
How was the SQL injection done? We blocked off admin login

We have the admin login only allowing logins from our HQ (IP limited). Yet, they have all been compromised?



  • We still have NO explanation whatsoever of how an attack could have been performed if both user and admin access were opted out on WAN (and everything except LAN).

    This is now after weeks requesting it.

    Paul Jr

  • Hi Paul,

    Just a final note, thanks to Pavol who pointed me to

    And yes, I tested and proved this (also on 17.5.12): TCP/8094 is open on the WAN interface! This could be another leak where the SQL injection occurred.

    bye Josef

    BERGMANN engineering & consulting GmbH, Wien/Austria

  • Hello

    You REALLY tested it on WAN?!

    I mean, you have no firewall rule allowing such traffic on WAN, and all access via WAN is opted out, and yet traffic can flow through WAN via 8094?!

    Are you kidding me?!

    Paul Jr

  • Hi Paul,

    No, I'm not kidding :) Just try it yourself: simply use one of the free online scanners to probe TCP port 8094 on the WAN IP of a Sophos XG, e.g. https://ping.eu/port-chk/ or https://portchecker.co/ or others.

    It seems that this service is by default always open for any network, no matter whether you have SPX Encryption for email configured or not. And as the release notes show, this service was vulnerable to "Blind pre-auth SQLi" before 17.5 MR12.

    You must actively change the "Allowed networks" in Email -> Encryption -> SPX portal settings! As a workaround I've only allowed #Port1 to disable this service on the WAN.

    For me it's now enough. We stopped selling these boxes two years ago, but now we will also replace the remaining ones (with another brand).

    bye Josef

    BERGMANN engineering & consulting GmbH, Wien/Austria

  • Hi Paul/Josef;

    The fact is, the SPX Portal is open by default. What other flowers are dormant in XG?

    Regards
    Jan

  • Indeed. Open on one firewall.

    Should I expect both MTA mode and legacy mode to behave the same, i.e. port 8094 open?

    I have searched the Sophos web site regarding this, and the fact that port 8094 was always open has already been a major concern to many.

    Well. The other workaround is to install another firewall between WAN and XG. I mean, one that does only what it is asked to do, and does not do what it is not asked. And one that has a real log viewer.

    Paul Jr

  • The more I test, the more I'm puzzled. One of our firewalls tests open at one time and closed afterward. It is not consistent.

    Paul Jr
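As an added example (not code from any post in this thread, and not a Sophos tool), the following Python script does offline what Josef's online-scanner check does by hand: a plain TCP connect to a host and port, classifying the answer as open (handshake completed), closed (connection refused) or filtered (no answer before the timeout). Because Paul reports the same firewall testing open at one time and closed afterward, each target is probed several times and the result is flagged as inconsistent when the attempts disagree. The target list, the attempt count and the 3-second timeout are assumptions; the script's own self-test uses a throwaway listener on 127.0.0.1, so the only thing you need to change for real use is the list of WAN IPs with port 8094.

```python
"""Repeated TCP connect probe (added example, not from the thread).

Each attempt is classified as:
  open      - the TCP handshake completed
  closed    - the host answered with RST (ConnectionRefusedError)
  filtered  - nothing came back before the timeout (silently dropped)
Outcomes are counted per target, so a port that flips between open and
closed across runs is reported as inconsistent instead of being trusted
from a single check.
"""
import socket
import threading
from collections import Counter

PROBE_TIMEOUT = 3.0  # seconds; assumed value, tune for WAN latency


def probe_once(host, port, timeout=PROBE_TIMEOUT):
    """One TCP connect attempt; returns 'open', 'closed' or 'filtered'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError:
        # e.g. network unreachable: no answer, so not 'closed'
        return "filtered"


def probe_repeated(host, port, attempts=5, timeout=PROBE_TIMEOUT):
    """Probe `attempts` times; returns (Counter of outcomes, consistent flag)."""
    outcomes = Counter(probe_once(host, port, timeout) for _ in range(attempts))
    consistent = len(outcomes) == 1   # every attempt gave the same answer
    return outcomes, consistent


def probe_targets(targets, attempts=5, timeout=PROBE_TIMEOUT):
    """targets: iterable of (host, port). Returns a dict keyed by target."""
    report = {}
    for host, port in targets:
        outcomes, consistent = probe_repeated(host, port, attempts, timeout)
        report[(host, port)] = {"outcomes": dict(outcomes), "consistent": consistent}
    return report


def _start_local_listener():
    """Self-test helper: a throwaway TCP listener on 127.0.0.1, ephemeral port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:       # listener closed by self_test()
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def _free_port():
    """Self-test helper: a 127.0.0.1 port that nothing is listening on."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def self_test():
    """Probe one open and one closed local port; returns the report."""
    srv, open_port = _start_local_listener()
    closed_port = _free_port()
    try:
        return probe_targets([("127.0.0.1", open_port),
                              ("127.0.0.1", closed_port)], attempts=3)
    finally:
        srv.close()


if __name__ == "__main__":
    # Real use: replace the self-test targets with e.g. [("203.0.113.10", 8094), ...]
    # (documentation address; substitute your firewalls' WAN IPs).
    for target, result in self_test().items():
        print(target, result)
```

Run it from outside the firewall (a host that is not in the allowed networks), otherwise an "open" result only tells you that the port is reachable from a trusted address. A target that shows both "open" and "closed" in its outcomes is the case Paul describes and is worth re-running with a larger attempt count before drawing any conclusion from a single scan.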

  • Hi,

    The attack specifically targeted the underlying code of the admin and user portals. We have no evidence the attacker targeted the SPX encryption portal, which is different underlying code from the other two. However, the KBA states that "firewalls manually configured to expose a firewall service (e.g. SSL VPN) to the WAN zone that shares the same port as the admin or user portal were also affected". So if a customer exposed the SPX encryption portal on the admin or user portal port, which is not the default, it becomes potentially susceptible.

    Regards,


    Florentino
    Director, Global Community & Digital Support

  • Hello Flo

    Thanks for the answer.

    But from what I have posted already, it is not my case.

    All accesses to everything except VPN were opted out everywhere but LAN.  On all firewalls.

    So the attack description Sophos provided is certainly inaccurate.

    So? What happened?

    Paul Jr


  • Hi Flo,

    I have to disagree.

    We have here three XG devices (2x XG85, 1x XG105) where we never configured or used the SPX encryption. The boxes never even had a subscription for that. So it must be the default that the SPX portal is exposed with TCP/8094 to "any" networks. Attached are the screenshots of the SPX portal and Admin access menus of one box.

    I am not saying the SPX service itself is usable; it is just fishy that a service (awarrensmtp) is listening on that port and that there was the fix mentioning SQLi on spxd (NC-59300) in the last firmware.

    bye Josef

    BERGMANN engineering & consulting GmbH, Wien/Austria