Home / Networking / Hackers are exploiting a Sophos firewall zero-day

Hackers are exploiting a Sophos firewall zero-day


Sophos

Cyber-security firm Sophos has published an emergency security update on Saturday to patch a zero-day vulnerability in its XG enterprise firewall product that was being abused in the wild by hackers.

Sophos said it first learned of the zero-day on late Wednesday, April 22, after it received a report from one of its customers. The customer reported seeing “a suspicious field value visible in the management interface.”

After investigating the report, Sophos determined this was an active attack and not an error in its product.

Hackers abused an SQL injection bug to steal passwords

“The attack used a previously unknown SQL injection vulnerability to gain access to exposed XG devices,” Sophos said in a security advisory today.

Hackers targeted Sophos XG Firewall devices that had their administration (HTTPS service) or the User Portal control panel exposed on the internet.

Sophos said the hackers used the SQL injection vulnerability to download a payload on the device. This payload then stole files from the XG Firewall.

Stolen data could include usernames and hashed passwords for the firewall device admin, for the firewall portal admins, and user accounts used for remote access to the device.

Sophos said that passwords for customers’ other external authentication systems, such as AD or LDAP, were unaffected.

Advertisements

The company said that during its investigation, it did not find any evidence that hackers used the stolen passwords to access XG Firewall devices, or anything beyond the firewall, on its customers’ internal networks.

Patch already pushed to customer devices

The UK company, famed for its antivirus product, said it prepared and already pushed an automatic update to patch all XG Firewalls that have the auto-update feature enabled.

“This hotfix eliminated the SQL injection vulnerability which prevented further exploitation, stopped the XG Firewall from accessing any attacker infrastructure, and cleaned up any remnants from the attack,” it said.

The security update will also add a special box in the XG Firewall control panel to let device owners know if their device has been compromised.

sophos-xg-alert.png

Image: Sophos

For companies that had devices hacked, Sophos is recommending a series of steps, which include password resets and device reboots:

  1. Reset portal administrator and device administrator accounts
  2. Reboot the XG device(s)
  3. Reset passwords for all local user accounts
  4. Although the passwords were hashed, it is recommended that passwords are reset for any accounts where the XG credentials might have been reused

Sophos also recommends that companies disable the firewall’s administration interfaces on the internet-facing ports if they don’t need the feature. Instructions to disable the control panel on the WAN interface are available here.



Source link

Advertisements

About admin

I'm a 50 year old PLC programmer from Burnley, UK. I severed my time as an electrician in the baking industry and soon got involved with the up and coming technology of PLC's. Initially this was all based in the Uk but as the years went by I have gradually worked my way around the globe. At first it was mainly Mitsubishi with a bit of Modicon thrown in but these days the industry leaders seem to be the Allen Bradley range of PLC and HMI’s.

Check Also

Fibre to the basement left out of NBN plan to update fibre to the node

Advertisements Two charismatic gentlemen: Minister Paul Fletcher and NBN CEO Stephen Rue Image: Chris Duckett/ZDNet ...

Leave a Reply

Your email address will not be published. Required fields are marked *

Advertisements