Resolved RCE through heap overflow in awarrensmtp (CVE-2020-11503)

返回安全公告概览
Critical
CVE(s)
CVE-2020-11503
Updated:
产品
Sophos Firewall
发布 ID sophos-sa-20200617-xg-awarrensmtp-rce
文章版本 1
First Published
解决方法 No

Overview

A heap overflow vulnerability in awarrensmtp, a component of XG Firewall firmware, was recently discovered and responsibly disclosed to Sophos by an external security researcher. The vulnerability can potentially allow a remote attacker to execute arbitrary code.

Sophos would like to thank Arseniy Sharoglazov from Positive Technologies for responsibly disclosing this issue to Sophos.

There is no action required for XG Firewall customers with the "Allow automatic installation of hotfixes" feature enabled. Enabled is the default setting.

Applies to the following Sophos product(s) and version(s)

Sophos XG Firewall v17.5 MR11 and older

Remediation

  • Hotfix for v17.5 and v18.0 published on April 27, 2020
  • Hotfix for v17.0 and v17.1 published on May 13, 2020
  • Fix included in v17.5 MR12 and v18.0 GA-Build379
  • Users of older versions of XG Firewall are required to upgrade to receive this fix

Related information