Resolved SQLi in Cyberoam OS WebAdmin (CVE-2020-29574)

返回安全公告概览
Critical
CVE(s)
CVE-2020-29574
Updated:
产品
Cyberoam OS Devices
发布 ID sophos-sa-20201210-cyberoam-webadmin-sqli
文章版本 1
First Published
解决方法 No

Overview

An SQL Injection vulnerability in the WebAdmin of Cyberoam OS was recently discovered and has been patched through a hotfix. On some systems, this may have been used to create an unrecognized account.

Applies to the following Sophos product(s) and version(s)

  • All Cyberoam OS devices

Remediation

  • Hotfix distributed to all supported Cyberoam OS devices starting December 4, 2020
  • Hotfix also distributed to unsupported EOL Cyberoam versions 10.6.2 and later
  • Additionally, Sophos recommends that Cyberoam customers upgrade to XG Firewall v17.5 or the latest available Cyberoam OS release

Recommendation

Customers can further protect themselves by ensuring their Web Admin and SSH access is not exposed to WAN (System > Administration > Appliance Access).

Related Information

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29574