CVE-2020-17352

8.8 HIGH

📋 TL;DR

Two OS command injection vulnerabilities in the Sophos XG Firewall User Portal allow authenticated attackers to execute arbitrary commands on the firewall system. Any account with User Portal access, whether an administrator or an ordinary user, can reach the vulnerable code; affected are Sophos XG Firewall versions through August 5, 2020.

💻 Affected Systems

Products:
  • Sophos XG Firewall
Versions: All versions through 2020-08-05
Operating Systems: Sophos XG Firewall OS
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authentication to the User Portal. Both vulnerabilities are in the User Portal component.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise allowing the attacker to pivot to internal networks, steal credentials, deploy ransomware, or establish persistent backdoor access.

🟠 Likely Case

Unauthorized access to firewall configuration, network traffic interception, credential harvesting, and lateral movement within the network.

🟢 If Mitigated

Limited impact if proper network segmentation, least privilege access, and monitoring are in place, though firewall integrity would still be compromised.

🌐 Internet-Facing: HIGH if User Portal is exposed to internet, as authenticated attackers could gain remote code execution.
🏢 Internal Only: HIGH as authenticated internal users could exploit this to gain elevated privileges and compromise the firewall.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access to the User Portal. OS command injection (CWE-78) typically has low exploitation complexity once authentication is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 2020-08-05, specifically SFOS v18.0 MR1 and later

Vendor Advisory: https://community.sophos.com/b/security-blog/posts/advisory-resolved-authenticated-rce-issues-in-user-portal-cve-2020-17352

Restart Required: Yes

Instructions:

1. Log into the Sophos XG Firewall admin interface.
2. Navigate to System > Backup & Firmware.
3. Check for available updates.
4. Download and install the latest firmware.
5. Reboot the firewall after installation completes.

🔧 Temporary Workarounds

Restrict User Portal Access (applies to: all)

Limit User Portal access to trusted IP addresses only and disable it if not required.

Implement Network Segmentation (applies to: all)

Isolate the firewall management interface from general user networks.

🧯 If You Can't Patch

  • Disable User Portal if not required for operations
  • Implement strict access controls and monitor all User Portal authentication attempts

🔍 How to Verify

Check if Vulnerable:

Check the firewall version via the admin interface: System > Backup & Firmware. If the firmware version date is before August 2020, the system is vulnerable.

Check Version:

From CLI: show system version

Verify Fix Applied:

Verify firmware version is SFOS v18.0 MR1 or later, or check version date is after 2020-08-05.

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution in system logs
  • Multiple failed authentication attempts to User Portal followed by successful login
  • Unexpected processes running on firewall

Network Indicators:

  • Unusual outbound connections from firewall management interface
  • Suspicious traffic patterns from firewall to internal systems

SIEM Query:

source="sophos-firewall" AND (event_type="command_execution" OR user_portal_access="suspicious")
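The SIEM query above is a one-line sketch; the following added example (not from the page or from Sophos) shows the same two detections implemented over log lines: a run of failed User Portal authentications followed by a success from the same source, and any command-execution event on the firewall. The log format is an assumption: constructed, simplified key=value lines, not the firewall's real syslog format, so the field names (`component`, `event`, `src`, `user`, `cmd`) must be mapped to whatever your log export actually emits.

```python
"""Added example: flag the User Portal log patterns listed above.

The key=value log format and every field name here are assumptions for the
example; they are not Sophos's real log schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (assumed format, not real Sophos output).
SAMPLE_LOGS = """\
2020-08-01T10:00:01 component=user_portal event=auth_failed src=203.0.113.5 user=alice
2020-08-01T10:00:03 component=user_portal event=auth_failed src=203.0.113.5 user=alice
2020-08-01T10:00:05 component=user_portal event=auth_failed src=203.0.113.5 user=alice
2020-08-01T10:00:09 component=user_portal event=auth_success src=203.0.113.5 user=alice
2020-08-01T10:01:12 component=system event=command_execution user=alice cmd="uname -a"
2020-08-01T11:30:00 component=user_portal event=auth_success src=198.51.100.7 user=bob
2020-08-01T11:31:00 component=user_portal event=auth_failed src=198.51.100.7 user=bob
"""

FAIL_THRESHOLD = 3          # failures before a following success is flagged
WINDOW = timedelta(minutes=5)


def parse_line(line):
    """Parse one constructed log line into a dict; 'ts' becomes a datetime."""
    ts_str, _, rest = line.partition(" ")
    rec = {"ts": datetime.fromisoformat(ts_str)}
    # cmd="..." may contain spaces, so split it off before tokenising the rest
    head, sep, cmd = rest.partition(' cmd="')
    for tok in head.split():
        key, _, val = tok.partition("=")
        rec[key] = val
    if sep:
        rec["cmd"] = cmd.rstrip('"')
    return rec


def find_bruteforce_then_success(records):
    """Return (src, user, ts) for each User Portal success that follows
    at least FAIL_THRESHOLD failures from the same src/user within WINDOW."""
    failures = defaultdict(list)   # (src, user) -> timestamps of failures
    hits = []
    for rec in sorted(records, key=lambda r: r["ts"]):
        if rec.get("component") != "user_portal":
            continue
        key = (rec.get("src"), rec.get("user"))
        if rec.get("event") == "auth_failed":
            failures[key].append(rec["ts"])
        elif rec.get("event") == "auth_success":
            recent = [t for t in failures[key] if rec["ts"] - t <= WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                hits.append((key[0], key[1], rec["ts"]))
            failures[key].clear()   # a success resets the counter
    return hits


def find_command_execution(records):
    """Return (user, cmd, ts) for every command_execution event; on a
    firewall each of these deserves review regardless of the command."""
    return [(r.get("user"), r.get("cmd"), r["ts"])
            for r in records if r.get("event") == "command_execution"]


def analyze(text):
    """Run both detections over a block of log text."""
    records = [parse_line(ln) for ln in text.splitlines() if ln.strip()]
    return {
        "bruteforce_then_success": find_bruteforce_then_success(records),
        "command_execution": find_command_execution(records),
    }


if __name__ == "__main__":
    for name, hits in analyze(SAMPLE_LOGS).items():
        print(name)
        for hit in hits:
            print("   ", hit)
```

On the constructed sample, the first detection reports alice's login from 203.0.113.5 (three failures inside five minutes, then a success) and not bob's (a success with no preceding failures); the second reports the single command-execution event. The threshold and window are tuning knobs; the point is that the two indicators are correlated per source and per user rather than counted globally.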
