Sophos is aware of a vulnerability in the third-party component Exim, which is used in Sophos XG Firewall. The vulnerability applies only if a customer has enabled email protection and recipient verification is disabled. This article describes the recommended steps to secure the XG Firewall for customers who use the email protection functionality.
Applies to the following Sophos products and versions: Sophos XG Firewall version 188.8.131.523, 184.108.40.2062, 220.127.116.119, 18.104.22.1681 and 22.214.171.1247.
CVE-2019-10149: Exim RCE described here.
The following XG Firewall versions are impacted if email protection is used and Recipient verification is not turned on.
To verify your Firewall firmware and build versions, use the following console command:
system diagnostics show version-info
To prevent the Exim remote code execution (RCE), an XG administrator can configure the XG Firewall more securely. Log in to the XG webadmin console and do the following for each active SMTP policy:
A hotfix has been released and pushed to all affected XG Firewalls.
To validate that your XG Firewall has received the hotfix, run the following console command:
The Hot Fix version should be 7.