Firewall devices in response to the Exim disclosures:
TYPE                    NAME          CVE
XG SFOS IPS Signature   SID:2305451   CVE-2020-28021
                        SID:2305452   CVE-2020-28026
                        SID:2305453
                        SID:2305454   CVE-2020-28025
                        SID:2305459   CVE-2020-28019
                        SID:2305460
Note that IPS does not filter traffic destined for the firewall itself.
When the hotfix has been applied to Sophos Firewall, customers will see an alert in their dashboard with the text "Exim version upgraded to v4.94.2."