Overview

Two vulnerabilities in the User Portal of XG Firewall were recently discovered and responsibly disclosed to Sophos. They were reported via the Sophos bug bounty program by an external security researcher. Both vulnerabilities were post-authentication command injection vulnerabilities and have been fixed.

The remediation prevented authenticated users from remotely executing arbitrary code. There was no evidence that the vulnerabilities were exploited and to our knowledge no customers are impacted.

There is no action required for XG Firewall customers with the "Allow automatic installation of hotfixes" feature enabled. Enabled is the default setting.

Applies to the following Sophos product(s) and version(s)

Sophos XG Firewall v18.0 MR1-Build396 and older
Sophos XG Firewall v17.5 MR12 and older

Remediation

Hotfix for v17.5 MR3, v17.5 MR8 through MR12, and v18.0 GA through MR2 published on August 7, 2020
Fix included in v17.5 MR13 and v18.0 MR3
Users of older versions of XG Firewall are required to upgrade to receive this fix
Additionally, Sophos recommends that XG Firewall customers upgrade to SFOS v18

Related information

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17352

Errata

A previous version of this article incorrectly stated that hotfixes were only released for v18.0 GA through MR1-Build396. It has been corrected to indicate that v18.0 MR2 received a hotfix as well.

mgrimm over 1 year ago in reply to Carter Janet

Carter Janet: Yes.
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel
Carter Janet over 1 year ago

Is this HOTFIX available v18!!? omegle
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel
mgrimm over 2 years ago

Prism, thank you for your question. This was an error in the advisory. MR2 has received the hotfix as well, and I have updated the article accordingly.
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel
Prism over 2 years ago

Will this hotfix also be available on v18 MR-2?
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel