Informational

High

Resolved authenticated RCE issues in User Portal (CVE-2020-17352)

CVE(s)

CVE-2020-17352

Product(s)

Sophos Firewall

Updated

2020 Aug 7

Article version

1

Published

2020 Aug 7

Publication ID

sophos-sa-20200807-xg-user-portal-post-auth-rce

Workaround

No

Overview

Two vulnerabilities in the User Portal of XG Firewall were recently discovered and responsibly disclosed to Sophos. They were reported via the Sophos bug bounty program by an external security researcher. Both vulnerabilities were post-authentication command injection vulnerabilities and have been fixed.

The remediation prevented authenticated users from remotely executing arbitrary code. There was no evidence that the vulnerabilities were exploited and to our knowledge no customers are impacted.

No action is required for XG Firewall customers with the "Allow automatic installation of hotfixes" feature enabled; this feature is enabled by default.

Applies to the following Sophos product(s) and version(s)

  • Sophos XG Firewall v18.0 MR1-Build396 and older
  • Sophos XG Firewall v17.5 MR12 and older

Remediation

  • Hotfix for v17.5 MR3, v17.5 MR8 through MR12, and v18.0 GA through MR2 published on August 7, 2020
  • Fix included in v17.5 MR13 and v18.0 MR3
  • Users of older versions of XG Firewall are required to upgrade to receive this fix
  • Additionally, Sophos recommends that XG Firewall customers upgrade to SFOS v18

Related information

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17352

Errata

A previous version of this article incorrectly stated that hotfixes were only released for v18.0 GA through MR1-Build396. It has been corrected to indicate that v18.0 MR2 received a hotfix as well.


Sophos Responsible Disclosure Policy

To learn about Sophos security vulnerability disclosure policies and publications, see the Responsible Disclosure Policy.