Note: Patched in 17.5 MR5 HotFix7. All subsequent SFOS releases include the patch.
Sophos is aware of a vulnerability in the 3rd party component Exim that is used in Sophos XG Firewall. This vulnerability only applies if a customer has enabled email protection and recipient verification is disabled. This article describes the recommended steps to secure the XG Firewall if customers are using the email protection functionality. The following sections are covered:
Applies to the following Sophos products and versions Sophos XG Firewall version 22.214.171.1243, 126.96.36.1992, 188.8.131.529, 184.108.40.2061 and 220.127.116.117.
CVE-2019-10149: Exim RCE described here.
The following XG Firewall versions are impacted if email protection is used and Recipient verification is not turned on.
To verify your Firewall firmware and build versions, use the following console command:
system diagnostics show version-info
To prevent the Exim Remote Code Execution (RCE), XG admin could configure XG Firewall more securely. Log in to XG webadmin console and do the following for each active SMTP policy:
A hotfix has been released and pushed to all affected XG Firewalls.
To validate that your XG Firewall has received the hotfix, run the following console command:
The Hot Fix version should be 7.
Note: Other Sophos email protection products such as Sophos Email Appliance and Sophos UTM were both not affected by this vulnerability. Sophos Email Appliance uses Postfix. Sophos UTM also uses Exim but the version is different and it is not affected by CVE-2019-10149.
Sign up to the Sophos Support SMS Notification Service to get the latest product release information and critical issues.
Every comment submitted here is read (by a human) but we do not reply to specific technical questions. For technical support post a question to the community. Or click here for new feature/product improvements. Alternatively for paid/licensed products open a support ticket.