Sophos Utm Zoom


After experiencing issues with Sophos XG Firewall v18 MR1, the software has been pulled. And now there are reports that the Sophos XG Firewall is being attacked via 0-day exploits. Sophos has released an emergency patch to close the vulnerability. Here is some information about this 'drama' and the attack.


The trouble with the Sophos XG Firewall update


First a short review. A few weeks ago the company released firmware updates for Sophos UTM to version 9.703, as well as an update for the Sophos XG Firewall v18 MR1. In mid-April 2020 I had pointed out in the blog post Stop: Don't install Sophos UTM 9.703 Firmware that this update should not be installed due to serious issues. Sophos then had to withdraw this firmware for the Sophos UTM.

The German edition of the above blog post was commented on by blog reader Matthias Gutowsky (thank you for that), pointing out that the same problem exists with the Sophos XG Firewall. In this Sophos Community post, dated April 14, 2020, it was noted that Sophos XG Firewall v18 MR1 had also been withdrawn and that a new version was being worked on. But the trouble continued.

Sophos XG firewall under attack

Over the weekend I had already seen the following tweet from Catalin Cimpanu, pointing to a ZDNet article with details about the attack.

BREAKING: Hackers are exploiting a Sophos firewall zero-day

– Attacks detected on Wednesday
– Hackers exploited an SQLi to steal device data (creds)
– Patch pushed out earlier today
– Patch also removes artifacts from compromised XG firewall systems https://t.co/RSeABqz7jc pic.twitter.com/c971ypwgao

— Catalin Cimpanu (@campuscodi) April 26, 2020

Bleeping Computer has also published this article about the 0-day exploit and the attacks. In security advisory 135412 Sophos says that on April 22, 2020 at 20:29 UTC a report was received about strange behavior of an XG firewall: its management interface suddenly showed a suspicious field value.


Unknown SQL injection vulnerability exploited

Sophos's investigation identified the incident as an attack on both physical and virtual XG firewall units.

  • The attack affected systems configured with either the management interface (HTTPS administration service) or the user portal exposed in the WAN zone.
  • It also affected firewalls that were manually configured to expose a firewall service (such as SSL VPN) in the WAN zone that uses the same port as the management or user portal.

The default configuration of the XG firewall, on the other hand, requires that all services operate on unique ports. The attack used a previously unknown pre-authentication SQL injection vulnerability to gain access to exposed XG devices. The aim of the exploit is to exfiltrate data resident on the XG firewall.
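The two exposure conditions above can be turned into a configuration audit. The following is an added illustration, not Sophos code: the service/zone/port data model and the sample bindings (including the port numbers) are constructed, and a reader would have to map a real XG configuration export onto it.

```python
"""Audit firewall service bindings against the exposure conditions the
advisory describes. Hypothetical data model, not the XG config format."""
from dataclasses import dataclass

# Services the attack targeted when reachable from the WAN zone.
TARGETED = {"admin_portal", "user_portal"}


@dataclass(frozen=True)
class Binding:
    service: str   # e.g. "admin_portal", "user_portal", "ssl_vpn"
    zone: str      # e.g. "WAN", "LAN"
    port: int


def exposure_findings(bindings):
    """Return findings explaining why a config is in the affected set.
    An empty list means neither exposure condition is met."""
    findings = []
    # Ports used by the management or user portal, in any zone.
    portal_ports = {b.port for b in bindings if b.service in TARGETED}
    for b in bindings:
        if b.zone != "WAN":
            continue
        if b.service in TARGETED:
            # Condition 1: portal itself exposed in the WAN zone.
            findings.append(f"{b.service} exposed on WAN port {b.port}")
        elif b.port in portal_ports:
            # Condition 2: another WAN-facing service (e.g. SSL VPN)
            # shares the port used by the management or user portal.
            findings.append(
                f"{b.service} on WAN port {b.port} shares the portal port")
    return findings


def is_affected(bindings):
    return bool(exposure_findings(bindings))


# Constructed sample configurations (ports are illustrative only).
SAFE = [Binding("admin_portal", "LAN", 4444),
        Binding("user_portal", "LAN", 443),
        Binding("ssl_vpn", "WAN", 8443)]
ADMIN_ON_WAN = SAFE + [Binding("admin_portal", "WAN", 4444)]
SHARED_PORT = [Binding("admin_portal", "LAN", 4444),
               Binding("user_portal", "LAN", 443),
               Binding("ssl_vpn", "WAN", 443)]

if __name__ == "__main__":
    for name, cfg in [("safe", SAFE), ("admin on WAN", ADMIN_ON_WAN),
                      ("shared port", SHARED_PORT)]:
        print(name, "->", exposure_findings(cfg) or "not in affected set")
```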

The data exfiltrated from each affected firewall includes the user names and hashed passwords of all local user accounts, for example local device administrators, user portal accounts, and accounts used for remote access. Sophos has published this blog post with more information about this attack.

Note: Passwords associated with external authentication systems such as Active Directory (AD) or LDAP have not been compromised.

Sophos distributes emergency patch

After determining the components and effects of the attack, Sophos provided a hotfix for all supported XG firewall/SFOS versions. This hotfix should already have been applied to all affected devices with auto-update enabled. The hotfix addresses the SQL injection vulnerability and is intended to prevent further exploitation of the 0-day and attacker access to the infrastructure via the XG firewall. At the same time, the hotfix is intended to clean up any remnants of the attack.


Note: If the 'Allow automatic installation of hotfixes' option is disabled, see KB 135415 for instructions on how to apply the required hotfix.


Is Sophos XG Firewall compromised?

In a Security Advisory, Sophos gives some advice on how administrators can detect if the XG firewall is compromised. The XG firewall hotfix applied by Sophos includes a message in the XG management interface, indicating whether or not a particular XG firewall was affected by this attack. If the hotfix is installed, an uncompromised Sophos XG firewall will display the message below.



(Alert on XG-Firewall, Source: Sophos, Click to zoom)

If the hotfix was successfully installed and the firewall was compromised, the following message should appear in the Control center.


(Compromised Sophos XG-Firewall, Source: Sophos, Click to zoom)

Customers with compromised firewalls should respond by rebooting their XG devices. In addition, the passwords of all local user accounts should be changed. Details can be found in this Sophos advisory.

Similar articles:
Stop: Don't install Sophos UTM 9.703 Firmware
Revised Firmware update Sophos UTM 9.703-3 released


Sophos Web Protection provides enhanced protection against web threats. It includes the following features:

  • Live URL filtering
  • Scanning of downloaded content
  • Checking of the reputation of downloaded files

Live URL filtering

Live URL filtering blocks access to websites that are known to host malware. This feature works by performing a real-time lookup against Sophos's online database of infected websites.

When access to a malicious website is blocked, the event is recorded in the scanning log. For information about viewing the scanning log, see View the scanning log.

Content scanning

Content scanning scans data and files downloaded from the internet (or intranet) and proactively detects malicious content. This feature scans content hosted at any location, including locations not listed in the database of infected websites.

Download reputation

Download reputation is calculated based on the file's age, source, prevalence, deep content analysis and other characteristics.

Note: Download reputation is supported only on Windows 7 and later.

By default, an alert will be displayed when a file with low or unknown reputation is downloaded. We recommend that you do not download such files. If you trust the file's source and publisher, you can choose to download the file. Your action and the file's URL will be recorded in the scanning log.

Note: Download reputation is calculated based on the data in the SophosLabs in-the-cloud database and requires Sophos Live Protection to be enabled in order to perform lookups and obtain the data. (By default, Sophos Live Protection is enabled.)

For more information about download reputation, see knowledgebase article 121319.

Web protection configuration settings

By default, web protection is enabled: access to malicious websites is blocked, downloaded content is scanned and the reputation of downloaded files is checked.

For more information about the web protection settings and how to change them, see Configure Sophos Web Protection.

Supported web browsers

Web protection is supported on the following web browsers:

  • Internet Explorer
  • Edge
  • Google Chrome
  • Firefox (except for download reputation)
  • Safari (except for download reputation)
  • Opera

Web content accessed via an unsupported browser is not filtered and will not be blocked.
