KBA 135412
Fixing SQL injection vulnerability and malicious code execution in XG Firewall/SFOS
Note: The attack for this vulnerability was possible ONLY if the affected systems were configured with *either* the administration (HTTPS service) or the User Portal exposed on the WAN zone.
We recommend that users access the unit over a VPN, and that administrative management is done over a VPN or through Sophos Central. See KB article: https://community.sophos.com/kb/en-us/135414
The Attack Details
The attack used a previously unknown SQL injection vulnerability to gain access to exposed XG devices. It was designed to download payloads intended to exfiltrate XG Firewall-resident data. The data for any specific firewall depends upon the specific configuration and may include usernames and hashed passwords for the local device admin(s), portal admins, and user accounts used for remote access. Passwords associated with external authentication systems such as AD or LDAP are unaffected. At this time, there is no indication that the attack accessed anything on the local networks behind any impacted XG Firewall.
There are two scenarios here:
Scenario 1 (Uncompromised)
Sophos automatically applied a hotfix to the firewall.
Note: If you have disabled “Allow automatic installation of hotfixes”, please reference the following KBA for instructions on how to apply the required hotfix: https://community.sophos.com/kb/en-us/135415
Actions Required for Scenario 1 (Uncompromised): if the hotfix was applied, no further action is needed (other than upgrading to the latest firmware, which is always recommended).
Scenario 2 (Compromised)
The hotfix was applied and successfully remediated a compromised firewall.
Note: If you have disabled “Allow automatic installation of hotfixes”, please reference the following KBA for instructions on how to apply the required hotfix: https://community.sophos.com/kb/en-us/135415
Actions Required for Scenario 2 (Compromised): for compromised XG Firewall devices that have received the hotfix, we strongly recommend the following additional steps to fully remediate the issue:
- Reset portal administrator and device administrator accounts
- Reboot the XG device(s)
- Reset passwords for all local user accounts
- Although the passwords were hashed, it is recommended that passwords be reset for any accounts where the XG credentials might have been reused
Note: While customers should always conduct their own internal investigation, at this point Sophos is not aware of any subsequent remote access attempts to impacted XG devices using the stolen credentials.
What firmware versions of XG Firewall (SFOS) were impacted?
The vulnerability affected all versions of XG Firewall firmware on both physical and virtual firewalls. All supported versions of the XG Firewall firmware / SFOS received the hotfix (SFOS 17.1, 17.5, 18.0). Customers using older versions of SFOS can protect themselves by upgrading to a supported version immediately.