silversurfer

Level 64
Verified
Trusted
Content Creator
Malware Hunter
Cyber-security firm Sophos has published an emergency security update on Saturday to patch a zero-day vulnerability in its XG enterprise firewall product that was being abused in the wild by hackers.

Sophos said it first learned of the zero-day on late Wednesday, April 22, after it received a report from one of its customers. The customer reported seeing "a suspicious field value visible in the management interface."

After investigating the report, Sophos determined this was an active attack and not an error in its product.

"The attack used a previously unknown SQL injection vulnerability to gain access to exposed XG devices," Sophos said in a security advisory today.
 

Dave Russo

Level 14
Verified
Guess it's good to see that Sophos 1. admitted their product had a problem, 2. responded to a customer's concern (I am shocked they have not taken credit for themselves!). Bad business maybe (doubt of the product's ability) or customer boost (they care about me lol, sorry for the sarcasm). Does anyone know if Sophos was pressured into this admittance?
 

DDE_Server

Level 21
Verified
Guess it's good to see that Sophos 1. admitted their product had a problem, 2. responded to a customer's concern (I am shocked they have not taken credit for themselves!). Bad business maybe (doubt of the product's ability) or customer boost (they care about me lol, sorry for the sarcasm). Does anyone know if Sophos was pressured into this admittance?
I find that this is good manners and gains more respect from your customers.
Nothing is perfect and ideal. It is better to fix a mistake as soon as you discover it instead of denying it, causing more problems and losing your customers' trust.
 

MacDefender

Level 11
Verified
It’s good that they investigated and are proactive in patching this, but it is at the same time frightening that a product like XG Firewall, usually responsible for establishing your network’s border with the Internet, can be vulnerable to unauthenticated exploits from both the WAN and LAN sides, depending on how you’ve configured things.
For reasons like this, I never recommend exposing a router/firewall WebUI on the WAN side. If you need to remotely administer it, set up a VPN or SSH key based authentication.
For larger and less trusted networks I wouldn’t even allow the LAN side subnet to have access to the admin interface because of the risk of drive by malware and compromised devices on the local network.

I switched to pfSense from Sophos XG a while back mainly because I couldn't get used to the UI. On my pfSense box there is a separate admin wired interface that I plug into in order to get to the UI.
 

Stopspying

Level 10
More posts about this vulnerability.

Is Sophos Home UTM (previously Astaro) also affected?

I've seen no reference to other Sophos firewalls being affected by this zero-day.
 

Stopspying

Level 10
More on this issue -

"Attackers have been targeting the Sophos XG Firewall (both physical and virtual versions) using a zero-day exploit, according to the security firm – with the ultimate goal of dropping the Asnarok malware on vulnerable appliances.
Sophos said in a posting updated on Monday that the bug in question is a pre-authentication SQL injection vulnerability (a CVE is forthcoming) that leads to remote code execution (RCE). It affects systems configured with either the administration interface (called the “HTTPS admin service”) or the user portal exposed to the WAN zone."

 

shmu26

Level 85
Verified
Trusted
Content Creator
It was used in targeted attacks. Nothing we home users need to worry about.

"Multiple customers were targeted.

According to the company, the attack was aimed at systems with the administration service or the user portal exposed to the internet."
 

upnorth

Moderator
Verified
Staff member
Malware Hunter
As we described last week in this KBA, Sophos and its customers were the victims of a coordinated attack by an unknown adversary. This attack revealed a previously unknown SQL injection vulnerability that led to remote code execution on some of our firewall products. As described in the KBA, the vulnerability has since been remediated.

This post is the result of many hours of research and reverse-engineering by SophosLabs and Sophos internal security teams, working in conjunction with product management to coordinate a hotfix and global response within two days of discovering this attack. In the spirit of transparency, we want to describe the nature of the attack and a detailed analysis of the malware based on our investigation and current understanding. There was significant orchestration involved in the execution of the attack, using a chain of Linux shell scripts that eventually downloaded ELF binary executable malware compiled for a firewall operating system. This attack targeted Sophos products and apparently was intended to steal sensitive information from the firewall.

The infection process started when an attacker discovered, and exploited, a zero-day SQL injection remote code execution vulnerability. The exploit of this vulnerability resulted in the attacker being able to insert a one-line command into a database table.
The malware demonstrated the capability to retrieve only firewall resident information, which may have included:
  • The firewall’s license and serial number
  • A list of the email addresses of user accounts that were stored on the device, followed by the primary email belonging to the firewall’s administrator account
  • Firewall users’ names, usernames, the encrypted form of the passwords, and the salted SHA256 hash of the administrator account’s password. Passwords were not stored in plain text.
  • A list of the user IDs permitted to use the firewall for SSL VPN and accounts that were permitted to use a “clientless” VPN connection.
The malware then queried an internal database of the firewall to retrieve a list of the IP address allocation permissions for the users of the firewall, as well as information about the appliance itself: What version of the operating system was running, what type of CPU and amount of memory was present on the device; how long it had been operational since the last reboot (the ‘uptime’); and the output of the ifconfig and ARP tables.
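The root cause described in the posts above is a pre-authentication SQL injection in a management interface. The following is an added example, written for this thread and not code from Sophos or from the XG Firewall, that shows the class of defect and its fix side by side using a constructed in-memory user table: one lookup splices untrusted input into the SQL text, the other binds it as a parameter. The table, column names and sample rows are invented for illustration; the hash values are placeholders, not real hashes.

```python
import sqlite3

# Constructed sample data standing in for an appliance's user table.
# The pw_hash values are placeholders, not real password hashes.
SAMPLE_USERS = [
    ("admin", "placeholder-hash-1", "admin@example.invalid"),
    ("alice", "placeholder-hash-2", "alice@example.invalid"),
]


def make_db():
    """Build a throwaway in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pw_hash TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_user_vulnerable(conn, username):
    """Defective lookup: the input becomes part of the SQL statement itself.

    Because the value is spliced into the query text, a quote character in the
    input can close the string literal and change the WHERE clause, so the
    input controls query structure rather than just a compared value.
    """
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_user_hardened(conn, username):
    """Corrected lookup: the input is bound as a parameter.

    The statement text is fixed; the driver passes the value separately, so
    the database always treats it as data and never as SQL.
    """
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def compare_lookups(username):
    """Return how many rows each version yields for the same input."""
    conn = make_db()
    return {
        "vulnerable": len(lookup_user_vulnerable(conn, username)),
        "hardened": len(lookup_user_hardened(conn, username)),
    }


if __name__ == "__main__":
    # A well-formed username matches exactly one row either way.
    print("normal input:", compare_lookups("admin"))
    # The classic tautology test string used when auditing for this defect:
    # the defective version returns every row, the corrected one returns none.
    print("malformed input:", compare_lookups("' OR '1'='1"))
```

Parameter binding is the standard fix for this defect class; a web application firewall or input filter in front of the interface is at best a secondary control. The advice elsewhere in this thread, keeping the admin service and user portal off the WAN and reachable only through a VPN or a dedicated management interface, reduces exposure but does not remove the underlying bug.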
 