SQL Injection Vulnerability In Sophos XG Firewall That Was Under Active Exploit

A serious vulnerability in Sophos XG Firewall was under active exploitation. Specifically, attackers abused this bug to steal data from targeted devices.

Sophos XG Firewall Vulnerability

Reportedly, Sophos has disclosed an SQL injection vulnerability in its XG Firewall that attackers actively exploited.

Describing the details in an advisory, Sophos stated that they recently noticed an attack on XG devices, which prompted them to investigate. As explained in the advisory,

The attack affected systems configured with either the administration (HTTPS service) or the User Portal exposed on the WAN zone.

Eventually, they discovered a previously unknown SQL injection vulnerability in XG Firewall. The attackers abused this flaw to deliver malicious payloads to the devices and steal data.

It was designed to download payloads intended to exfiltrate XG Firewall-resident data. The data for any specific firewall depends upon the specific configuration and may include usernames and hashed passwords for the local device admin(s), portal admins, and user accounts used for remote access. Passwords associated with external authentication systems such as AD or LDAP are unaffected.
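The advisory describes an SQL injection against a web-facing admin or user portal that was used to read out local usernames and password hashes. The following added example (not from Sophos, and not a reproduction of the XG flaw) shows the root-cause pattern behind that class of bug and its fix: a lookup that splices user input into the query text next to the same lookup written with a bound parameter. The table name, column names, and sample rows are constructed for the demonstration.

```python
import hashlib
import sqlite3

# Constructed sample data (not from the advisory): a local-admin table of the
# kind the advisory says the exfiltration payload targeted.
SAMPLE_ADMINS = [
    ("admin", hashlib.sha256(b"example-password-1").hexdigest()),
    ("portaladmin", hashlib.sha256(b"example-password-2").hexdigest()),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database holding the constructed local-admin table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE local_admins (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO local_admins VALUES (?, ?)", SAMPLE_ADMINS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable pattern: the input is formatted into the SQL text, so a quote
    character in the input changes the structure of the query itself."""
    query = (
        "SELECT username, password_hash FROM local_admins "
        f"WHERE username = '{username}'"
    )
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Hardened pattern: the input is bound as a parameter, so the database only
    ever compares it as a value and never parses it as SQL."""
    return conn.execute(
        "SELECT username, password_hash FROM local_admins WHERE username = ?",
        (username,),
    ).fetchall()


def demo() -> dict:
    """Run both lookups with a benign name and with a classic tautology payload.

    The vulnerable lookup returns every row for the hostile input (the whole
    credential table, as in the advisory's description); the parameterized
    lookup returns nothing because no user is literally named that.
    """
    conn = make_db()
    hostile = "' OR '1'='1"
    return {
        "benign_vulnerable": len(lookup_vulnerable(conn, "admin")),
        "benign_parameterized": len(lookup_parameterized(conn, "admin")),
        "hostile_vulnerable": len(lookup_vulnerable(conn, hostile)),
        "hostile_parameterized": len(lookup_parameterized(conn, hostile)),
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count} row(s)")
```

The point of the contrast is that the parameterized version needs no input filtering: the quote character is simply part of the value being compared. Sophos' recommendation to keep the admin and user portals off the WAN zone is the compensating control for the case where such a bug exists in code you cannot patch yourself.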

Sophos Released Emergency Fix

After noticing the incident, Sophos worked to develop and release a hotfix for all XG Firewall/SFOS versions.

This hotfix eliminated the SQL injection vulnerability, which prevented further exploitation; it also stopped the XG Firewall from contacting any attacker infrastructure and cleaned up any remnants of the attack.

This hotfix rolled out to both compromised and non-compromised systems, so all XG Firewall users receive the patch. Moreover, users learn whether their device was compromised through a popup notification shown after the hotfix is applied.

However, users who have disabled automatic installation of hotfixes need to update the device manually, following the procedure Sophos provides.

In addition, for users with compromised devices, Sophos recommends resetting portal and device admin accounts, rebooting the XG device, resetting passwords, and resetting the password of any other account that shares credentials with the XG Firewall.

Also, as a precaution, Sophos advises disabling HTTPS Admin Services and User Portal access on the WAN interface to reduce the attack surface.
