SQL Injection Vulnerability In Sophos XG Firewall That Was Under Active Exploit


A serious vulnerability in Sophos XG Firewall was under active exploitation: hackers abused this bug to steal data from targeted devices.

Sophos XG Firewall Vulnerability

Reportedly, Sophos has disclosed an SQL injection vulnerability in its XG Firewall that hackers were actively exploiting.

Describing the details in an advisory, Sophos stated that it recently noticed an attack on XG devices, which prompted an investigation. As explained in the advisory,

The attack affected systems configured with either the administration (HTTPS service) or the User Portal exposed on the WAN zone.

The investigation uncovered a previously unknown SQL injection vulnerability in XG Firewall. The hackers abused this flaw to deliver malicious payloads to the devices and steal data.

It was designed to download payloads intended to exfiltrate XG Firewall-resident data. The data for any specific firewall depends upon the specific configuration and may include usernames and hashed passwords for the local device admin(s), portal admins, and user accounts used for remote access. Passwords associated with external authentication systems such as AD or LDAP are unaffected.
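The advisory above describes the outcome (SQL injection used to pull local account names and password hashes) but not the vulnerable code path, so the following is an added, generic illustration and not Sophos' code or the payload used in this incident. It contrasts a lookup that splices a request parameter into SQL text with the same lookup using a bound parameter, against a constructed in-memory table of made-up accounts, and shows why the first shape leaks every row while the second returns none for the same input. The table contents, the `PROBE` string and all function names are assumptions made for the example.

```python
import sqlite3

# Constructed sample account store; the names and hashes are invented and
# only stand in for the kind of local-admin/portal data the advisory mentions.
USERS = [
    ("admin", "hash_a1b2c3"),
    ("portaladmin", "hash_d4e5f6"),
    ("vpnuser", "hash_g7h8i9"),
]


def build_db():
    """Create an in-memory SQLite database holding the constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_vulnerable(conn, name):
    """Vulnerable pattern: the untrusted value is interpolated into the SQL text,
    so quote characters in it are parsed as part of the statement."""
    sql = f"SELECT name, pw_hash FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Hardened pattern: the value travels as a bound parameter and is compared
    as data; it can never change the statement's structure."""
    return conn.execute(
        "SELECT name, pw_hash FROM users WHERE name = ?", (name,)
    ).fetchall()


# Constructed probe input of the textbook "always true" form (assumption for the
# demo; the page does not disclose the payload used against XG Firewall).
PROBE = "x' OR '1'='1"


def demo():
    """Return the row counts each lookup produces for the probe and a real name."""
    conn = build_db()
    return {
        "vulnerable": len(lookup_vulnerable(conn, PROBE)),      # whole table leaks
        "parameterized": len(lookup_parameterized(conn, PROBE)),  # no match
        "legit": len(lookup_parameterized(conn, "admin")),        # normal use still works
    }


if __name__ == "__main__":
    print(demo())
```

The defensive lesson matches what the hotfix had to achieve: the fix is in the query construction, not in filtering characters at the edge, and the parameterized form keeps legitimate lookups working unchanged.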

Sophos Released Emergency Fix

After noticing the incident, Sophos worked to develop and release a hotfix for all XG Firewall/SFOS versions.

This hotfix eliminated the SQL injection vulnerability, which prevented further exploitation; it also stopped the XG Firewall from accessing any attacker infrastructure and cleaned up any remnants of the attack.

This hotfix was rolled out to both compromised and non-compromised systems, so all XG Firewall users will receive the patch. Users whose devices were compromised will also learn of the compromise through a popup notification shown after the hotfix is applied.

However, users who have disabled automatic installation of hotfixes must update the device manually, following the procedure Sophos describes.

For users with compromised devices, Sophos also recommends resetting portal and device admin accounts, rebooting the XG device, resetting passwords, and resetting the passwords of any other account that shares credentials with the XG Firewall.

Also, as a precaution, Sophos advises disabling the HTTPS admin service and User Portal access on the WAN interface to reduce the attack surface.


Abeerah Hashim

Abeerah has been a passionate blogger for several years with a particular interest towards science and technology. She is crazy to know everything about the latest tech developments. Knowing and writing about cybersecurity, hacking, and spying has always enchanted her. When she is not writing, what else can be a better pastime than web surfing and staying updated about the tech world! Reach out to me at: [email protected]