This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

How was the SQL injection done? We blocked off admin login

We have the admin login only allowing logins from our HQ (IP limited). Yet, they have all been compromised?



This thread was automatically locked due to age.
Parents
  • Both the admin and USER portals were vulnerable.  Either one would be able to be used to exfiltrate the LOCAL accounts (not AD/LDAP) including users and admins.

  • Maybe the bug "NC-58339" for devices on SFOS v17.5 MR10, MR11 and MR12 could be another vector of attack.

    "Local ACL Exceptions" will not work if there is an Any-Any Drop Firewall rule configured.

    We had the "Local ACL Exceptions" for User portal access only from one country. Because this exceptions was not working and portal was accessible to whole Internet.

    community.sophos.com/.../sfos-17-5-mr12-local-service-acl-exception-rule-still-not-working

  • Hi Paul/Josef;

    The fact is, SPX Portal is open by default. What other flowers are dormant in XG ?

    Regards
    Jan

  • Indeed.  Open.on one firewall.

    Should I expect both MTA mode and legacy mode behave the same ?  I.e. port 8094 open ?

    I have search Sophos web site regarding this, and the fact that port 8094 was always open have already been a major concern to many. 

    Well.  The other work around is to install another firewall between WAN and XG.  I mean, one that does only what it is asked to do.  And do not what it is not asked.  And one that has real log viewer.

    Paul Jr

  • The more I test, the more i'm puzzled.  One of our firewalls test open at one time and closed afterward.  It is not consistent.

    Paul Jr

  • Hi,

    The attack specifically targeted the underlying code of the admin and user portals. We have no evidence the attacker targeted the SPX encryption portal which is different underlying code than the other two. However, the KBA states that "firewalls manually configured to expose a firewall service (e.g. SSL VPN) to the WAN zone that shares the same port as the admin or user portal were also affected". So if a customer exposed the SPX encryption portal on the admin or user portal, which is not the default, it becomes potentially susceptible.

    Regards,


    Florentino Sanchez
    Community Manager, Support & Services

    Support Videos | Product Documentation@SophosSupport | Sign up for SMS Alerts
    If a post solves your question, please use the 'Verify Answer' button.
  • Hello Flo

    Thanks for the answer.

    But from what I have posted already, it is not my case.

    All accesses to everything except VPN were opted out everywhere but LAN.  On all firewalls.

    So the attack description Sophos provided is certainly inacurate.

    So ???  What happened ?

    Paul Jr

     

  • Hi Flo,

    I've to disagree.

    We have here three XG devices (2x XG85, 1x XG105) were we never configured or used the SPX encryption. The boxes not even had at any time a subscription for that. So it must be the default, that the SPX portal is exposed with TCP/8094 to "any" networks. Attached the screenshots for the SPX portal and Admin access menus of a box.

    I do not say, the SPX service itself is usable, it is just fishy that a service (awarrensmtp) is listening on that port and that there was the fix mentioning SQLi on spxd (NC-59300) in the last firmware.

    bye Josef

    Firewall consultant since 1995
    Astaro consultant since 2001
    Sophos partner since 2012
    BERGMANN engineering & consulting GmbH, Wien/Austria

  • Hi Paul,

    yes I found the internal server error on the XG85 webadmin because of this. In my opinion it is a absolut nogo to install such changes in a firewall without any prior information.

    bye Josef

    Firewall consultant since 1995
    Astaro consultant since 2001
    Sophos partner since 2012
    BERGMANN engineering & consulting GmbH, Wien/Austria

  • Same here, my home xg (Fullguard Plus license), never used mail system, port is opened because of (ANY), changed to PORT E0 to close. :-(

     

    NOT GOOD

     

    Running SFOS 18.0.0 GA-Build379.HF051220.1

    ----

    Best regards Martin ;-)

    Sophos UTM Certified Engineer 9.5
    Sophos  XG  Certified Engineer 17.1
    Homelab: 1 x SG210 XG v18 - 3xAPX530 - 1 x SG210 v9.7 - 1 x UTM 220 v9.7 - 1 x SG135 v9.7 (All Fullguard Plus licenses)

  • Hello twister5800,

    the same situation in my case.

    Isn't it a best practice firewall policy, in the recommended settings everything is forbidden and the necessary functions are activated by the administrator as needed?

    But it seems that in the case of XG Firewall, on the contrary, everything is allowed and attackers can enter without restriction?!?

    Sarcasm....

    Regards

    alda

Reply
  • Hello twister5800,

    the same situation in my case.

    Isn't it a best practice firewall policy, in the recommended settings everything is forbidden and the necessary functions are activated by the administrator as needed?

    But it seems that in the case of XG Firewall, on the contrary, everything is allowed and attackers can enter without restriction?!?

    Sarcasm....

    Regards

    alda

Children
  • Hi Alda,

    alda said:

    Isn't it a best practice firewall policy, in the recommended settings everything is forbidden and the necessary functions are activated by the administrator as needed?

    Sarcasm....

    YES - completely agree, I would never buy a big house, not knowing which doors where setup, with no locks :-(

    Now it's like, when you get a new XG device, there is an important note in the box with this link:

    https://nmap.org/book/port-scanning-tutorial.html

    #sarcasm 

    Frustrated and disappointed right now, we stopped selling new fw with UTM and then XG, now customers come to hunt us down. It's been ad very bad year for Sophos with network devices, first broken RED's, CVE's and a multi-bug firewall's...management have forced me to look others ways like Fortinet. A FW need s to be reliable!

    ----

    Best regards Martin ;-)

    Sophos UTM Certified Engineer 9.5
    Sophos  XG  Certified Engineer 17.1
    Homelab: 1 x SG210 XG v18 - 3xAPX530 - 1 x SG210 v9.7 - 1 x UTM 220 v9.7 - 1 x SG135 v9.7 (All Fullguard Plus licenses)