Advisory: Resolved RCE via SQLi (CVE-2020-15504)

Overview

An SQL injection vulnerability in the email quarantine release feature of XG Firewall was recently discovered and responsibly disclosed to Sophos by external security researchers. The vulnerability has been fixed. The remediation prevented remote execution of arbitrary code. There was no evidence that the vulnerability was exploited and to our knowledge no customers are impacted.

Sophos would like to thank Jakob Heusinger and Matteo Tomaselli from Code White GmbH for responsibly disclosing this issue to Sophos.

There is no action required for XG Firewall customers with the "Allow automatic installation of hotfixes" feature enabled. Enabled is the default setting.

Applies to the following Sophos product(s) and version(s)

Sophos XG Firewall v18.0 MR1 and older

Remediation

  • Hotfix (PoC mitigation) for v17.0 through v18.0 MR1 published on May 5, 2020
  • Hotfix (disable pre-auth email quarantine release feature) for v17.0 through v18.0 MR1 published on May 21, 2020
  • Fix included in v17.5 MR13 and v18 MR-1-Build396
  • Users of older versions of XG Firewall are required to upgrade to receive this fix
  • Additionally, Sophos recommends that XG Firewall customers upgrade to SFOS v18

Related information