Hackers exploited SQL injection flaw to compromise Sophos XG firewall devices

Anti-virus firewall solutions provider Sophos recently revealed that cyber criminals exploited a SQL injection vulnerability in the management interface of XG firewall to exfiltrate user data such as usernames, passwords, and local device admins.

The security firm said it received a report on 22nd April regarding an XG Firewall with a suspicious field value visible in the management interface. After investigating the issue, the firm discovered the incident to be an attack against physical and virtual XG Firewall units.

"The attack affected systems configured with either the administration interface (HTTPS admin service) or the user portal exposed to the WAN zone. In addition, firewalls manually configured to expose a firewall service (e.g. SSL VPN) to the WAN zone that shares the same port as the admin or User Portal were also affected," the firm said.

According to Sophos, the attack used a previously unknown pre-auth SQL injection vulnerability to gain access to exposed XG devices and exfiltrate XG Firewall-resident data. Hackers behind the activity compromised usernames and hashed passwords associated with user accounts that were being used for remote access. Sophos also revealed that hackers may have exfiltrated local device admins, user portal accounts, and accounts used for remote access.

After discovering the breach, Sophos began an investigation and deployed a hotfix to all supported XG Firewall/SFOS versions to eliminate the SQL injection vulnerability. The hotfix prevented further exploitation, stopped the XG Firewall from accessing any attacker infrastructure, and cleaned up any remnants from the attack.

Customers using compromised XG Firewall devices have been advised by Sophos to immediately download the hotfix, reset device administrator accounts, reset passwords for all local user accounts and reset passwords for any accounts where the XG credentials might have been reused.

Hackers could use stolen credentials to obtain remote access to organisations' IT systems

Commenting on hackers exploiting a security flaw to infiltrate XG firewall devices, Rody Quinlan, Security Response Manager at Tenable, told TEISS that "the SQL injection zero-day (CVE-2020-12271) affects the XG Firewall/Sophos Firewall Operating System (SFOS) and could allow attackers to exfiltrate “XG Firewall-resident data,” including usernames, hashed passwords, local user account credentials depending on the configuration.

"The vulnerability targets the XG Firewalls’s administration interface which is accessible via the user portal, accessible over HTTPs, or on the WAN zone. Systems are also affected when the port used for the user portal or administration interface is used to expose a firewall service, such as the SSL VPN.

"Attackers could reuse the credentials collected in a successful attack, including admin passwords, for remote access, or access to other applications, within an organization. The attack that triggered Sophos’s initial investigation and discovery of the zero-day also noted the presence of malware, Asnarok, on the device, that could modify services to ensure it ran each time the firewall was booted to maintain persistence,” he added.

The National Cyber Security Centre has issued the following advice for people who are using Sophos’ XG firewall solutions:

“We are aware of a vulnerability affecting a Sophos firewall product. The NCSC recommends following vendor best practice advice in the mitigation of vulnerabilities. Users should check their device to ensure auto-updates are turned on and they are using the latest version of the application.”

MORE ABOUT: