Expert Reaction On Hackers Exploit Zero-day In Sophos XG Firewall, Fix Released

By   ISBuzz Team
Writer , Information Security Buzz | Apr 28, 2020 05:12 am PST

It has been reported that Sophos has fixed a zero-day SQL injection vulnerability in their XG Firewall after receiving reports that hackers actively exploited it in attacks.

Notify of
1 Expert Comment
Oldest Most Voted
Inline Feedbacks
View all comments
Rody Quinlan
Rody Quinlan , Security Response Manager
InfoSec Expert
April 28, 2020 1:16 pm

The SQL injection zero-day (CVE-2020-12271) affects the XG Firewall/Sophos Firewall Operating System (SFOS) and could allow attackers to exfiltrate “XG Firewall-resident data,” including usernames, hashed passwords, local user account credentials depending on the configuration.

The vulnerability targets the XG Firewalls’s administration interface which is accessible via the user portal, accessible over HTTPs, or on the WAN zone. Systems are also affected when the port used for the user portal or administration interface is used to expose a firewall service, such as the SSL VPN.

Attackers could reuse the credentials collected in a successful attack, including admin passwords, for remote access, or access to other applications, within an organization. The attack that triggered Sophos’s initial investigation and discovery of the zero-day also noted the presence of malware, Asnarok, on the device , that could modify services to ensure it ran each time the firewall was booted to maintain persistence. Sophos has published a separate article, “Asnarök Trojan targets firewalls” which provides more detail.

As well as implementing the hotfix pushed out by Sophos, organizations should work to reduce the attack surface where possible by disabling the HTTPS Admin Services and User Portal access on the WAN interface.

Last edited 3 years ago by Rody Quinlan

Recent Posts

Would love your thoughts, please comment.x