Overview
A critical remote code execution vulnerability in Sophos Cyberoam Firewall appliances running supported CyberoamOS (CROS) version 10.6.6 MR-5 and earlier was recently discovered and responsibly disclosed to Sophos by an external security researcher.
The vulnerability can be potentially exploited by sending a malicious request during an email quarantine release, which would enable an unauthenticated remote attacker to execute arbitrary commands.
Sophos would like to thank Nadav Voloch, from the Research Team at https://www.vpnmentor.com/, for the responsible disclosure of this vulnerability.
The following sections are covered:
Applies to the following Sophos products and versions
A hotfix has been released for the following CROS versions:
- 10.6.2 MR1
- 10.6.3 MR5
- 10.6.4
- 10.6.4 MR1
- 10.6.4.044 (OEM)
- 10.6.5
- 10.6.5 MR1
- 10.6.6
- 10.6.6 MR1
- 10.6.6 MR2
- 10.6.6 MR3
- 10.6.6 MR4
- 10.6.6 MR5
Remediation
- No action required for customers running CROS version 10.6.2 MR1,10.6.3 MR5, 10.6.4 and later, who use the default automatic updates setting. The security update has been automatically installed during the period of 24 – 26 February 2020.
- For customers who have disabled automatic updates, the security update is available via Sophos Support.
- The hotfix for the vulnerability will also be included in CROS version 10.6.6 MR6.
Changes to Email Quarantine Process
Previously, End Users would be able to release quarantined emails directly from the spam digest email. This is no longer possible. If users attempt to do this, they will receive a message asking them to sign into the User Portal.
KBA 135224 has been created to explain the new process of releasing quarantined emails for end users.
Additionally, KBA 135222 documents the message and change in behavior when a user clicks on the Release link in the spam digest email.
Sign up to the Sophos Support SMS Notification Service to get the latest product release information and critical issues.