Informational

Medium

Resolved RCE in Sophos Connect Client for Windows (CVE-2021-25265)

CVE(s)

CVE-2021-25265

Product(s)

Sophos Connect Client 2.0

Updated

2021 Mar 1

Article Version

1

Created

2021 Mar 1

Publication ID

sophos-sa-20210301-connect-client-rce

Workaround

No

Overview

A remote code execution vulnerability in Sophos Connect Client version 2.0 for Windows was recently discovered and responsibly disclosed to Sophos. It was reported via the Sophos bug bounty program by an external security researcher. The vulnerability has been fixed in version 2.1.

Sophos would like to thank Kim Karlsson for responsibly disclosing this issue to Sophos.

The remediation prevented malicious websites from remotely executing arbitrary code. There was no evidence that the vulnerability was exploited and to our knowledge no customers are impacted.

Applies to the following Sophos product(s) and version(s)

  • Sophos Connect Client 2.0 for Windows

Remediation

  • Sophos Connect Client version 2.1 published to all XG Firewall versions via pattern update on March 10, 2021

Patching Instructions

  1. Ensure the Sophos Connect Clients version 2.1 or newer pattern is installed under Backup & firmware → Pattern updates
  2. Download SophosConnect_2.1_(IPsec_and_SSLVPN).msi and deploy it to all endpoints with an older version
    1. WebAdmin v17.5: VPN → Sophos Connect client → Client information → Download
    2. WebAdmin v18.0: VPN → IPsec (remote access) → Download client

Individual users can download SophosConnect_2.1_(IPsec_and_SSLVPN).msi using this link: https://www.sophos.com/Pages/DownloadRedirect.aspx?downloadKey=6AF9884A-8B35-4E3E-8DE0-36C7063293DE.
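To find endpoints that still need the 2.1 installer from step 2, the following added example (not part of the Sophos advisory) reads the standard Windows uninstall registry keys and flags any Sophos Connect install older than 2.1. It assumes the client registers an uninstall entry whose DisplayName begins with "Sophos Connect"; adjust the pattern if your installs are named differently.

```powershell
# Added example, not Sophos code. Flags Sophos Connect installs older than 2.1.
# Assumption: the uninstall entry's DisplayName starts with "Sophos Connect".
$NamePattern  = 'Sophos Connect*'
$FixedVersion = [version]'2.1'   # first fixed release per the advisory

# Standard per-machine uninstall locations (64-bit and 32-bit views).
$UninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-SophosConnectStatus {
    param(
        [string]  $Pattern = $NamePattern,
        [version] $Minimum = $FixedVersion
    )

    Get-ItemProperty -Path $UninstallRoots -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $Pattern } |
        ForEach-Object {
            # DisplayVersion can be missing or malformed; report that
            # as UNKNOWN instead of silently treating it as patched.
            $parsed = $null
            $ok = [version]::TryParse([string]$_.DisplayVersion, [ref]$parsed)

            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Name     = $_.DisplayName
                Version  = $_.DisplayVersion
                Status   = if (-not $ok) { 'UNKNOWN' }
                           elseif ($parsed -lt $Minimum) { 'VULNERABLE' }
                           else { 'OK' }
            }
        }
}

$results = @(Get-SophosConnectStatus)
$results | Format-Table -AutoSize

# Non-zero exit lets a deployment or compliance tool key off the result.
if ($results.Status -contains 'VULNERABLE') { exit 1 }
```

An empty result means no matching uninstall entry was found on that machine, which is not the same as a confirmed patched install.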

Related information

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25265


Sophos Responsible Disclosure Policy

To learn about Sophos security vulnerability disclosure policies and publications, see the Responsible Disclosure Policy.