0-DAY SQL injection vulnerability in SOPHOS XG FIREWALL/SFOS
Sources
- https://community.sophos.com/kb/en-us/135412
- https://news.sophos.com/en-us/2020/04/26/asnarok/
- https://community.sophos.com/kb/en-us/135414
- https://www.zdnet.com/article/hackers-are-exploiting-a-sophos-firewall-zero-day/
Risks
Successful exploitation of this vulnerability may allow an attacker to execute code remotely on the affected versions of the Sophos XG Firewall.
Attackers are actively exploiting this vulnerability and can leverage the vulnerability to download a payload or use it to exfiltrate data like usernames and hashed passwords.
Description
The zero-day vulnerability was disclosed on April 22, 2020, and is actively exploited by attackers.
Attackers are targeting XG Firewall devices’ configuration with a publicly available administration interface (HTTPS service) or user portal via the internet.
The flaw exists due to an SQL injection bug in the XG enterprise firewall product on both physical and virtual firewalls.
The UK-based company Sophos, has already pushed an automatic update to patch all XG Firewalls that have the auto-update feature enabled.
For more information regarding how this vulnerability is exploited please refer to:
Recommended Actions
CERT.be recommends applying the updates released by the vendor if your configuration didn’t apply the patches automatically. CERT.be recommends limiting publicly accessible administration and configuration tools to an absolute minimum.
It is recommended to apply the following steps even if the devices were patched:
- Reset device administration accounts
- Reboot the XG device(s)
- Reset passwords for all local user accounts