
How was the SQL injection done? We blocked off admin login

We have the admin login only allowing logins from our HQ (IP limited). Yet they have all been compromised?



  • I don't think Sophos will ever release the proof of concept. I have also been confused over the chmod part, which indicates higher privileges, but at this point just assume ALL YOUR DATA WAS COMPROMISED on the firewall.

    I would change ALL PASSWORDS that are locally stored

    I would recreate ALL VPN tunnels with new keys.

    Basically everything other than your firewall rules needs to be redone. To be honest, and without a complete audit, it's hard to know the severity of a particular compromise. Which parts are saved in the backup of such a firewall? So restore from backups that were taken before the breach and then change everything that required a certificate or a password.

    Open source software is pretty safe, as most of the code is scrutinized and used all over the world. The only part Sophos had to secure was the part that they wrote themselves, which is the front-end GUI. The saddest part of all this is that without comprehensive logging we have no idea what the hackers were doing, as we can't even tell what internal users are doing most of the time, let alone people hammering your firewall from the outside.

    V18 was supposed to be a new beginning and I actually started using XG again as my home firewall. Sadly that ended again with this. 

    Regards

  • Hello

    I changed all keys and passwords.

    That said, in the description of the CVE Sophos posted here, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12271, they write: "This affected devices configured with either the administration (HTTPS) service or the User Portal exposed on the WAN zone."

    ... but this is clearly not our case. What's going on?

    Paul Jr

  • Is the LAN affected on your home unit? Otherwise open a case. Also, how are you coming to the conclusion that your LAN computers were accessing those sites? Something in the firewall/web logs?

    I am still not clear on how you came to the conclusion that your internal devices were accessing the sites mentioned by Sophos. If you see some logs, please share them if possible.

    regards

  • On my home machine, Sophos indicated the machine was not compromised. And on the list of 15 or so websites, at least two have been visited from my LAN. I have not checked myself, but someone on this blog said they were GoDaddy websites used by thousands of websites hosted there.

    On my business servers, a Sophos engineer conducted a remote session. Both servers were tagged by Sophos as compromised. I showed him our WAN access was not open to users or admins, or anyone else. Again, in the past, some machines have also accessed some of those websites listed by Sophos. But the engineer seemed to be interested in only two in particular.

    When the engineer checked, a site that had resolved to 127.0.0.1 would not resolve anymore. Some mechanism added by Sophos was now blocking these. On the firewall home page, any attempt to access some of these listed websites would result in an alert indicating an attempt to visit a malicious website.

    Paul Jr
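The question raised above, how to tell from logs whether LAN hosts actually reached the indicator domains, and the observation that some of those names now resolve to 127.0.0.1, can be checked with a small script. The following is an added example written for this page; it is not code from the thread, from Sophos, or from the XG Firewall. The indicator domains (`bad-example-1.invalid`, `bad-example-2.invalid`) are hypothetical stand-ins for the advisory's list, the log lines are constructed, and the `ts src query=… answer=…` layout is a generic format chosen for the example, not the XG log format; the function names (`scan_dns_log`, `hosts_with_live_resolution`) are this example's own. It matches indicator domains and their subdomains, and separates lookups that returned a real address from lookups that were sinkholed (127.0.0.1 or 0.0.0.0), since a sinkholed answer shows the host asked for the name but did not get the real address.

```python
import ipaddress
import re
from collections import defaultdict

# Hypothetical indicator domains (assumption): stand-ins for the advisory's
# list, which is not reproduced here. Replace with the real indicators.
IOC_DOMAINS = {"bad-example-1.invalid", "bad-example-2.invalid"}

# Constructed DNS log lines (assumption) in a generic layout, not the XG
# log format. Swap LINE_RE for a pattern that fits your firewall's export.
SAMPLE_DNS_LOG = """\
2020-04-25T10:01:02Z 192.168.1.50 query=www.example.com answer=93.184.216.34
2020-04-25T10:02:10Z 192.168.1.77 query=bad-example-1.invalid answer=203.0.113.9
2020-04-25T10:03:44Z 192.168.1.77 query=bad-example-2.invalid answer=127.0.0.1
2020-04-25T10:04:00Z 192.168.1.12 query=cdn.bad-example-1.invalid answer=203.0.113.10
2020-04-25T10:05:00Z 192.168.1.50 query=notbad-example-1.invalid answer=198.51.100.2
2020-04-25T10:06:00Z 192.168.1.90 query=bad-example-2.invalid answer=NXDOMAIN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) query=(?P<qname>\S+) answer=(?P<answer>\S+)$"
)

# Addresses a resolver or firewall hands out when it sinkholes a name.
SINKHOLE_ANSWERS = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("0.0.0.0")}


def matches_ioc(qname, iocs=IOC_DOMAINS):
    """True if qname is an indicator domain or a subdomain of one.

    Uses a label boundary so that 'notbad-example-1.invalid' does not
    match 'bad-example-1.invalid'.
    """
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in iocs)


def classify_answer(answer):
    """'resolved' for a real address, 'sinkholed' for a blocked one,
    'unresolved' for anything that is not an IP (e.g. NXDOMAIN)."""
    try:
        ip = ipaddress.ip_address(answer)
    except ValueError:
        return "unresolved"
    if ip in SINKHOLE_ANSWERS or ip.is_loopback or ip.is_unspecified:
        return "sinkholed"
    return "resolved"


def scan_dns_log(text, iocs=IOC_DOMAINS):
    """Return {source_ip: [(ts, qname, verdict), ...]} for every lookup of
    an indicator domain. Lines the parser does not understand are skipped."""
    hits = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or not matches_ioc(m["qname"], iocs):
            continue
        hits[m["src"]].append((m["ts"], m["qname"], classify_answer(m["answer"])))
    return dict(hits)


def hosts_with_live_resolution(hits):
    """Hosts that got a real address back for an indicator domain: these
    could have connected and are the first candidates for forensic review.
    Hosts that only saw sinkholed or unresolved answers still asked for the
    name, so they are worth a look, but they did not reach the site."""
    return sorted(
        host for host, events in hits.items()
        if any(verdict == "resolved" for _, _, verdict in events)
    )


if __name__ == "__main__":
    results = scan_dns_log(SAMPLE_DNS_LOG)
    for host, events in sorted(results.items()):
        for ts, qname, verdict in events:
            print(f"{host} {ts} {qname} {verdict}")
    print("review first:", hosts_with_live_resolution(results))
```

Run against an export of the firewall's DNS or web-filter log after adjusting `LINE_RE`; a host listed under "review first" obtained a real address for an indicator name, while a host whose only hits are sinkholed asked for the name after blocking was in place, which is the situation the engineer observed.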