
KBA 135412 Hashing Algorithm???

The KBA says if you were attacked, the passwords were hashed. Don't suppose anybody knows how they were hashed, or if Sophos will share that data with us? Were they salted? MD5 (I hope not, but I'd bet it is)? Something better like SHA1?

 

I'm going to see if anybody has any PoC attacks written about this online where we can see the exfiltrated data.



  • I would also be interested in this.  I also have concerns about the saved credentials for the LDAP account stored for AD authentication. I'm assuming it was stored in the DB but how it's hashed is anyone's guess.  Some more transparency out of Sophos would be helpful.

    • The users are probably stored in a SQL server on the firewall ("SQL injection vulnerability").

      When I log into the firewall with ssh, select the Advanced Shell (5. 3.) and change into /conf/db I see a PostgreSQL directory structure.

      Next step could be to dump all databases (pg_dump) and copy that offsite to analyse it for usernames and the password hashes, but it's now too late (here in Vienna), good night!

      bye Josef

      BERGMANN engineering & consulting GmbH, Wien/Austria

      • FormerMember

        Hi

        We sincerely regret any inconvenience this has caused.

        We will soon release more details of the attack and its payloads. Please follow our https://community.sophos.com/kb/en-us/135412 for further updates.

      • Hi, we also investigated our Sophos XG Firewalls and found a table "view_simpleusers" where usernames and passwords are saved. The passwords are only encrypted, not even hashed (why?). I want to know which exact algorithm was used to encrypt the passwords, as for example AES in ECB mode makes it possible for the attacker to get the encryption key after guessing one (weak) password.
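The thread turns on two storage designs: the reversible encryption the last post reports finding, versus the salted hashing the opening question hopes for. The Go program below is an added illustration written for this thread; it is not code from Sophos, not taken from the firewall, and it assumes nothing about how the XG product actually stores credentials. The sample password, the AES key and the salts are all constructed for the demo. It shows the two properties a defender cares about: with AES in ECB mode every record decrypts for whoever holds the key, and two users with the same password get byte-identical records, so a single known password reveals every other account using it. With a per-user random salt and a slow PBKDF2-HMAC-SHA256 derivation (written out here so only the standard library is needed), identical passwords produce different records and verification needs no recoverable secret at all.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// pkcs7Pad pads b to a whole number of cipher blocks (PKCS#7).
func pkcs7Pad(b []byte, size int) []byte {
	n := size - len(b)%size
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// ecbEncrypt models a reversible credential store: AES with every block
// encrypted independently (ECB). Anyone holding key can decrypt each
// record, and equal plaintexts always yield equal ciphertext.
func ecbEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext, block.BlockSize())
	out := make([]byte, len(padded))
	for i := 0; i < len(padded); i += block.BlockSize() {
		block.Encrypt(out[i:], padded[i:])
	}
	return out, nil
}

// pbkdf2SHA256 is PBKDF2 with HMAC-SHA256 as the PRF (RFC 8018 section 5.2):
// T_i = U_1 xor ... xor U_c, U_1 = PRF(P, S || INT(i)), U_j = PRF(P, U_{j-1}).
func pbkdf2SHA256(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	for blockIdx := 1; len(out) < keyLen; blockIdx++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write([]byte{byte(blockIdx >> 24), byte(blockIdx >> 16), byte(blockIdx >> 8), byte(blockIdx)})
		u := prf.Sum(nil)
		t := append([]byte{}, u...)
		for i := 1; i < iterations; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// HashedRecord is what a credential table should hold: a per-user random
// salt and the derived hash, nothing from which the password can be decrypted.
type HashedRecord struct {
	Salt, Hash []byte
}

const pbkdf2Iterations = 100000 // work factor; tune to the server's login budget

// StoreHashed creates the record for a new password with a fresh 16-byte salt.
func StoreHashed(password string) (HashedRecord, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return HashedRecord{}, err
	}
	return HashedRecord{Salt: salt, Hash: pbkdf2SHA256([]byte(password), salt, pbkdf2Iterations, 32)}, nil
}

// VerifyHashed recomputes the derivation and compares in constant time.
func VerifyHashed(rec HashedRecord, password string) bool {
	candidate := pbkdf2SHA256([]byte(password), rec.Salt, pbkdf2Iterations, 32)
	return hmac.Equal(candidate, rec.Hash)
}

func main() {
	pw := []byte("Summer2020!")            // constructed sample password shared by two users
	key := bytes.Repeat([]byte{0x11}, 16) // constructed demo key for the reversible store

	a, _ := ecbEncrypt(key, pw)
	b, _ := ecbEncrypt(key, pw)
	fmt.Println("ECB: identical passwords give identical records:", bytes.Equal(a, b))
	fmt.Println("ECB record:", hex.EncodeToString(a))

	r1, _ := StoreHashed(string(pw))
	r2, _ := StoreHashed(string(pw))
	fmt.Println("salted PBKDF2: identical passwords give identical records:", bytes.Equal(r1.Hash, r2.Hash))
	fmt.Println("verify correct password:", VerifyHashed(r1, string(pw)), "wrong password:", VerifyHashed(r1, "guess"))
}
```

Run it with `go run .`; the ECB line reports `true` and the salted line `false`, which is the whole difference between a table an attacker can read back and one that only answers yes or no to a password attempt. In practice one would reach for a maintained KDF implementation (bcrypt, scrypt or Argon2) rather than the hand-written PBKDF2 above, but the storage shape is the same.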