Hackers exploit SQL injection zero-day issue in Sophos firewall

Cybersecurity firm Sophos releases an emergency patch to address an SQL injection flaw in its XG Firewall product that has been exploited in the wild.

Cybersecurity firm Sophos has released an emergency patch to address an SQL injection zero-day vulnerability affecting its XG Firewall product that has been exploited in the wild.

Sophos was informed of the attacks exploiting the zero-day issue by one of its customers on April 22. The customer noticed “a suspicious field value visible in the management interface.”

Sophos investigated the incident and determined that hackers were targeting systems configured with either the administration (HTTPS service) or the User Portal exposed on the WAN zone.

The attackers exploited an SQL injection zero-day vulnerability to gain access to exposed XG devices.

“The attack used a previously unknown SQL injection vulnerability to gain access to exposed XG devices.” reads the advisory published by Sophos.

“It was designed to download payloads intended to exfiltrate XG Firewall-resident data. The data for any specific firewall depends upon the specific configuration and may include usernames and hashed passwords for the local device admin(s), portal admins, and user accounts used for remote access.” “Passwords associated with external authentication systems such as AD or LDAP are unaffected. At this time, there is no indication that the attack accessed anything on the local networks behind any impacted XG Firewall.”

The hackers exploited the SQL injection flaw to download malicious code on the device that was designed to steal files from the XG Firewall.

Attackers could exploit the issue to steal sensitive data including usernames and hashed passwords for the firewall device admin, and user accounts used for remote access. Sophos pointed out that passwords associated with external authentication systems such as AD or LDAP are unaffected.

The Sophos’s advisory states that there is no indication that the attack accessed anything on the local networks behind any impacted XG Firewall.

The company confirmed that it did not find any evidence that threat actors used the stolen passwords to access XG Firewall devices.

Sophos already issued an automatic update to address all XG Firewalls having the auto-update feature enabled.

“After determining the components and impact of the attack, Sophos deployed a hotfix to all supported XG Firewall/SFOS versions.” states the advisory.

“This hotfix eliminated the SQL injection vulnerability which prevented further exploitation, stopped the XG Firewall from accessing any attacker infrastructure, and cleaned up any remnants from the attack.”

Sophos’s update will also add a special box in the XG Firewall control panel to allow users to determine if their device has been compromised.

For users that had they XG Firewall devices compromised and that have received the hotfix, Sophos strongly recommend the following additional steps to fully remediate the issue:

1. Reset portal administrator and device administrator accounts
2. Reboot the XG device(s)
3. Reset passwords for all local user accounts
4. Although the passwords were hashed, it is recommended that passwords are reset for any accounts where the XG credentials might have been reused

The security firm also recommends that companies to disable the firewall’s administration interfaces on the internet-facing ports if they don’t need the feature.

Please give me your vote for European Cybersecurity Blogger Awards – VOTE FOR YOUR WINNERS
https://docs.google.com/forms/d/e/1FAIpQLSe8AkYMfAAwJ4JZzYRm8GfsJCDON8q83C9_wu5u10sNAt_CcA/viewform

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Sophos, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]