
KBA 135412 - What does Compromised mean in this fix

What exactly does compromised mean regarding this hotfix? Does this mean that Sophos checked if Admin service and / or User Portal were allowed on the WAN port(s), or that Sophos found that the vulnerability was exploited on the XG Firewall?

  • Hi  

    At this time, there is no indication that the attack accessed anything on the local networks behind any impacted XG Firewall. It appears the attack was designed to download payloads intended to exfiltrate XG Firewall-resident data.

    The data for any specific firewall depends upon the specific configuration and may include usernames and hashed passwords for the local device admin(s), portal admins, and user accounts used for remote access.

    Passwords associated with external authentication systems such as AD or LDAP are unaffected. We are continuing to investigate and expect to release more details of the attack.  Please follow https://community.sophos.com/kb/en-us/135412 for further updates.

  • In reply to Keyur:

    Hi Keyur,

    I understand that, but what makes the hotfix decide if an XG is compromised or not compromised (the message on the dashboard of the XG)? Is this because the Admin Access and / or User Portal was allowed on the WAN interface(s), or did Sophos investigate on the XG appliance and find evidence that the vulnerability was exploited?

  • What about users stored at the firewall that are synced by STAS (AD) and/or the user account being used to sync STAS? Are they also compromised?

  • In reply to Antonvan Duin:

    Hi  

    Thanks for reaching out to us! More information on this shall be made available on the following KBA: https://community.sophos.com/kb/en-us/135412. We really appreciate your patience and cooperation. 

  • In reply to PRC_NJG:

    Thanks for reaching out! Passwords associated with external authentication systems such as AD or LDAP are unaffected. We are continuing to investigate and expect to release more details of the attack. Please follow https://community.sophos.com/kb/en-us/135412 for further updates.

  • Hello,

    My answer is not an official answer but I think I can help you a bit. I have 46 XG Firewalls, and only 9 received the "Hotfix applied for SQL injection and partially cleaned" message. The 37 other firewalls received the "Hotfix applied for SQL injection . Your device was NOT compromised" message.

    100% of the 46 firewalls were not accessible from WAN on the Admin service, but only with User Portal. The 9 "compromised" were configured to use the 8443 https port for User Portal, and the 37 other firewalls another port.


    So 100% of my firewalls had User Portal accessible from WAN, but only 9 received the "partially cleaned" message from Sophos. So, in my opinion, Sophos analyzed the xg firewalls and found that the vulnerability was exploited.


    Regards.

  • In reply to Yashraj:

    Are OTP seeds also compromised? That would mean the OTP hardware tokens of our customers are worthless!

    And what about the "backup encryption password" and the Server authentication credentials for ldap query?

    Best regards

    Michael

  • In reply to Keyur:

    Does anybody know how to get rid of the message? I changed my PWs, rebooted the firewall and disabled User Portal access (which ran on a non-standard port, but was compromised anyway), but the error message remains.

  • In reply to Christian Huber3:

    Christian Huber3

    Does anybody know how to get rid of the message? I changed my PWs, rebooted the firewall and disabled User Portal access (which ran on a non-standard port, but was compromised anyway), but the error message remains.

    The KB article below states that the message will not go away even after you restart. Don't know why, but I guess that's what Sophos has decided.

    https://community.sophos.com/kb/en-us/135412

  • The hotfix has a verification script (/content/dr/3/dr/drrun.sh) which looks for specific file / certificate artifacts and entries present in the Postgres database.

    • Files:
      • /tmp/x.sh
      • /scripts/vpn/ipsec/.generate_curl_ca_bundle.sh
      • /tmp/I
      • /tmp/.n.sh
      • /tmp/.pg.sh
      • /var/newdb/global/.post_MI
      • /scripts/._av_pre_script.sh
      • /tmp/.lp.sh
      • /tmp/b
      • /tmp/2own
      • /scripts/._av_pre_script
    • SQL:
      • psql -U nobody -d corporate -tAc "select * from  tbltelemetry where argument='post_MI'"
      • psql -U nobody -d corporate -tAc "select servicevalue from tblclientservices where servicekey='CCCAdminIP'"
      • psql -U nobody -d corporate -tAc "select servicevalue from tblclientservices where servicekey='ha_aux_traffic'"
    • Certificate:
      • grep -c sophosfirewallupdate /scripts/vpn/ipsec/generate_curl_ca_bundle.sh

    One hypothesis is that the attacker wanted to connect the FW to a remote management IP.

    As I applied the fix and only then realized this I cannot provide any insights into the actual values. But maybe someone else can.
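    A re-check of the file and CA-bundle indicators this post lists, as an added example (not Sophos' drrun.sh and not from this thread): it takes a root directory so it can be pointed at "/" on a live appliance or at a mounted backup image, and it only reports what it finds; the three psql queries are left to run by hand on the appliance itself.

```shell
#!/bin/sh
# Added example: re-check the on-disk artifacts the drrun.sh post lists.
# Paths are the ones quoted in the thread; the root argument is an assumption
# so the same function works on "/" or on a mounted backup.
ARTIFACTS="/tmp/x.sh
/scripts/vpn/ipsec/.generate_curl_ca_bundle.sh
/tmp/I
/tmp/.n.sh
/tmp/.pg.sh
/var/newdb/global/.post_MI
/scripts/._av_pre_script.sh
/tmp/.lp.sh
/tmp/b
/tmp/2own
/scripts/._av_pre_script"

# Print "FOUND <path>" for each listed artifact present under root ($1).
# Exit status 1 when at least one artifact exists, 0 when the tree is clean.
check_artifacts() {
  root="${1:-/}"
  found=0
  for f in $ARTIFACTS; do
    if [ -e "${root%/}$f" ]; then
      echo "FOUND ${root%/}$f"
      found=1
    fi
  done
  return $found
}

# Number of listed artifacts present under root ($1), for use in scripts.
count_artifacts() {
  check_artifacts "$1" | grep -c '^FOUND ' || true
}

# Number of lines in the legitimate CA-bundle script that mention the
# "sophosfirewallupdate" string the verification script greps for;
# prints 0 when the script is absent. Any non-zero count warrants a look.
ca_bundle_refs() {
  f="${1%/}/scripts/vpn/ipsec/generate_curl_ca_bundle.sh"
  if [ -f "$f" ]; then grep -c sophosfirewallupdate "$f" || true; else echo 0; fi
}
```

    Run it as `check_artifacts /` on the appliance, or `check_artifacts /mnt/backup` against a mounted virtual-appliance backup, and compare the output with what the dashboard message claims.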

  • Hello, may I ask you: it is recommended in KBA 135412 to "Reset portal administrator and device administrator accounts", but what is a PORTAL ADMINISTRATOR and where do I reset this account?

    Regards

  • In reply to Alexander Sennhauser:

    Thanks for that information. I was checking drrun.sh. So from my point of view, we could remove the database entry in tblalertconfig manually if we do not want that alert showing up in the GUI any longer.

    By the way: this hotfix script looks very basic. It doesn't prove whether there is any ongoing communication between my XG and the command and control servers.

    So I wouldn't be really sure whether we could trust this hotfix 100 percent.

    Furthermore, it would be interesting to know whether this hotfix will remain in place after an upgrade of Sophos XG. Maybe anyone can help with that?

  • In reply to Christian Huber3:

    Hi Christian,

    This hotfix eliminated the SQL injection vulnerability which prevented further exploitation, stopped the XG Firewall from accessing any attacker infrastructure, and cleaned up any remnants from the attack.

    This hotfix will persist across all supported SFOS versions.

    We will soon release more details of the attack and its payloads. Please follow our https://community.sophos.com/kb/en-us/135412 for further updates.

    Regards,

  • In reply to Alexander Sennhauser:

    Thanks for this, it gave me somewhere to start looking. One of the XG firewalls I manage is a virtual appliance and is backed up, so I could view the files that have been removed.

    If someone from Sophos is viewing, can we have clarification of two points:

    1 - Is the backup file encryption password hash included in the compromise?

    2 - Were local users SSL VPN certificates/configs compromised in this attack?

    The second point is important: if they are, then we need to plan re-installing end users' VPN clients with new certs.

  • In reply to FloSupport:

    After analyzing the components and intent of the attack, Sophos published a SophosLabs Uncut article, “Asnarok” Trojan targets firewalls, to share its current understanding of the malware.