Sophos Firewall zero-day vulnerability patched

SQL injection bug was actively exploited by hackers in the wild

Sophos XG Firewall zero-day patched

Sophos is one of the more prominent security vendors, specializing in network, email, and communication security products aimed mainly at the enterprise sector. Recently, the firm received several reports about a Sophos XG Firewall zero-day[1] vulnerability, an SQL injection flaw that could only be exploited under certain circumstances, i.e., when particular settings are used. If abused, the bug would allow threat actors to steal sensitive information from the device, including local usernames, hashed passwords, and other data, ultimately enabling remote access.

Sophos has patched the SQL injection vulnerability and is now asking all users to update the XG Firewall as soon as possible. The advisory was published today, April 27, while the initial reports of the bug being exploited arrived on April 22:[2]

Sophos received a report on April 22, 2020, at 20:29 UTC regarding an XG Firewall with a suspicious field value visible in the management interface. Sophos commenced an investigation and the incident was determined to be an attack against physical and virtual XG Firewall units.

Sophos submitted a CVE request only recently, so no CVE number[3] has yet been assigned to the flaw. Nonetheless, affected users should follow the relevant portals in case new details about the attack emerge.

Hackers injected the data-stealing malware Asnarök

Sophos said that the SQL injection[4] bug in XG Firewall that was exploitable before the patch had never been seen before. In other words, the vulnerability is treated as a zero-day: a flaw that attackers are already abusing in the wild while the software's developers are still unaware of it.

The attack could only affect XG devices with particular firewall configuration settings, namely those where the control panel was exposed to the internet, as Sophos explained:

The attack affected systems configured with either the administration interface (HTTPS admin service) or the user portal exposed on the WAN zone. In addition, firewalls manually configured to expose a firewall service (e.g. SSL VPN) to the WAN zone that shares the same port as the admin or User Portal were also affected.

However, passwords stored in Active Directory (AD), LDAP, or other external authentication systems were not impacted by the vulnerability.

Sophos discovered that once the SQL injection vulnerability was exploited to achieve remote code execution, the malicious actors would download and install a payload known as Asnarök, a customized malware designed to steal Firewall data. This allowed the attackers to exfiltrate Firewall files related to all local device admins, remote access accounts, and user portal accounts. The good news is that Sophos found no evidence that the hackers used the stolen data to access customers' internal networks, or anything beyond the Firewall data.

Upon discovering the vulnerability, SophosLabs, together with the company's internal teams, managed to dissect the attack and how it operated within just a few days and published all findings in a post on the Sophos security blog.[5] According to the research, the attack was coordinated, although the actor behind it is currently unknown.

Remediate your system if you are using Sophos Firewall

A thorough investigation of the zero-day vulnerability was quickly followed by a hotfix release for all customers running the XG Firewall software. The company applied the patches automatically on devices where the “Allow automatic installation of hotfixes” setting was enabled. Those who do not have that setting enabled should go to Backup & firmware > Firmware > Hotfix and enable automatic updates.

Once the patch is applied, users would see one of the following messages:

Hotfix applied for SQL Injection. Your device was NOT compromised

Hotfix applied for SQL injection and partially cleaned

In the case of the former, no other user interaction is required. Those who received the second message should perform the following measures to mitigate the attack:

  • Reset administrator accounts
  • Reboot XG device
  • Reset all passwords for local accounts

As additional measures, users should also reset any passwords that were reused between XG accounts and other systems, and disable the HTTPS Admin Service and User Portal access on the WAN interface to prevent further attacks of a similar nature.
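The two practical pieces of the advisory, the configurations Sophos lists as affected (admin interface or User Portal exposed on the WAN zone, or another WAN-exposed service sharing their port) and the remediation steps tied to the hotfix notice, can be turned into a small audit script. The following is an added, illustrative example written for this article; it is not Sophos code and does not use the real XG configuration export format. The `Exposure` model, the sample entries, and the listening ports (admin on 4444/tcp, User Portal on 443/tcp) are assumptions an administrator would replace with values from their own device.

```python
"""Exposure audit and remediation planner for the XG Firewall hotfix notice.

Illustrative, defender-side example; not Sophos code and not tied to the real
XG configuration schema. The exposure entries below are a constructed model
of the device-access / WAN-exposed services an admin would export from their
own firewall.
"""
from dataclasses import dataclass

# Assumed default listening ports (verify against your own device's admin settings).
ADMIN_PORT = 4444          # HTTPS admin service, assumed default
USER_PORTAL_PORT = 443     # User Portal, assumed default

# Services the advisory names as affected when exposed on the WAN zone.
PORTAL_SERVICES = {"HTTPS", "UserPortal"}


@dataclass(frozen=True)
class Exposure:
    """One service allowed in one zone: a simplified stand-in for a device
    access rule or a manually created WAN firewall rule (hypothetical model)."""
    service: str   # e.g. "HTTPS", "UserPortal", "SSLVPN", "Ping"
    zone: str      # e.g. "WAN", "LAN"
    port: int


def exposure_findings(exposures):
    """Return (service, reason) pairs for entries matching the advisory's
    affected configurations: admin or User Portal on WAN, or another
    WAN-exposed service that shares their port."""
    findings = []
    for e in exposures:
        if e.zone.upper() != "WAN":
            continue
        if e.service in PORTAL_SERVICES:
            findings.append((e.service, "admin interface or User Portal exposed on WAN"))
        elif e.port in (ADMIN_PORT, USER_PORTAL_PORT):
            findings.append((e.service,
                             f"WAN service shares port {e.port} with the admin or User Portal"))
    return findings


def harden(exposures):
    """Return a copy of the configuration with admin/User Portal access on WAN removed."""
    return [e for e in exposures
            if not (e.zone.upper() == "WAN" and e.service in PORTAL_SERVICES)]


def remediation_plan(hotfix_message, exposures):
    """Map the hotfix notice text plus the current exposure state to an ordered
    action list, following the steps given in the advisory."""
    msg = hotfix_message.lower()
    steps = []
    if "partially cleaned" in msg:
        steps += ["Reset administrator accounts",
                  "Reboot XG device",
                  "Reset all passwords for local accounts",
                  "Reset any password reused between XG accounts and other systems"]
    elif "not compromised" not in msg:
        steps.append("Unrecognised hotfix status: verify hotfix state under "
                     "Backup & firmware > Firmware > Hotfix")
    if exposure_findings(exposures):
        steps.append("Disable HTTPS Admin Service and User Portal access on the WAN interface")
    return steps


# Constructed sample: admin console and User Portal reachable from the WAN,
# plus SSL VPN deliberately placed on the User Portal's port.
SAMPLE_EXPOSURES = [
    Exposure("HTTPS", "LAN", ADMIN_PORT),
    Exposure("HTTPS", "WAN", ADMIN_PORT),
    Exposure("UserPortal", "WAN", USER_PORTAL_PORT),
    Exposure("SSLVPN", "WAN", USER_PORTAL_PORT),
    Exposure("Ping", "WAN", 0),
]

if __name__ == "__main__":
    for service, reason in exposure_findings(SAMPLE_EXPOSURES):
        print(f"FINDING {service}: {reason}")
    for step in remediation_plan("Hotfix applied for SQL injection and partially cleaned",
                                 SAMPLE_EXPOSURES):
        print(f"ACTION {step}")
```

Note that `harden()` only removes the portal services from the WAN zone; a manually exposed service such as SSL VPN that still sits on the User Portal's port remains flagged, since the advisory lists that port-sharing arrangement as an affected configuration in its own right and it should be reviewed separately.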

The above notifications will continue to be displayed in the client regardless of whether the relevant remediation steps have been applied.