0-day vulnerability in Sophos XG Firewall under attack

After experiencing issues with Sophos XG Firewall v18 MR1, Sophos pulled the update. Now there are reports that the Sophos XG Firewall is being attacked via a 0-day exploit. Sophos has released an emergency patch to close the vulnerability. Here is some information about this 'drama' and the attack.


The trouble with the Sophos XG Firewall update

First, a short review. A few weeks ago the company released firmware updates for Sophos UTM to version 9.703, as well as an update for the Sophos XG Firewall v18 MR1. In mid-April 2020 I had pointed out in the blog post Stop: Don't install Sophos UTM 9.703 Firmware that this update should not be installed due to serious issues. Sophos then had to withdraw this firmware for the Sophos UTM.

The German edition of the above blog post was commented on by blog reader Matthias Gutowsky (thank you for that), who pointed out that the same problem exists with the Sophos XG Firewall. In this Sophos Community post, dated April 14, 2020, it was noted that Sophos XG Firewall v18 MR1 had also been withdrawn and that a new version was being worked on. But the trouble continued.

Sophos XG firewall under attack

At the weekend I already saw the following tweet from Catalin Cimpanu, pointing to an article at ZDNet with details about the attack.

Bleeping Computer has also published this article about the 0-day exploit and the attacks. In security advisory 135412 Sophos says that on April 22, 2020 at 20:29 UTC a report was received about strange behavior of an XG firewall: its management interface suddenly showed a suspicious field value.


Unknown SQL injection vulnerability exploited

The investigation made by Sophos has identified the incident as an attack on XG physical and virtual firewall units.

  • The attack affected systems configured with either the management interface (HTTPS administration service) or the user portal exposed in the WAN zone.
  • It also affected firewalls that were manually configured to expose a firewall service (such as SSL VPN) in the WAN zone that uses the same port as the management or user portal.

The default configuration of the XG firewall, on the other hand, requires that all services operate on unique ports. The attack used a previously unknown pre-authentication SQL injection vulnerability to gain access to exposed XG devices. The aim of the exploit is to exfiltrate data resident on the XG firewall.
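The two affected configurations above, plus the default unique-port rule, can be turned into a simple exposure audit. The following is an added example, not Sophos code: the `Service` structure, the zone names and the sample ports are assumptions modelled on the advisory's wording, not the real SFOS configuration format.

```python
"""Audit a simplified model of XG firewall service exposure (added example).

Assumption: each service is described by its name, listening port and the
zones it is exposed in. The real SFOS configuration differs from this model.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# The two services the advisory names as affected when exposed in the WAN zone.
ADMIN_SERVICES = {"admin_https", "user_portal"}


@dataclass
class Service:
    name: str
    port: int
    zones: List[str] = field(default_factory=list)


def audit_exposure(services: List[Service]) -> List[str]:
    """Return findings for the advisory's two affected configurations and
    for violations of the default rule that every service has a unique port."""
    findings: List[str] = []
    admin_ports = {s.port for s in services if s.name in ADMIN_SERVICES}
    by_port: Dict[int, List[str]] = {}
    for s in services:
        by_port.setdefault(s.port, []).append(s.name)
        if "WAN" not in s.zones:
            continue
        if s.name in ADMIN_SERVICES:
            # Case 1: management interface or user portal reachable from WAN.
            findings.append(f"{s.name} exposed in WAN on port {s.port}")
        elif s.port in admin_ports:
            # Case 2: another service (e.g. SSL VPN) manually put on the same
            # port as the management interface or user portal, exposed in WAN.
            findings.append(
                f"{s.name} exposed in WAN on port {s.port}, shared with admin/user portal"
            )
    for port, names in sorted(by_port.items()):
        if len(names) > 1:
            findings.append(
                f"port {port} shared by {', '.join(sorted(names))} (default requires unique ports)"
            )
    return findings


# Constructed sample: admin and user portal kept on LAN, but SSL VPN was
# manually moved onto the user portal's port and exposed in WAN.
SAMPLE = [
    Service("admin_https", 4444, ["LAN"]),
    Service("user_portal", 443, ["LAN"]),
    Service("ssl_vpn", 443, ["WAN", "LAN"]),
]

if __name__ == "__main__":
    for line in audit_exposure(SAMPLE):
        print(line)
```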

The data exfiltrated for each affected firewall includes the user names and hashed passwords of all local user accounts, for example local device administrators, user portal accounts, and accounts used for remote access. Sophos has published this blog post with more information about this attack.

Note: Passwords associated with external authentication systems such as Active Directory (AD) or LDAP have not been compromised.

Sophos distributes emergency patch

After determining the components and effects of the attack, Sophos provided a hotfix for all supported XG firewall/SFOS versions. This hotfix should already have been applied to all affected devices with auto-update enabled. The hotfix addressed the SQL injection vulnerability and was intended to prevent further exploitation of the 0-day and attacker access to the infrastructure via the XG firewall. At the same time, the hotfix was intended to clean up any remnants of the attack.

Note: If the "Allow automatic installation of hotfixes" option is disabled, see KB 135415 for instructions on how to apply the required hotfix. 

Is Sophos XG Firewall compromised?

In a Security Advisory, Sophos gives some advice on how administrators can detect if the XG firewall is compromised. The XG firewall hotfix applied by Sophos includes a message in the XG management interface, indicating whether or not a particular XG firewall was affected by this attack. If the hotfix is installed, an uncompromised Sophos XG firewall will display the message below.

Uncompromised Sophos XG Firewall with patch
(Alert on XG Firewall, Source: Sophos)

If the hotfix was successfully installed and the firewall was compromised, the following message should appear in the Control center.

Compromised Sophos XG Firewall with patch
(Compromised Sophos XG Firewall, Source: Sophos)

Customers with compromised firewalls should respond and reboot their XG devices. In addition, the passwords of all local user accounts should be changed. Details can be found in this Sophos advisory.

Similar articles:
Stop: Don't install Sophos UTM 9.703 Firmware
Revised Firmware update Sophos UTM 9.703-3 released
