[Last Update - 5/22/2020 19:00 UTC]
Sections Updated:
- Do customers need to do anything after the hotfix is applied?

 

What happened?

Sophos received a report on April 22, 2020, at 20:29 UTC regarding an XG Firewall with a suspicious field value visible in the management interface. Sophos commenced an investigation and the incident was determined to be an attack against physical and virtual XG Firewall units. The attack affected systems configured with either the administration interface (HTTPS admin service) or the user portal exposed on the WAN zone. In addition, firewalls manually configured to expose a firewall service (e.g. SSL VPN, SPX Portal) to the WAN zone that shares the same port as the admin or user portal were also affected. For reference, the default configuration of XG Firewall is that all services operate on unique ports.

The attack used a previously unknown pre-auth SQL injection vulnerability to gain access to exposed XG devices. It was designed to exfiltrate XG Firewall-resident data. Customers with impacted firewalls should remediate to avoid the possibility that any data was compromised. The data exfiltrated for any impacted firewall includes all local usernames and hashed passwords of any local user accounts. For example, this includes local device admins, user portal accounts, and accounts used for remote access. Passwords associated with external authentication systems such as Active Directory (AD) or LDAP were not compromised.

 

The following sections are covered:

• How did Sophos respond?
• Was my XG Firewall compromised?
• How can I ensure that I receive the hotfix?
• Do customers need to do anything after the hotfix is applied?
• Are there any additional steps I should take to secure my environment?
• What firmware versions of XG Firewall (SFOS) were impacted?
• Timeline of attack
• More information

 

How did Sophos respond?

Sophos immediately began an investigation that included retrieving and analyzing the artifacts associated with the attack. After determining the components and impact of the attack, Sophos deployed a hotfix to all supported XG Firewall/SFOS versions. This hotfix eliminated the SQL injection vulnerability which prevented further exploitation, stopped the XG Firewall from accessing any attacker infrastructure, and cleaned up any remnants from the attack.

After analyzing the components and intent of the attack, Sophos published a SophosLabs Uncut article, “Asnarok” Trojan targets firewalls, to share its current understanding of the malware.

 

Was my XG Firewall compromised?

The XG Firewall hotfix that Sophos deployed includes a message on the XG management interface to indicate whether or not a given XG Firewall was affected by this attack.

Scenario 1 (Uncompromised):
Hotfix applied to an uncompromised firewall

 

Scenario 2 (Compromised):
Hotfix applied and successfully remediated a compromised firewall

 

How can I ensure that I receive the hotfix?

If you have disabled “Allow automatic installation of hotfixes”, please reference the following KBA for instructions on how to apply the required hotfix: https://community.sophos.com/kb/en-us/135415

Note: Customers managing XG Firewalls with either Sophos Firewall Manager (SFM) or Central Firewall Manager (CFM) need to verify each firewall has an active connection with firewall management to receive critical updates. These steps are not required for Sophos Central managed devices.

• SFM: https://community.sophos.com/kb/en-us/135429
• CFM: https://community.sophos.com/kb/en-us/135447
  

 

Do customers need to do anything after the hotfix is applied?

For uncompromised XG Firewall devices, no additional steps are required.

For compromised XG Firewall devices that have received the hotfix, we strongly recommend the following additional steps to fully remediate the issue:

1. Reset device administrator accounts
   • See: https://community.sophos.com/kb/en-us/123732
   • Sophos is enforcing a password reset for the XG administrator and all other local administrator accounts that have not reset their password since 2200 UTC on April 25, 2020. The password reset is shown only on an XG Firewall that was identified as impacted AND the password has not been changed since 2200 UTC on April 25, 2020. Admins will still receive the password reset request even if multi-factor authentication is enabled. The last date/time check for the password change is determined locally on the firewall from logged events. In the event a positive determination cannot be made, admins will be forced to change their password.
2. Reset passwords for all local user accounts
   • See:
     • How to identify Local, AD, and Guest users
       • https://community.sophos.com/kb/en-us/135419
     • Local user password reset
       • https://community.sophos.com/kb/en-us/135493
     • How to change the password for local users from the User Portal
       • https://community.sophos.com/kb/en-us/135495
3.  Although the passwords were hashed, it is recommended that passwords are reset for any accounts where the XG credentials might have been reused.

