It has been reported that Sophos has fixed a zero-day SQL injection vulnerability in their XG Firewall after receiving reports that hackers actively exploited it in attacks.
The SQL injection zero-day (CVE-2020-12271) affects the XG Firewall/Sophos Firewall Operating System (SFOS) and could allow attackers to exfiltrate “XG Firewall-resident data,” including usernames, hashed passwords, local user account credentials depending on the configuration.
The vulnerability targets the XG Firewalls’s administration interface which is accessible via the user portal, accessible over HTTPs, or on the WAN zone. Systems are also affected when the port used for the user portal or administration interface is used to expose a firewall service, such as the SSL VPN.
Attackers could reuse the credentials collected in a successful attack, including admin passwords, for remote access, or access to other applications, within an organization. The attack that triggered Sophos’s initial investigation and discovery of the zero-day also noted the presence of malware, Asnarok, on the device , that could modify services to ensure it ran each time the firewall was booted to maintain persistence. Sophos has published a separate article, “Asnarök Trojan targets firewalls” which provides more detail.
As well as implementing the hotfix pushed out by Sophos, organizations should work to reduce the attack surface where possible by disabling the HTTPS Admin Services and User Portal access on the WAN interface.
The SQL injection zero-day (CVE-2020-12271) affects the XG Firewall/Sophos Firewall Operating System (SFOS) and could allow attackers to exfiltrate “XG Firewall-resident data,” including usernames, hashed passwords, local user account credentials depending on the configuration.
The vulnerability targets the XG Firewalls’s administration interface which is accessible via the user portal, accessible over HTTPs, or on the WAN zone. Systems are also affected when the port used for the user portal or administration interface is used to expose a firewall service, such as the SSL VPN.
Attackers could reuse the credentials collected in a successful attack, including admin passwords, for remote access, or access to other applications, within an organization. The attack that triggered Sophos’s initial investigation and discovery of the zero-day also noted the presence of malware, Asnarok, on the device , that could modify services to ensure it ran each time the firewall was booted to maintain persistence. Sophos has published a separate article, “Asnarök Trojan targets firewalls” which provides more detail.
As well as implementing the hotfix pushed out by Sophos, organizations should work to reduce the attack surface where possible by disabling the HTTPS Admin Services and User Portal access on the WAN interface.