Hackers exploit zero day in Sophos XG Firewall, fix released




Sophos has fixed a zero-day SQL injection vulnerability in its XG Firewall after receiving reports that it was actively exploited by hackers in attacks.

Sophos says it received a report on April 22 that a suspicious field value was displayed in a customer's Sophos XG Firewall admin interface, and began an investigation.

“Sophos received a report on April 22, 2020 at 20:29 UTC regarding an XG Firewall with a suspicious field value visible on the admin interface. Sophos started an investigation and the incident was determined to be an attack on XG Firewall physical and virtual drives. The attack affected systems configured with administration (HTTPS service) or User Portal exposed in the WAN zone,” warned Sophos.

This attack used a previously unknown zero-day SQL injection vulnerability and, depending on the firewall configuration, could have allowed attackers to steal data from the firewall, including “usernames and hashed passwords for local device administrators, administrators of the portal, and user accounts used for remote access.”
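The article does not describe how the XG Firewall query was built, so the following is an added illustration of the vulnerability class itself, not Sophos's code. It uses an in-memory SQLite table of constructed, placeholder credential rows to show why a string-built lookup in an admin interface can hand an attacker every stored username and password hash, while the same lookup with a bound parameter returns nothing for the same input. All table and column names are hypothetical.

```python
import sqlite3

# Constructed sample data standing in for a local-account store of the kind the
# article says was exposed (device admins, portal admins, remote-access users).
# The hash strings are placeholders, not real password hashes.
SAMPLE_ACCOUNTS = [
    ("admin", "sha256$placeholder_hash_1", "device_admin"),
    ("portaladmin", "sha256$placeholder_hash_2", "portal_admin"),
    ("vpnuser", "sha256$placeholder_hash_3", "remote_access"),
]


def make_db():
    """Build an in-memory database holding the constructed sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, pw_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ACCOUNTS)
    return conn


def lookup_vulnerable(conn, username):
    """Vulnerable pattern: the request field is spliced into the SQL text.

    Anything the caller controls becomes SQL syntax, so a crafted value can
    rewrite the WHERE clause and return rows the caller never owned.
    """
    sql = f"SELECT username, pw_hash FROM accounts WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Hardened pattern: the request field is bound as a parameter.

    The driver sends the value separately from the statement, so it is
    compared as data and can never change the query's structure.
    """
    sql = "SELECT username, pw_hash FROM accounts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(username):
    """Run both lookups on the same input and return (vulnerable_rows, safe_rows)."""
    conn = make_db()
    try:
        return lookup_vulnerable(conn, username), lookup_parameterized(conn, username)
    finally:
        conn.close()


if __name__ == "__main__":
    # A benign lookup behaves identically under both patterns.
    print("benign:", compare("admin"))
    # A classic tautology in the field value turns the string-built query into
    # "... WHERE username = 'x' OR '1'='1'" and dumps every stored hash; the
    # parameterized query looks for a literal username and finds nothing.
    print("injected:", compare("x' OR '1'='1"))
```

The first function is the pattern to hunt for in code review of any management interface, and the second is the fix: the same data-access code with the query structure fixed at write time. Input filtering on the admin page can supplement this but does not replace it.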

Sophos states that attackers were unable to access passwords associated with external authentication systems such as LDAP and Active Directory.

Hotfix released

Yesterday, Sophos began pushing the hotfix to all Sophos XG firewalls that have the “Allow automatic hotfix installation” setting enabled on the device. Customers who have this setting disabled can install the hotfix manually by following Sophos's instructions.

“This hotfix removed the SQL injection vulnerability that prevented further exploitation, prevented XG Firewall from accessing the attacker’s infrastructure, and removed the remnants of the attack,” Sophos explains in its security bulletin.

Sophos states that it completed the rollout of the hotfix to all XG Firewall devices with automatic updating enabled on 2020-04-25 at 22:00.

How to know if your Sophos XG firewall was compromised

To help customers determine whether their XG Firewall has been compromised, the hotfix displays an alert in the XG admin interface indicating whether or not the device was compromised.

On devices that were not compromised, the hotfix displays an alert stating “Patch applied for SQL injection. Your device was NOT compromised.”

Alert displayed when Sophos XG Firewall was not compromised

On firewalls that were compromised through the vulnerability, the admin interface displays a “Patch applied for SQL injection and partially cleaned” warning message instead.

Alert displayed when Sophos XG Firewall was compromised

For compromised devices, Sophos also recommends the following additional steps to ensure that the firewall is fully secured:

  1. Reset portal administrator and device administrator accounts
  2. Restart XG devices
  3. Reset passwords for all local user accounts
  4. Although the passwords were encrypted, it is recommended to reset the passwords for any account where XG credentials could have been reused.

Sophos also warns that even after the hotfix has been applied and the remediation steps completed, this alert will continue to be displayed in the admin interface.
