CVE-2020-15504 – This SQL injection vulnerability in Sophos XG F... (How to Fix)

Q: What is the severity of CVE-2020-15504?

CVE-2020-15504 has a CVSS score of 9.8 (CRITICAL). This SQL injection vulnerability in Sophos XG Firewall allows attackers to execute arbitrary SQL commands through the user and admin web interfaces. Successful exploitation can lead to remote code execution, potentially compromising the entire firewall system. Organizations running Sophos XG Firewall v18.0 MR1 or older versions are affected.

📋 TL;DR

This SQL injection vulnerability in Sophos XG Firewall allows attackers to execute arbitrary SQL commands through the user and admin web interfaces. Successful exploitation can lead to remote code execution, potentially compromising the entire firewall system. Organizations running Sophos XG Firewall v18.0 MR1 or older versions are affected.

💻 Affected Systems

Products:

Sophos XG Firewall

Versions: v18.0 MR1 and older versions

Operating Systems: Sophos XG Firewall OS

Default Config Vulnerable: ⚠️ Yes

Notes: All versions >= 17.0 are affected unless patched. The vulnerability exists in both user and admin web interfaces.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete firewall compromise leading to network infiltration, data exfiltration, and use as pivot point for internal attacks

🟠

Likely Case

Firewall configuration manipulation, credential theft, and installation of persistent backdoors

🟢

If Mitigated

Limited to SQL injection attempts that are blocked by input validation and WAF rules

🌐 Internet-Facing: HIGH - Web interfaces are typically exposed to the internet for remote administration

🏢 Internal Only: HIGH - Internal attackers can exploit this to gain elevated privileges

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: CONFIRMED

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires authentication to either user or admin interface. SQL injection leads to RCE through firewall's underlying components.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v18 MR-1-Build396 or v17.5 MR13

Vendor Advisory: https://community.sophos.com/b/security-blog/posts/advisory-resolved-rce-via-sqli-cve-2020-15504

Restart Required: Yes

Instructions:

1. Log into Sophos Central or local management console. 2. Check current firmware version. 3. Download and apply v18 MR-1-Build396 or v17.5 MR13. 4. Reboot firewall after update completes. 5. Verify update in System > Administration > Firmware.

🔧 Temporary Workarounds

Restrict Web Interface Access

all

Limit access to firewall web interfaces to trusted IP addresses only

Configure firewall rules to restrict access to TCP ports 4444 (admin) and 443 (user) to specific management IPs

Enable WAF/IPS Protection

all

Activate SQL injection detection rules in firewall's web application protection

Navigate to Protect > Web > Web Server Protection and enable SQL injection rules

🧯 If You Can't Patch

Implement strict network segmentation to isolate firewall management interfaces
Enable multi-factor authentication for all admin and user accounts

🔍 How to Verify

Check if Vulnerable:

Check firmware version in System > Administration > Firmware. If version is v18.0 MR1 or older and not patched, system is vulnerable.

Check Version:

ssh admin@firewall_ip 'show system version' or check via web interface

Verify Fix Applied:

Verify firmware version shows v18 MR-1-Build396 or v17.5 MR13 or later in System > Administration > Firmware

📡 Detection & Monitoring

Log Indicators:

Unusual SQL queries in web interface logs
Multiple failed login attempts followed by successful login
Unexpected configuration changes

Network Indicators:

SQL injection patterns in HTTP requests to firewall web interfaces
Unusual outbound connections from firewall

SIEM Query:

source="sophos_firewall" AND (http_uri="*SELECT*" OR http_uri="*UNION*" OR http_uri="*INSERT*" OR http_uri="*DELETE*")

📊 Metadata

CVE ID: CVE-2020-15504

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-89

Published: July 10, 2020

Last Updated: November 21, 2024

🔗 References

https://community.sophos.com/b/security-blog/posts/advisory-resolved-rce-via-sqli-cve-2020-15504 Vendor Advisory
https://community.sophos.com/b/security-blog/posts/advisory-resolved-rce-via-sqli-cve-2020-15504 Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2020-15504, you might also want to check these:

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Xg Firewall Firmware by Sophos

Xg Firewall Firmware by Sophos

Xg Firewall Firmware by Sophos

Xg Firewall Firmware by Sophos

Xg Firewall Firmware by Sophos

Xg Firewall Firmware by Sophos

Xg Firewall Firmware by Sophos

Xg Firewall Firmware by Sophos

Xg Firewall Firmware by Sophos

Xg Firewall Firmware by Sophos

Xg Firewall Firmware by Sophos

Xg Firewall Firmware by Sophos

Xg Firewall Firmware by Sophos

Xg Firewall Firmware by Sophos

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Restrict Web Interface Access

Enable WAF/IPS Protection

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities