Two vulnerabilities in the Webadmin component and one vulnerability in the API configuration component of the Sophos XG Firewall operating system (SFOS) have been discovered by the security researchers Arseniy Sharoglazov and Artem Kondratenko from Kaspersky Lab, who responsibly disclosed them to us.
While typical configurations of SFOS are not exposed to these vulnerabilities, specific configurations exist where unauthenticated, remote users can reach the affected code paths, potentially allowing them to execute arbitrary code in super-administrator context. We rate two of these issues as critical severity. The third issue, rated as high severity, is a post-authentication remote code execution vulnerability that allows low-privilege administrators to escalate their privilege to super-administrator.
Our investigations have found no evidence of the vulnerabilities being actively exploited.
Applies to the following Sophos product(s) and version(s): Sophos Firewall
Security update distributed
July 17th, 2018, and SFOS v17.1 GA
Version 16.5 OEM
July 19th, 2018
Version 16 and older
Upgrade to current SFOS version
July 17th, 2018, and SFOS v17.1 MR2
July 16th, 2018, and SFOS v17.1 MR2
SFOS v17.1 MR2
Version 17.0 and older
This article will be updated when information becomes available.