CVE-2020-15069
📋 TL;DR
This is a critical buffer overflow vulnerability in Sophos XG Firewall's HTTP/S Bookmarks feature for clientless access. It allows remote attackers to execute arbitrary code on affected firewalls. All organizations running vulnerable versions of Sophos XG Firewall are affected.
💻 Affected Systems
- Sophos XG Firewall
📦 What is this software?
Sophos XG Firewall is Sophos's network firewall appliance. Its User Portal includes a clientless access feature whose HTTP/S Bookmarks let users reach internal web resources through the firewall without a VPN client; that feature contains the vulnerable code.
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to gain full control of the firewall, pivot to internal networks, intercept/modify traffic, and establish persistent access.
Likely Case
Remote code execution leading to firewall compromise, credential theft, network reconnaissance, and potential lateral movement to internal systems.
If Mitigated
No impact if the hotfix or upgrade has been applied, or if the vulnerable clientless access feature is disabled and the user portal is not reachable from the internet.
🎯 Exploit Status
CISA has added this to their Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Hotfix HF062020.1 for v17.x, or upgrade to v18+
Vendor Advisory: https://community.sophos.com/b/security-blog/posts/advisory-buffer-overflow-vulnerability-in-user-portal
Restart Required: Yes
Instructions:
1. Log into the Sophos XG Firewall admin interface.
2. Navigate to Backup & Firmware > Hotfix.
3. Download and apply Hotfix HF062020.1.
4. Alternatively, upgrade to v18 or later.
5. Reboot the firewall after applying the fix.
🔧 Temporary Workarounds
Disable Clientless Access User Portal
Temporarily disable the vulnerable HTTP/S Bookmarks feature until patching can be completed.
Navigate to: System > Administration > User Portal > Disable 'Enable clientless access'
🧯 If You Can't Patch
- Immediately disable the clientless access user portal feature
- Restrict access to the user portal interface using firewall rules or network segmentation
🔍 How to Verify
Check if Vulnerable:
Check the firewall version via the admin interface: System > Administration > Device Access > Firmware Version. If the version is between 17.0 and 17.5 MR12, the firewall is vulnerable.
Check Version:
ssh admin@firewall_ip 'show system firmware' or check via web admin interface
Verify Fix Applied:
After applying the hotfix, verify that the version shows HF062020.1 applied or that the version is 18+. If relying on the workaround, also verify that clientless access is disabled.
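The version check above is easy to get wrong by hand when a fleet of firewalls reports strings like "17.5 MR12" or "v18.0 MR1". The following is an added example (not part of the advisory and not Sophos code) that applies the advisory's rule programmatically: v17.0 through v17.5 MR12 is vulnerable unless hotfix HF062020.1 is present, v18 and later is patched, and anything else is reported as outside the range the advisory lists rather than silently treated as safe. The firmware string format and the idea of passing a list of applied hotfix IDs are assumptions about how you would collect the data from the admin interface.

```python
import re

# Hotfix identifier from the vendor advisory.
HOTFIX_ID = "HF062020.1"

# Accepts "17.5 MR12", "v18.0 MR1", "17.0" (assumed formats; a missing MR means GA).
_VERSION_RE = re.compile(
    r"^\s*v?(?P<major>\d+)\.(?P<minor>\d+)(?:\s*MR\s*(?P<mr>\d+))?", re.IGNORECASE
)


def parse_version(text):
    """Return (major, minor, mr) parsed from a firmware version string."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return int(m["major"]), int(m["minor"]), int(m["mr"] or 0)


def assess(firmware_string, hotfixes=()):
    """Classify a firewall as 'vulnerable', 'patched' or 'outside_listed_range'.

    hotfixes: iterable of hotfix IDs reported as applied (assumed input format).
    """
    major, minor, mr = parse_version(firmware_string)

    # v18 and later is fixed per the advisory.
    if major >= 18:
        return "patched"

    # Vulnerable range: 17.0 up to and including 17.5 MR12.
    in_range = major == 17 and (minor < 5 or (minor == 5 and mr <= 12))
    if not in_range:
        # Not named in the advisory; do not assume safe, check the vendor advisory.
        return "outside_listed_range"

    if HOTFIX_ID in set(hotfixes):
        return "patched"
    return "vulnerable"


def assess_fleet(inventory):
    """inventory: list of (hostname, firmware_string, hotfix_list) tuples.
    Returns a dict mapping hostname to status, for feeding a ticketing system."""
    return {host: assess(fw, hf) for host, fw, hf in inventory}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [
        ("fw-branch-1", "17.5 MR12", []),
        ("fw-branch-2", "v17.5 MR12", ["HF062020.1"]),
        ("fw-hq", "18.0 MR1", []),
        ("fw-lab", "17.5 MR13", []),
    ]
    for host, status in assess_fleet(sample).items():
        print(f"{host}: {status}")
```

Run it on an exported inventory; anything reported as vulnerable goes straight to the patch or workaround steps above, and anything outside the listed range deserves a manual check against the vendor advisory rather than being closed out.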
📡 Detection & Monitoring
Log Indicators:
- Unusual HTTP requests to /userportal/webpages/*
- Buffer overflow errors in system logs
- Unexpected process execution from web server
Network Indicators:
- Exploit traffic patterns to user portal endpoints
- Unusual outbound connections from firewall after exploitation
SIEM Query:
source="sophos_firewall" AND ((uri_path="/userportal/webpages/*" AND status=500) OR event_type="buffer_overflow")
(The inner parentheses matter: without them, AND binds tighter than OR and the query also returns buffer_overflow events from every other log source.)
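To show what the detection logic above actually selects, here is an added example (not part of the advisory, not Sophos code) that implements the same query in Python and runs it over a handful of constructed log lines. The key=value line layout, field names and the /userportal/webpages/... subpaths are constructed for the example and are not Sophos's real log format; the source/path/status fields mirror the SIEM query's fields. It also adds the aggregation a SIEM rule would typically carry: repeated HTTP 500s on the user portal from one client are escalated, and a buffer_overflow event is only counted when it comes from the firewall itself, which is exactly the precedence point the parenthesised query makes.

```python
from collections import Counter

# Constructed sample log lines (not real Sophos output). One client repeatedly
# triggers HTTP 500 on the user portal; another only browses; one overflow
# event comes from an unrelated host and one from the firewall.
SAMPLE_LOGS = """\
ts=2020-06-25T10:01:02Z source=sophos_firewall src_ip=203.0.113.7 method=GET uri_path=/userportal/webpages/page1.jsp status=200
ts=2020-06-25T10:01:09Z source=sophos_firewall src_ip=203.0.113.7 method=POST uri_path=/userportal/webpages/page1.jsp status=500
ts=2020-06-25T10:01:11Z source=sophos_firewall src_ip=203.0.113.7 method=POST uri_path=/userportal/webpages/page1.jsp status=500
ts=2020-06-25T10:01:14Z source=sophos_firewall src_ip=203.0.113.7 method=POST uri_path=/userportal/webpages/page2.jsp status=500
ts=2020-06-25T10:02:30Z source=sophos_firewall src_ip=198.51.100.20 method=GET uri_path=/userportal/webpages/page1.jsp status=200
ts=2020-06-25T10:02:45Z source=sophos_firewall src_ip=198.51.100.20 method=GET uri_path=/other/path.jsp status=500
ts=2020-06-25T10:03:00Z source=other_host src_ip=192.0.2.9 event_type=buffer_overflow proc=httpd
ts=2020-06-25T10:03:05Z source=sophos_firewall event_type=buffer_overflow proc=httpd
"""

PORTAL_PREFIX = "/userportal/webpages/"   # the uri_path="/userportal/webpages/*" term
THRESHOLD = 3                             # repeated 500s from one client; tune per environment


def parse_line(line):
    """Split a constructed key=value log line into a dict (empty dict for blank lines)."""
    return dict(field.split("=", 1) for field in line.split() if "=" in field)


def matches_siem_query(ev):
    """Python equivalent of:
    source="sophos_firewall" AND ((uri_path="/userportal/webpages/*" AND status=500)
                                  OR event_type="buffer_overflow")
    """
    if ev.get("source") != "sophos_firewall":
        return False
    portal_500 = ev.get("uri_path", "").startswith(PORTAL_PREFIX) and ev.get("status") == "500"
    return portal_500 or ev.get("event_type") == "buffer_overflow"


def analyse(log_text):
    """Apply the query, then aggregate: which clients repeatedly hit 500 on the
    portal, and how many overflow events the firewall itself reported."""
    events = [ev for ev in map(parse_line, log_text.splitlines()) if ev]
    hits = [ev for ev in events if matches_siem_query(ev)]

    per_ip = Counter(ev["src_ip"] for ev in hits
                     if "src_ip" in ev and ev.get("status") == "500")
    suspicious_ips = sorted(ip for ip, n in per_ip.items() if n >= THRESHOLD)
    overflow_events = sum(1 for ev in hits if ev.get("event_type") == "buffer_overflow")

    return {
        "hits": len(hits),
        "suspicious_ips": suspicious_ips,
        "overflow_events": overflow_events,
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_LOGS)
    print(f"query hits: {result['hits']}")
    print(f"clients with >= {THRESHOLD} portal 500s: {result['suspicious_ips']}")
    print(f"overflow events from the firewall: {result['overflow_events']}")
```

On the constructed sample this yields four query hits, one suspicious client (203.0.113.7) and one overflow event; the 500 on a non-portal path and the overflow from the unrelated host are correctly ignored. In a real deployment the 500-count threshold should be set from a baseline of normal portal errors, and a suspicious client should be cross-checked against the network indicators above (unexpected outbound connections from the firewall after the requests).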