0-DAY vulnerability in SOPHOS XG FIREWALL/SFOS
Sources
https://community.sophos.com/kb/en-us/135412
https://news.sophos.com/en-us/2020/04/26/asnarok/
https://community.sophos.com/kb/en-us/135414
https://www.zdnet.com/article/hackers-are-exploiting-a-sophos-firewall-zero-day/
Risks
Successful exploitation of this vulnerability may allow an attacker to execute code remotely on affected versions of the Sophos XG Firewall.
Attackers are actively exploiting this vulnerability in the wild, using it to download a payload onto the device and to exfiltrate data such as usernames and hashed passwords.
Recommended Actions
CERT.be recommends applying the updates released by the vendor if your configuration did not apply the patches automatically. CERT.be also recommends limiting publicly accessible administration and configuration interfaces to an absolute minimum.
It is recommended to apply the following steps even if the devices were already patched:
- Reset device administration accounts (see https://community.sophos.com/kb/en-us/123732)
- Reboot the XG device(s)
- Reset passwords for all local user accounts