Advisory: Potential RCE through heap overflow in awarrensmtp (CVE-2020-11503)

Overview

A heap overflow vulnerability in awarrensmtp, a component of XG Firewall firmware, was recently discovered and responsibly disclosed to Sophos by an external security researcher. The vulnerability can potentially allow a remote attacker to execute arbitrary code.

Sophos would like to thank Arseniy Sharoglazov from Positive Technologies for responsibly disclosing this issue to Sophos.

There is no action required for XG Firewall customers with the "Allow automatic installation of hotfixes" feature enabled. Enabled is the default setting. 

Applies to the following Sophos product(s) and version(s)

Sophos XG Firewall v17.5 MR11 and older

Remediation

  • Hotfix for v17.5 and v18.0 published on April 27, 2020
  • Hotfix for v17.0 and v17.1 published on May 13, 2020
  • Fix included in v17.5 MR12 and v18.0 GA-Build379
  • Users of older versions of XG Firewall are required to upgrade to receive this fix

Related information