 

Notes:

As an additional security measure, a Captcha has been added to the XG Firewall admin and user portals on the WAN and VPN zones. It is enabled for all devices running v17.x and v18.x, except for XG85/XG85w devices. Any Cyberoam device that has upgraded to the XG Firewall firmware will not see the newly implemented Captcha.

For select configurations, Hotfix HF051220.1 adds CLI commands to manually disable the Captcha for VPN zones and the mandatory password reset prompt. See: https://community.sophos.com/products/xg-firewall/b/blog/posts/xg-firewall-hotfix-hf051220-1-released

The hotfix alert message does not disappear once the hotfix is applied. The full alert will remain visible in the XG management interface, even after the hotfix has been successfully applied and even after any additional remediation steps have been completed.

While customers should always conduct their own internal investigation, at this point Sophos is not aware of any subsequent remote access attempts to impacted XG devices using the stolen credentials.

As a general best security practice to reduce attack surface wherever possible, Sophos recommends disabling HTTPS admin services on the WAN interface. If the User Portal is not being used, Sophos also recommends deactivating this service on the WAN as well. See: https://community.sophos.com/kb/en-us/135414

For recommended remote administration options, please consider the following:

• Administering your firewall via Sophos Central (recommended)
• Administering your firewall via Remote Access VPN

 

Are there any additional steps I should take to secure my environment?

The following steps are recommended to further secure your environment:

• Do not expose any service on the WAN interface, unless necessary
• Ensure that you have enabled the automatic installation of hotfixes.
  • See https://community.sophos.com/kb/en-us/135415
• Enable Multi-Factor Authentication or One Time Password (OTP) where possible:
  • One Time Password:
    • https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/concepts/OTPTokenManage.html
  • Multi-Factor Authentication:
    • https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/learningContents/ConfiguringTwoFactorAuthentication.html

 

What firmware versions of XG Firewall (SFOS) were impacted?

The vulnerability affected all versions of XG Firewall firmware on both physical and virtual firewalls. All supported versions of the XG Firewall firmware / SFOS received the hotfix (SFOS 17.0, 17.1, 17.5, 18.0). The hotfix was also made available to unsupported SFOS v16 and v16.5 devices.

Note: Sophos strongly advises customers using older versions of SFOS to protect themselves by upgrading to a supported version immediately.

 

Timeline of attack

All times UTC

Day and Time	Description
2020-04-22 16:00	Attack begins
2020-04-22 20:29	Sophos receives report of a suspicious field value in an XG Firewall management interface
2020-04-22 22:03	Incident escalated to Sophos internal cybersecurity team
2020-04-22 22:20	Initial forensics started
2020-04-22 22:44	SophosLabs blocks suspect domains found in initial forensics
2020-04-23 06:30	Sophos researchers identify indicators of attack
2020-04-23 07:52	Analysis indicates attack affecting multiple customers - major incident process initiated
2020-04-23 15:47	Sophos notifies Community of initial mitigations
2020-04-23 19:39	Initial attack vector identified as SQL injection attack
2020-04-23 21:40	SophosLabs identifies and blocks additional domains
2020-04-24 03:00	Telemetry update issued to all XG Firewalls
2020-04-24 04:20	Sophos notifies Community of additional mitigations
2020-04-24 05:00	Sophos begins design, development, and testing of hotfix to mitigate SQL injection
2020-04-25 07:00	Sophos began pushing hotfixes to supported XG Firewalls
2020-04-25 22:00	Sophos confirms completion of hotfix rollout to XG Firewall units with auto-update (default) enabled.

 

More information

This vulnerability is listed as CVE 2020-12271 in the National Vulnerability Database.

We recommend you continue to monitor this KBA to stay apprised of any additional information related to this attack that we may uncover through ongoing investigations.