Zero-day in Sophos XG Firewall product exploited

News by Doug Olenick

Sophos and its customers were victimised when a previously unknown SQL injection vulnerability in the company’s physical and virtual XG Firewall units was exploited

The security firm Sophos and its customers were victimised when a previously unknown SQL injection vulnerability in the company’s physical and virtual XG Firewall units was exploited.

The attack was first reported on April 22, when a suspicious field value visible in the firewall management interface was detected. It used a previously unknown pre-authentication SQL injection vulnerability that led to remote code execution, enabling the attackers to gain access to exposed XG devices with the intention of exfiltrating XG Firewall-resident data. This included all local usernames and hashed passwords of any local user accounts. However, Sophos does not believe any data was removed from the affected accounts.

“The attack affected systems configured with either the administration interface (HTTPS admin service) or the user portal exposed on the WAN zone. In addition, firewalls manually configured to expose a firewall service (e.g. SSL VPN) to the WAN zone that shares the same port as the admin or User Portal were also affected,” Sophos said.

Sophos’ initial response was to determine the components of the attack and to push a hotfix that closed the vulnerability on all supported XG Firewall/SFOS versions. The hotfix also displayed a pop-up message on the XG management interface that notified each customer it had been applied and whether or not their device had been compromised in the attack.

“The exploit of this vulnerability resulted in the attacker being able to insert a one-line command into a database table. This initial injected command triggered an affected device to download a Linux shell script named Install.sh from a remote server on the malicious domain sophosfirewallupdate[.]com,” the company said.

The script then ran a series of badly written PostgreSQL commands which, rather than modifying certain tables in the database as intended, made the attacker’s own injected SQL command visible in the firewall’s administrative user interface for all to see. That exposed value is what first drew attention to the attack.
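The mechanism the article describes only in general terms, as an added illustration that is not Sophos code and not the actual XG payload: a pre-authentication handler that splices a request field straight into SQL lets an attacker smuggle a second statement that writes an attacker-chosen value into a configuration table, and that value then surfaces in the administrator's view as exactly the kind of "suspicious field value" mentioned above. The schema, handler names and payload are constructed for the example; sqlite3's executescript stands in for a backend that accepts several statements in one string. The hardened handler beside it stores the same input harmlessly.

```python
"""Constructed illustration of stored SQL injection via string concatenation.
This is example code, not Sophos XG Firewall code; every table, column and
handler name below is invented for the demonstration."""
import sqlite3


def new_db():
    # Invented schema standing in for a firewall's configuration database.
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE portal_sessions (id INTEGER PRIMARY KEY, username TEXT);
        CREATE TABLE device_settings (name TEXT PRIMARY KEY, value TEXT);
        INSERT INTO device_settings VALUES ('hostname', 'xg-fw-01');
        """
    )
    return conn


def record_login_vulnerable(conn, username):
    # Pre-auth handler that builds SQL by concatenating an unauthenticated form
    # field. executescript() runs stacked statements, standing in for a backend
    # (such as a PostgreSQL simple-query interface) that executes every
    # statement it is handed in one string.
    sql = "INSERT INTO portal_sessions (username) VALUES ('" + username + "');"
    conn.executescript(sql)


def record_login_hardened(conn, username):
    # Parameterised query: the bound value can never alter statement structure,
    # so the whole payload is stored literally as a username.
    conn.execute("INSERT INTO portal_sessions (username) VALUES (?)", (username,))
    conn.commit()


def admin_settings_view(conn):
    # What an administrator would see rendered in the management UI.
    return dict(conn.execute("SELECT name, value FROM device_settings"))


def stored_usernames(conn):
    return [row[0] for row in conn.execute("SELECT username FROM portal_sessions")]


# Constructed payload: closes the string literal, appends a statement that
# overwrites a settings row with attacker-chosen text, and comments out the
# remainder of the original statement.
PAYLOAD = (
    "guest'); UPDATE device_settings SET value = 'ATTACKER-CONTROLLED' "
    "WHERE name = 'hostname'; --"
)


def hostname_after_login(handler):
    # Run one login through the given handler and return what the admin UI
    # would display for the hostname setting afterwards.
    conn = new_db()
    handler(conn, PAYLOAD)
    return admin_settings_view(conn)["hostname"]


if __name__ == "__main__":
    print("vulnerable handler ->", hostname_after_login(record_login_vulnerable))
    print("hardened handler   ->", hostname_after_login(record_login_hardened))
```

With the vulnerable handler the admin view shows the attacker's text where the hostname should be; with the parameterised handler the settings table is untouched and the payload sits inertly in the sessions table, where it can be spotted and cleaned up.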

Additional shell scripts were then dropped to maintain persistence and to stage the exfiltration of data from the affected device.
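The Sophos statement quoted above names two indicators, the domain sophosfirewallupdate[.]com and a script called Install.sh. The following added example, not part of the original article or of any Sophos tooling, refangs the defanged domain and scans log lines for contact with that domain (or any of its subdomains) and for retrieval of the named script, while leaving legitimate Sophos hosts and look-alike names alone. The log format and the sample lines are constructed for the example.

```python
"""Added example: scan log lines for the indicators named in the Sophos
statement. Not Sophos code; the log format and sample lines are constructed."""
import re

# Indicators exactly as published, in analyst-safe (defanged) notation.
DEFANGED_IOCS = ["sophosfirewallupdate[.]com"]
SCRIPT_NAME = "Install.sh"

# Bare hostnames (DNS logs) and URL hosts/paths (proxy logs).
HOST_TOKEN_RE = re.compile(r"(?<![\w.-])((?:[a-z0-9-]+\.)+[a-z]{2,})", re.IGNORECASE)
URL_RE = re.compile(r"https?://([^/\s:]+)(?::\d+)?(/[^\s\"']*)?", re.IGNORECASE)


def refang(indicator):
    # Turn defanged notation back into a matchable hostname.
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


def host_matches(host, ioc_domain):
    # Exact domain or any subdomain of it; "sophos.com" and
    # "notsophosfirewallupdate.com" must not match.
    host = host.lower().rstrip(".")
    return host == ioc_domain or host.endswith("." + ioc_domain)


def scan_line(line, ioc_domains=None):
    """Return the reasons a line is suspicious (empty list if clean)."""
    if ioc_domains is None:
        ioc_domains = [refang(i) for i in DEFANGED_IOCS]
    reasons = []
    hosts = {h.lower().rstrip(".") for h in HOST_TOKEN_RE.findall(line)}
    for host in sorted(hosts):
        for domain in ioc_domains:
            if host_matches(host, domain):
                reasons.append(f"contact with IOC domain {domain} via {host}")
    for m in URL_RE.finditer(line):
        path = m.group(2) or ""
        if path.rstrip("/").rsplit("/", 1)[-1] == SCRIPT_NAME:
            reasons.append(f"request for {SCRIPT_NAME} from {m.group(1)}")
    return reasons


def scan_logs(lines, ioc_domains=None):
    """Map line index -> reasons, for every line that triggers at least one."""
    hits = {}
    for idx, line in enumerate(lines):
        reasons = scan_line(line, ioc_domains)
        if reasons:
            hits[idx] = reasons
    return hits


# Constructed sample log lines (format invented for this example).
SAMPLE_LOGS = [
    # legitimate update traffic: must stay clean
    "2020-04-22T10:01:07Z dns query=update.sophos.com client=10.0.0.5",
    # look-alike domain: must stay clean
    "2020-04-22T10:02:11Z proxy GET http://notsophosfirewallupdate.com/ status=200",
    # the script retrieval described in the text
    "2020-04-22T10:03:42Z proxy GET http://sophosfirewallupdate.com/Install.sh status=200",
    # DNS-only sighting of a subdomain of the IOC
    "2020-04-22T10:04:00Z dns query=cdn.sophosfirewallupdate.com client=10.0.0.9",
]


if __name__ == "__main__":
    for idx, reasons in scan_logs(SAMPLE_LOGS).items():
        print(f"line {idx}: {'; '.join(reasons)}")
```

The subdomain check and the look-alike test are the parts worth keeping when this is adapted to real proxy or DNS logs: a plain substring match on the domain would both miss a subdomain used for staging and false-positive on a name that merely contains the string.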

In an email to SC Media UK, Rody Quinlan, security response manager at Tenable, described the flaw: "The SQL injection zero-day (CVE-2020-12271) affects the XG Firewall/Sophos Firewall Operating System (SFOS) and could allow attackers to exfiltrate “XG Firewall-resident data,” including usernames, hashed passwords, local user account credentials depending on the configuration.

"The vulnerability targets the XG Firewall’s administration interface which is accessible via the user portal, accessible over HTTPS, or on the WAN zone. Systems are also affected when the port used for the user portal or administration interface is used to expose a firewall service, such as the SSL VPN.

"Attackers could reuse the credentials collected in a successful attack, including admin passwords, for remote access, or access to other applications, within an organisation. The attack that triggered Sophos’s initial investigation and discovery of the zero-day also noted the presence of malware, Asnarok, on the device, that could modify services to ensure it ran each time the firewall was booted to maintain persistence. Sophos has published a separate article, “Asnarök Trojan targets firewalls” which provides more detail.

"As well as implementing the hotfix pushed out by Sophos, organisations should work to reduce the attack surface where possible by disabling the HTTPS Admin Services and User Portal access on the WAN interface."

The original version of this article was first published on SC US.
