Resolved - Advisory: Sophos XG Firewall - Exim Remote Code Execution vulnerability

  • Article ID: 134199
  • Updated: 20 Jun 2019
  • 3 people found this helpful

Overview

Sophos is aware of a vulnerability in the 3rd party component Exim that is used in Sophos XG Firewall. This vulnerability only applies if a customer has enabled email protection and recipient verification is disabled. This article describes the recommended steps to secure the XG Firewall if customers are using the email protection functionality.

The following sections are covered:

Applies to the following Sophos products and versions
Sophos XG Firewall version 17.5.5.433, 17.5.3.372, 17.5.4.429, 17.5.0.321 and 17.5.3.347.

What are the technical specifics of the issue/event?

CVE-2019-10149: Exim RCE described here.  

How does this impact Sophos?

The following XG Firewall versions are impacted if email protection is used and Recipient verification is not turned on.

  • SF 17.5.5.433
  • SF 17.5.3.372
  • SF 17.5.4.429
  • SF 17.5.0.321
  • SF 17.5.3.347

To verify your Firewall firmware and build versions, use the following console command:

system diagnostics show version-info

Is there any action our consumers should do?

To prevent the Exim Remote Code Execution (RCE),  XG admin could configure XG Firewall more securely. Log in to XG webadmin console and do the following  for each active SMTP policy: 

  • Enable Recipient verification – via call out method or via Active directory lookup whichever is applicable to your internal domain.  

Next update

A hotfix has been released and pushed to all affected XG Firewalls. 

To validate that your XG Firewall has received the hotfix, run the following console command:

system diagnostics show version-info

The Hot Fix version should be 7.

 

Note: Other Sophos email protection products such as Sophos Email Appliance and Sophos UTM were both not affected by this vulnerability. Sophos Email Appliance uses Postfix. Sophos UTM also uses Exim but the version is different and it is not affected by CVE-2019-10149.

 

Related information

Sign up to the Sophos Support SMS Notification Service to get the latest product release information and critical issues.

Feedback and contact

If you've spotted an error or would like to provide feedback on this article, please use the section below to rate and comment on the article.
This is invaluable to us to ensure that we continually strive to give our customers the best information possible.

Article appears in the following topics

Did this article provide the information you were looking for?

Every comment submitted here is read (by a human) but we do not reply to specific technical questions. For technical support post a question to the community. Or click here for new feature/product improvements. Alternatively for paid/licensed products open a support ticket.

Sophos Footer