
How was the SQL injection done? We blocked off admin login

We have the admin login only allowing logins from our HQ (IP limited). Yet, they have all been compromised?



  • Both the admin and USER portals were vulnerable. Either one would be able to be used to exfiltrate the LOCAL accounts (not AD/LDAP) including users and admins.

  • I want to know if the VPN connection pre-shared keys have also been copied? If so, then the security of Sophos Connect users has also been compromised...

  • Hi Michal,

    I've investigated how IPsec secrets (PSK) are stored in the XG firewall and found out they are stored in plain text. For more details you can contact me via PM.

    According to the Sophos report the hackers exfiltrated SQL-data for VPN users & policies, but they don't exactly describe what entries, so in my opinion all secrets on the firewall are compromised.


    bye Josef

    Firewall consultant since 1995
    Astaro consultant since 2001
    Sophos partner since 2012
    BERGMANN engineering & consulting GmbH, Wien/Austria

  • Holy Cow ...

    Passwords stored in clear text ?!?!?!?  Really !?!?!?!

    But ... They write this on their KB:

    1. Reset device administrator accounts
      • See: https://community.sophos.com/kb/en-us/123732
      • Sophos is enforcing a password reset for the XG administrator and all other local administrator accounts that have not reset their password since 2200 UTC on April 25, 2020.
    2. Reset passwords for all local user accounts
    3. Although the passwords were hashed, it is recommended that passwords are reset for any accounts where the XG credentials might have been reused.

    Paul Jr

  • Hi Paul,

    Yes, passwords from local user accounts are hashed (with an algorithm I can't identify), but all pre-shared secrets (PSK) used in IPsec VPN connections (also L2TP/IPsec) are stored in plain text in a table on the internal sql-server (no hash, no encryption). I've checked this on the latest (stable) 17.5.11 firmware.

    So I highly recommend also changing at least all IPsec secrets. In fact the whole system was compromised, so everything secret should be changed (passwords, PSKs, certificates, OTP seeds, ...)

    bye Josef

    Firewall consultant since 1995
    Astaro consultant since 2001
    Sophos partner since 2012
    BERGMANN engineering & consulting GmbH, Wien/Austria
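    Josef's point above is that an IPsec PSK, unlike a user password, has to be recoverable for IKE, so it cannot be stored as a hash; the defensive answer is encryption at rest under a wrap key that never sits in the configuration database, so an exfiltrated table yields only ciphertext. The following Go sketch is an added example, not code from the thread or from Sophos; the record layout, the function names and the peer/key values are all assumptions, and sourcing the wrap key (KMS, TPM, boot-time secret) is outside its scope.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// PSKRecord is one stored IPsec pre-shared key (assumed layout, not the XG schema).
// The peer identity stays readable; the secret is AES-GCM ciphertext under a key
// that is never written to the database.
type PSKRecord struct {
	PeerID     string // constructed example value, e.g. a remote gateway name
	Nonce      []byte // fresh per record
	Ciphertext []byte // includes the GCM authentication tag
}

func newGCM(wrapKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(wrapKey) // wrapKey: 32 bytes for AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealPSK encrypts psk and binds it to peerID as additional data, so a row
// copied onto another peer's entry fails authentication instead of decrypting.
func SealPSK(wrapKey []byte, peerID, psk string) (PSKRecord, error) {
	gcm, err := newGCM(wrapKey)
	if err != nil {
		return PSKRecord{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return PSKRecord{}, err
	}
	ct := gcm.Seal(nil, nonce, []byte(psk), []byte(peerID))
	return PSKRecord{PeerID: peerID, Nonce: nonce, Ciphertext: ct}, nil
}

// OpenPSK recovers the plaintext the IKE daemon needs. Without wrapKey a dumped
// table is useless, and a modified or swapped row is rejected, not decrypted.
func OpenPSK(wrapKey []byte, rec PSKRecord) (string, error) {
	gcm, err := newGCM(wrapKey)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, rec.Nonce, rec.Ciphertext, []byte(rec.PeerID))
	if err != nil {
		return "", err // wrong wrap key or tampered row
	}
	return string(pt), nil
}
```

    A compromise of the host that also holds the wrap key still exposes every PSK, which is why the rotation advice in this thread stands regardless of storage format.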

  • Utterly inexcusable security lapses. Somebody at the top of the team needs to be fired.
