Earlier this week, Sophos came to know about an SQL injection vulnerability in its XG Firewall. Upon investigation, Cybersecurity firm Sophos found out that physical and virtual XG Firewall units came under attack, which affected systems configured with either the administration (HTTPS service) or the User Portal exposed to the WAN zone. The company has since then released a security update patching a zero-day vulnerability in one of its products.
Sophos Firewall encounters SQL injection vulnerability
In this attack, hackers managed to exploit previously unknown SQL injection vulnerability, which could help them gain access to exposed XG devices.
In its recent security advisory, Sophos wrote:
“The attack used a previously unknown SQL injection vulnerability to gain access to exposed XG devices. It was designed to download payloads intended to exfiltrate XG Firewall-resident data.”
Once exploited, affected systems would download payload that was designed to exfiltrate resident data on Sophos XG Firewall.
The company deployed a hotfix to all supported XG Firewall and SFOS versions to neutralize threats posed by the SQL injection vulnerability and prevent further exploitation. According to Sophos, this would the XG Firewall from accessing any attacker infrastructure and clean up any “remnants” from the attack.
Affected data includes usernames and hashed passwords for the local device admin, portal admins, and user accounts used for remote access, depending on specific configurations for specific firewalls. According to passwords linked with external authentication systems like AD or LDAP remain unaffected.
“At this time, there is no indication that the attack accessed anything on the local networks behind any impacted XG Firewall.”
Are you Sophos XG Firewall customer?
If you are Sophos XG Firewall customer, you can check whether your firewall was affected by the vulnerability. Sophos XG management interface includes an alert that indicates whether or not your XG Firewall was affected by this attack. Sophos recommends additional steps, as follows:
- Reset portal administrator and device administrator accounts
- Reboot the XG device
- Reset passwords for all local user accounts
- Reset password for any account where the XG credentials might have been reused
The attack caused trouble to all versions of XG Firewall firmware on both physical and virtual firewalls. The XG Firewall firmware/SFOS received the hotfix version SFOS 17.1, 17.5, 18.0 apply all the supported versions. Meanwhile, customers on older versions of SFOS are advised to upgrade to a supported version immediately.