Informational

Critical

Resolved RCE through heap overflow in awarrensmtp (CVE-2020-11503)

CVE(s)

CVE-2020-11503

Product(s)

Sophos Firewall

Updated

2020 Jun 17

Article version

1

Published

2020 Jun 17

Publication ID

sophos-sa-20200617-xg-awarrensmtp-rce

Workaround

No

Overview

A heap overflow vulnerability in awarrensmtp, a component of XG Firewall firmware, was recently discovered and responsibly disclosed to Sophos by an external security researcher. The vulnerability can potentially allow a remote attacker to execute arbitrary code.

Sophos would like to thank Arseniy Sharoglazov from Positive Technologies for responsibly disclosing this issue to Sophos.

No action is required for XG Firewall customers who have the "Allow automatic installation of hotfixes" feature enabled; this feature is enabled by default.

Applies to the following Sophos product(s) and version(s)

Sophos XG Firewall v17.5 MR11 and older

Remediation

  • Hotfix for v17.5 and v18.0 published on April 27, 2020
  • Hotfix for v17.0 and v17.1 published on May 13, 2020
  • Fix included in v17.5 MR12 and v18.0 GA-Build379
  • Users of older versions of XG Firewall are required to upgrade to receive this fix

Related information


Sophos Responsible Disclosure Policy

To learn about Sophos security vulnerability disclosure policies and publications, see the Responsible Disclosure Policy.
