Sophos has fixed a zero-day SQL injection vulnerability in their XG Firewall after receiving reports that hackers actively exploited it in attacks.

Sophos states that they received a report on April 22nd that there was a suspicious field value being displayed in a customer’s Sophos XG Firewall management interface and began an investigation.

“Sophos received a report on April 22, 2020, at 20:29 UTC regarding an XG Firewall with a suspicious field value visible in the management interface. Sophos commenced an investigation and the incident was determined to be an attack against physical and virtual XG Firewall units. The attack affected systems configured with either the administration (HTTPS service) or the User Portal exposed on the WAN zone,” Sophos warned.

“This attack used a previously unknown zero-day SQL injection vulnerability, and depending on the configuration of the firewall, could have allowed attackers to steal data from the firewall including usernames and hashed passwords for the local device admin(s), portal admins, and user accounts used for remote access.”

Sophos states that passwords associated with external authentications systems such as LDAP and Active Directory services were not able to be accessed by the attackers.

Hotfix released

Yesterday, Sophos began pushing out this hotfix to all Sophos XG Firewalls that have the “Allow automatic installation of hotfixes” setting enabled on the device.  For those who have this setting disabled, you can follow these instructions to install the hotfix.

“This hotfix eliminated the SQL injection vulnerability which prevented further exploitation, stopped the XG Firewall from accessing any attacker infrastructure, and cleaned up any remnants from the attack,” explain in their security bulletin.

Sophos states that they completed the rollout of the hotfix to all XG Firewall units who have auto-update enabled at 2020-04-25 22:00.

How to tell if your Sophos XG Firewall was compromised

To help customers determine if their XG Firewall has been compromised, the hotfix will display an alert on the XG management interface stating whether your device was compromised or not.

Devices that were not compromised, the hotfix will display an alert stating “Hotfix applied for SQL Injection. Your device was NOT compromised.”

Firewalls that have been compromised by the vulnerability, the management interface will display a message warning “Hotfix applied for SQL injection and partially cleaned.

1. Reset portal administrator and device administrator accounts
2. Reboot the XG device(s)
3. Reset passwords for all local user accounts
4. Although the passwords were hashed, it is recommended that passwords are reset for any accounts where the XG credentials might have been reused

Sophos also warns that even after applying the hotfix and performing remediation steps, this alert will continue to be shown in the management interface.

The information contained in this website is for general information purposes only. The information is gathered from Bleeping Computer, while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.  Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them. Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.