Hackers are exploiting a Sophos firewall zero-day

silversurfer

silversurfer

Super Moderator
Thread author
Verified
Top Poster
Staff Member
Malware Hunter
Forum Veteran
Aug 17, 2014
12,726
123,827
8,399
Content source
https://www.zdnet.com/article/hackers-are-exploiting-a-sophos-firewall-zero-day/
Cyber-security firm Sophos has published an emergency security update on Saturday to patch a zero-day vulnerability in its XG enterprise firewall product that was being abused in the wild by hackers.

Sophos said it first learned of the zero-day on late Wednesday, April 22, after it received a report from one of its customers. The customer reported seeing "a suspicious field value visible in the management interface."

After investigating the report, Sophos determined this was an active attack and not an error in its product.

"The attack used a previously unknown SQL injection vulnerability to gain access to exposed XG devices," Sophos said in a security advisory today.
Click to expand...
 
  • Like
  • Wow
  • +Reputation
Reactions: shmu26, Stopspying, Protomartyr and 14 others
Guess its good to see ,that Sophos 1.admitted there product had a problem 2. responded to a customers concern( I am shocked they have not taken credit for themselves!) Bad business maybe ( doubt to products ability)or customer boost ( they care about me lol ,sorry for the sarcasm)Does anyone know if Sophos was pressured into this admittance ?
 
  • Like
Reactions: [correlate], upnorth, Stopspying and 5 others
Dave Russo said:
Guess its good to see ,that Sophos 1.admitted there product had a problem 2. responded to a customers concern( I am shocked they have not taken credit for themselves!) Bad business maybe ( doubt to products ability)or customer boost ( they care about me lol ,sorry for the sarcasm)Does anyone know if Sophos was pressured into this admittance ?
Click to expand...
i found that this good mannar and gain more respect from your customer
nothing is perfect and ideal.it is better to fix the mistake as soon you discover it instead of denying it and cause more problems and lose your customer trust
 
  • Like
  • +Reputation
Reactions: [correlate], upnorth, Stopspying and 5 others
It’s good that they investigated and are proactive in patching this, but it is at the same time frightening that a product like XG Firewall, usually responsible for establishing your network’s border with the Internet, can be vulnerable to unauthenticated exploits from both the WAN and LAN sides, depending on how you’ve configured things.
For reasons like this, I never recommend exposing a router/firewall WebUI on the WAN side. If you need to remotely administer it, set up a VPN or SSH key based authentication.
For larger and less trusted networks I wouldn’t even allow the LAN side subnet to have access to the admin interface because of the risk of drive by malware and compromised devices on the local network.

I switched to PFSense from Sophos XG a while back mainly because I couldn’t get used to the UI. On my PFSense box there is a separate admin wired interface that I plug into in order to get to the UI.
 
  • Like
  • +Reputation
Reactions: blackice, [correlate], upnorth and 6 others
More posts about this vulnerability.

www.securityweek.com

Malware Delivered to Sophos Firewalls via Zero-Day Vulnerability

Sophos informed customers that hackers delivered malware to its XG firewalls by exploiting a zero-day vulnerability.
www.securityweek.com www.securityweek.com

www.bleepingcomputer.com

Hackers exploit zero-day in Sophos XG Firewall, fix released

Sophos has fixed a zero-day SQL injection vulnerability in their XG Firewall after receiving reports that hackers actively exploited it in attacks.
www.bleepingcomputer.com www.bleepingcomputer.com


scorpionv said:
Is Sophos Home UTM (previously Astaro) also affected?
Click to expand...

I've seen no reference to other Sophos firewalls being affected by this zero-day.
 
  • Like
Reactions: [correlate], upnorth, Protomartyr and 2 others
More on this issue -

"Attackers have been targeting the Sophos XG Firewall (both physical and virtual versions) using a zero-day exploit, according to the security firm – with the ultimate goal of dropping the Asnarok malware on vulnerable appliances.
Sophos said in a posting updated on Monday that the bug in question is a pre-authentication SQL injection vulnerability (a CVE is forthcoming) that leads to remote code execution (RCE). It affects systems configured with either the administration interface (called the “HTTPS admin service”) or the user portal exposed to the WAN zone."

threatpost.com

Hackers Mount Zero-Day Attacks on Sophos Firewalls

A pre-auth SQL injection bug leading to remote code execution is at the heart of a data-stealing campaign against XG firewalls, using the Asnarok trojan.
threatpost.com threatpost.com
 
  • Like
Reactions: Protomartyr, [correlate], Gandalf_The_Grey and 3 others
It was used in targeted attacks. Nothing we home users need to worry about.

"Multiple customers were targeted.


According to the company, the attack was aimed at systems with the administration service or the user portal exposed to the internet. "
 
  • Like
Reactions: Protomartyr, blackice, [correlate] and 2 others
As we described last week in this KBA, Sophos and its customers were the victims of a coordinated attack by an unknown adversary. This attack revealed a previously unknown SQL injection vulnerability that led to remote code execution on some of our firewall products. As described in the KBA, the vulnerability has since been remediated.

This post is the result of many hours of research and reverse-engineering by SophosLabs and Sophos internal security teams, working in conjunction with product management to coordinate a hotfix and global response within two days of discovering this attack. In the spirit of transparency, we want to describe the nature of the attack and a detailed analysis of the malware based on our investigation and current understanding. There was significant orchestration involved in the execution of the attack, using a chain of Linux shell scripts that eventually downloaded ELF binary executable malware compiled for a firewall operating system. This attack targeted Sophos products and apparently was intended to steal sensitive information from the firewall.

The infection process started when an attacker discovered, and exploited, a zero-day SQL injection remote code execution vulnerability. The exploit of this vulnerability resulted in the attacker being able to insert a one-line command into a database table.
Click to expand...
The malware demonstrated the capability to retrieve only firewall resident information, which may have included:
  • The firewall’s license and serial number
  • A list of the email addresses of user accounts that were stored on the device, followed by the primary email belonging to the firewall’s administrator account
  • Firewall users’ names, usernames, the encrypted form of the passwords, and the salted SHA256 hash of the administrator account’s password. Passwords were not stored in plain text.
  • A list of the user IDs permitted to use the firewall for SSL VPN and accounts that were permitted to use a “clientless” VPN connection.
The malware then queried an internal database of the firewall to retrieve a list of the IP address allocation permissions for the users of the firewall, as well as information about the appliance itself: What version of the operating system was running, what type of CPU and amount of memory was present on the device; how long it had been operational since the last reboot (the ‘uptime’); and the output of the ifconfig and ARP tables.
Click to expand...
news.sophos.com

“Asnarök” Trojan targets firewalls

Customized malware used to compromise physical and virtual firewalls
news.sophos.com news.sophos.com
 
  • Like
  • +Reputation
  • Applause
Reactions: scorpionv, Protomartyr, blackice and 3 others
You must log in or register to reply here.

You may also like...