Resolved buffer overflow in XG Firewall v17.x User Portal (CVE-2020-15069)

Severity: Critical
CVE: CVE-2020-15069
Updated:
Product(s): Sophos Firewall
Publication ID: sophos-sa-20200625-xg-user-portal-rce
Article version: 1
First published:
Workaround: No

Overview

Sophos discovered a vulnerability in XG Firewall v17.x affecting physical and virtual appliances configured with the user portal exposed on the WAN. This was a previously unknown buffer overflow in the user portal's HTTP/S bookmark feature.

Sophos quickly responded and remediated with a hotfix that removes the HTTP/S bookmark functionality for all XG Firewalls running SFOS v17.x. XG Firewall v18 was not impacted.

Applies to the following Sophos product(s) and version(s)

  • Sophos XG Firewall v17.5 MR12 and earlier
  • You will receive an email from Sophos if any action is required

Remediation

  • Ensure you are running a supported version of XG Firewall
  • Hotfix HF062020.1 was published for all firewalls running v17.x
  • Additionally, Sophos recommends that XG Firewall customers upgrade to SFOS v18

Sophos strongly recommends following industry best practices and the additional steps below to fully remediate the issue:

  1. Reset device administrator accounts
  2. Reset passwords for all local user accounts
  3. Disable User Portal access on the WAN unless necessary
