Advisory: Sophos XG Firewall Vulnerabilities reported by Kaspersky Labs

Two vulnerabilities in the Webadmin component and one vulnerability in the API configuration component of the Sophos XG Firewall operating system (SFOS) have been discovered by the security researchers Arseniy Sharoglazov and Artem Kondratenko from Kaspersky Lab, who responsibly disclosed them to us.

While typical configurations of SFOS are not exposed to these vulnerabilities, specific configurations exist where unauthenticated, remote users can reach the affected code paths, potentially allowing them to execute arbitrary code in super-administrator context. We rate two of these issues as critical severity. The third issue, rated as high severity, is a post-authentication remote code execution vulnerability that allows low-privilege administrators to escalate their privilege to super-administrator.

Our investigations have found no evidence of the vulnerabilities being actively exploited.

Applies to the following Sophos product(s) and version(s)

Sophos Firewall

  • Deployments of SFOS with API Configuration enabled can be attacked from white-listed IP addresses (authentication bypass)
  • Low-level administrators can elevate their privilege to super-admin
  • User portal users can elevate their privilege to super-admin

| Issue | SFOS version | Security update distributed |
| --- | --- | --- |
| NC-33639 (CVE-2018-16116) | Version 17.0 | July 17th, 2018, and SFOS v17.1 GA |
| NC-33639 (CVE-2018-16116) | Version 16.5 OEM | July 19th, 2018 |
| NC-33639 (CVE-2018-16116) | Version 16 and older | Upgrade to current SFOS version |
| NC-33640 (CVE-2018-16118) | Version 17.0 | July 17th, 2018, and SFOS v17.1 MR2 |
| NC-33640 (CVE-2018-16118) | Version 17.1 | July 16th, 2018, and SFOS v17.1 MR2 |
| NC-33640 (CVE-2018-16118) | Version 16.5 OEM | July 19th, 2018 |
| NC-33640 (CVE-2018-16118) | Version 16 and older | Upgrade to current SFOS version |
| NC-33638 (CVE-2018-16117) | Version 17.1 | SFOS v17.1 MR2 |
| NC-33638 (CVE-2018-16117) | Version 17.0 and older | Upgrade to current SFOS version |

  • For customers running SFOS version 17.0 and above that use the default setting of automatic updates, the security updates for the critical vulnerabilities will be automatically installed, and there is no action required.
  • The high severity vulnerability is resolved in SFOS v17.1 MR2.
  • We strongly recommend that our customers upgrade to SFOS v17.1 MR2 to be fully protected against all of these vulnerabilities.

This article will be updated when information becomes available.

  • Currently no links are available as the CVEs have not been published.
