[Last Update - 5/22/2020 19:00 UTC] Sections Updated: Do customers need to do anything after the hotfix is applied?
Sophos received a report on April 22, 2020, at 20:29 UTC regarding an XG Firewall with a suspicious field value visible in the management interface. Sophos commenced an investigation and the incident was determined to be an attack against physical and virtual XG Firewall units. The attack affected systems configured with either the administration interface (HTTPS admin service) or the user portal exposed on the WAN zone. In addition, firewalls manually configured to expose a firewall service (e.g. SSL VPN, SPX Portal) to the WAN zone that shares the same port as the admin or user portal were also affected. For reference, the default configuration of XG Firewall is that all services operate on unique ports.
The attack used a previously unknown pre-auth SQL injection vulnerability to gain access to exposed XG devices. It was designed to exfiltrate XG Firewall-resident data. Customers with impacted firewalls should remediate to avoid the possibility that any data was compromised. The data exfiltrated for any impacted firewall includes all local usernames and hashed passwords of any local user accounts. For example, this includes local device admins, user portal accounts, and accounts used for remote access. Passwords associated with external authentication systems such as Active Directory (AD) or LDAP were not compromised.
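As an added example (not Sophos code), a small triage helper that encodes the exposure condition described above: a firewall is in the affected configuration if the HTTPS admin service or the User Portal is reachable from the WAN zone, either directly or because another WAN-exposed service was manually configured to share its port. The service names, port numbers and inventory format are assumptions.

```python
# Added triage helper (not Sophos code). Flags firewalls whose admin/User Portal
# is reachable from WAN, directly or via a WAN-exposed service sharing the port.
from dataclasses import dataclass

@dataclass(frozen=True)
class Service:
    name: str
    port: int
    zones: frozenset  # zones on which the service listens, e.g. {"LAN", "WAN"}

@dataclass(frozen=True)
class Firewall:
    hostname: str
    services: tuple

# Assumed names for the two services the advisory singles out.
PORTAL_SERVICES = {"admin_https", "user_portal"}

def exposure_findings(fw: Firewall) -> list:
    """One finding per way the admin or User Portal is reachable from WAN."""
    wan_services = [s for s in fw.services if "WAN" in s.zones]
    findings = []
    for portal in (s for s in fw.services if s.name in PORTAL_SERVICES):
        for ws in wan_services:
            if ws.port != portal.port:
                continue
            if ws.name == portal.name:
                findings.append(f"{portal.name} exposed directly on WAN port {portal.port}")
            else:
                findings.append(f"{ws.name} on WAN shares port {portal.port} with {portal.name}")
    return findings

def affected(fw: Firewall) -> bool:
    return bool(exposure_findings(fw))

def triage(fleet) -> dict:
    """Map hostname -> findings; an empty list means not in the affected configuration."""
    return {fw.hostname: exposure_findings(fw) for fw in fleet}

# Constructed inventory (ports and zones are illustrative, not defaults).
FLEET = (
    Firewall("fw-a", (Service("admin_https", 4444, frozenset({"LAN"})),
                      Service("user_portal", 443, frozenset({"LAN"})),
                      Service("ssl_vpn", 8443, frozenset({"WAN"})))),
    Firewall("fw-b", (Service("admin_https", 4444, frozenset({"LAN", "WAN"})),)),
    Firewall("fw-c", (Service("user_portal", 443, frozenset({"LAN"})),
                      Service("ssl_vpn", 443, frozenset({"WAN"})))),
)

if __name__ == "__main__":
    for host, notes in triage(FLEET).items():
        print(host, "AFFECTED" if notes else "not affected", notes)
```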
The following sections are covered:
Sophos immediately began an investigation that included retrieving and analyzing the artifacts associated with the attack. After determining the components and impact of the attack, Sophos deployed a hotfix to all supported XG Firewall/SFOS versions. This hotfix eliminated the SQL injection vulnerability, preventing further exploitation, stopped the XG Firewall from accessing any attacker infrastructure, and cleaned up any remnants from the attack.
After analyzing the components and intent of the attack, Sophos published a SophosLabs Uncut article, “Asnarok” Trojan targets firewalls, to share its current understanding of the malware.
The XG Firewall hotfix that Sophos deployed includes a message on the XG management interface to indicate whether or not a given XG Firewall was affected by this attack.
Scenario 1 (Uncompromised): Hotfix applied to an uncompromised firewall
Scenario 2 (Compromised): Hotfix applied and successfully remediated a compromised firewall
If you have disabled “Allow automatic installation of hotfixes”, please reference the following KBA for instructions on how to apply the required hotfix: https://community.sophos.com/kb/en-us/135415
Note: Customers managing XG Firewalls with either Sophos Firewall Manager (SFM) or Central Firewall Manager (CFM) need to verify each firewall has an active connection with firewall management to receive critical updates. These steps are not required for Sophos Central managed devices.
For uncompromised XG Firewall devices, no additional steps are required.
For compromised XG Firewall devices that have received the hotfix, we strongly recommend the following additional steps to fully remediate the issue:
As an additional security measure, a Captcha has been added to the XG Firewall admin and user portals on the WAN and VPN zones. It is enabled for all devices running v17.x and v18.x, except for XG85/XG85w devices. Any Cyberoam device that has upgraded to the XG Firewall firmware will not see the newly implemented Captcha.
For select configurations, Hotfix HF051220.1 adds CLI commands to manually disable the Captcha for VPN zones and the mandatory password reset prompt. See: https://community.sophos.com/products/xg-firewall/b/blog/posts/xg-firewall-hotfix-hf051220-1-released
The hotfix alert message does not disappear once the hotfix is applied. The full alert will remain visible in the XG management interface, even after the hotfix has been successfully applied and even after any additional remediation steps have been completed.
While customers should always conduct their own internal investigation, at this point Sophos is not aware of any subsequent remote access attempts to impacted XG devices using the stolen credentials.
As a general best security practice to reduce attack surface wherever possible, Sophos recommends disabling HTTPS admin services on the WAN interface. If the User Portal is not being used, Sophos also recommends deactivating this service on the WAN as well. See: https://community.sophos.com/kb/en-us/135414
For recommended remote administration options, please consider the following:
The following steps are recommended to further secure your environment:
The vulnerability affected all versions of XG Firewall firmware on both physical and virtual firewalls. All supported versions of the XG Firewall firmware / SFOS received the hotfix (SFOS 17.0, 17.1, 17.5, 18.0). The hotfix was also made available to unsupported SFOS v16 and v16.5 devices.
Note: Sophos strongly advises customers using older versions of SFOS to protect themselves by upgrading to a supported version immediately.
All times UTC
This vulnerability is listed as CVE-2020-12271 in the National Vulnerability Database.
We recommend you continue to monitor this KBA to stay apprised of any additional information related to this attack that we may uncover through ongoing investigations.