
0-DAY vulnerability in SOPHOS XG FIREWALL/SFOS

Reference: Advisory #2020-014
Version: 1
Affected software:
- Sophos XG Firewall [SFOS] 17.0
- Sophos XG Firewall [SFOS] 17.1
- Sophos XG Firewall [SFOS] 17.5
- Sophos XG Firewall [SFOS] 18.0
Type: Remote Code Execution [RCE]

Sources

https://community.sophos.com/kb/en-us/135412

https://news.sophos.com/en-us/2020/04/26/asnarok/

https://community.sophos.com/kb/en-us/135414

https://www.zdnet.com/article/hackers-are-exploiting-a-sophos-firewall-zero-day/

Risks

Successful exploitation of this vulnerability allows a remote attacker to execute code on affected versions of the Sophos XG Firewall.
The vulnerability is being actively exploited. Attackers have used it to download further payloads onto the firewall and to exfiltrate data such as usernames and hashed passwords of local accounts, which is why the credential resets below are recommended even on devices that have already been patched.

Recommended Actions

CERT.be recommends installing the hotfix released by the vendor if the device is not configured to install hotfixes automatically, and verifying afterwards that it has actually been applied. CERT.be also recommends reducing the administration and configuration interfaces that are reachable from the Internet to the absolute minimum.

The following steps are recommended even on devices that already received the hotfix:

- Reset the device administration accounts (see https://community.sophos.com/kb/en-us/123732)

- Reboot the XG device(s)

- Reset passwords for all local user accounts
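The recommendation to keep administration interfaces off the Internet is easiest to verify from the outside. The script below is an added example written for this advisory, not a Sophos tool and not part of the original text: run from a host outside your network, it attempts a TCP handshake to the firewall's WAN address on the ports SFOS uses by default for WebAdmin (4444/tcp) and the User Portal (443/tcp). Those two defaults are an assumption of this example; adjust them if the deployment uses other ports. A completed handshake means the interface is publicly reachable and should be restricted with a firewall or device-access rule.

```python
"""Check whether Sophos XG/SFOS management interfaces answer on their usual
TCP ports from the vantage point this script runs on.

Added example for the CERT.be advisory; not vendor code. Run it from a
host on the Internet against the firewall's WAN IP. A successful connect
means the service is publicly exposed.
"""
import socket
import sys

# Assumed SFOS defaults: WebAdmin on 4444/tcp, User Portal on 443/tcp.
# Change these if the device has been configured with custom ports.
DEFAULT_PORTS = {4444: "WebAdmin", 443: "User Portal"}


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP handshake to host:port completes within timeout.

    Only the handshake is attempted; nothing is sent, so the check is safe
    to run against production devices. Refused, filtered and timed-out
    connections all count as "not reachable".
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_exposure(host: str, ports=DEFAULT_PORTS, timeout: float = 3.0) -> dict:
    """Probe every management port and return {port: (service, reachable)}."""
    return {port: (name, tcp_reachable(host, port, timeout))
            for port, name in ports.items()}


def main(argv) -> int:
    if len(argv) < 2:
        print(f"usage: {argv[0]} <firewall-wan-ip> [<ip> ...]")
        return 2
    exposed = False
    for host in argv[1:]:
        for port, (name, reachable) in check_exposure(host).items():
            state = "REACHABLE - restrict this interface" if reachable else "closed/filtered"
            print(f"{host}:{port} ({name}): {state}")
            exposed = exposed or reachable
    # Non-zero exit lets the check fail a scheduled job when something is exposed.
    return 1 if exposed else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The exit status is non-zero when any port answers, so the script can be scheduled as a recurring control after the hotfix and credential resets have been applied.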

References

https://community.sophos.com/kb/en-us/135415

https://community.sophos.com/kb/en-us/123732