
KBA 135412 - What does Compromised mean in this fix

What exactly does compromised mean regarding this hotfix? Does this mean that Sophos checked if Admin service and / or User Portal were allowed on the WAN port(s), or that Sophos found that the vulnerability was exploited on the XG Firewall?



  • Hi  

    At this time, there is no indication that the attack accessed anything on the local networks behind any impacted XG Firewall. It appears the attack was designed to download payloads intended to exfiltrate XG Firewall-resident data.

    The data for any specific firewall depends upon the specific configuration and may include usernames and hashed passwords for the local device admin(s), portal admins, and user accounts used for remote access.

    Passwords associated with external authentication systems such as AD or LDAP are unaffected. We are continuing to investigate and expect to release more details of the attack. Please follow https://community.sophos.com/kb/en-us/135412 for further updates.

    Regards,

    Keyur
    Community Support Engineer | Sophos Support

  • Hi Keyur,


    I understand that, but what makes the hotfix decide if an XG is compromised or not compromised (the message on the dashboard of the XG)? Is this because the Admin Access and / or User Portal was allowed on the WAN interface(s), or did Sophos investigate on the XG appliance and find evidence that the vulnerability was exploited?

  • What about users stored at the firewall that are synced by STAS (AD) and/or user account being used to sync STAS? Are they also compromised?

  • Hi  

    Thanks for reaching out to us! More information on this shall be made available on the following KBA: https://community.sophos.com/kb/en-us/135412. We really appreciate your patience and cooperation. 

    Thanks,
    Yashraj Singha
    Manager | Global Community Support
  • Thanks for reaching out! Passwords associated with external authentication systems such as AD or LDAP are unaffected. We are continuing to investigate and expect to release more details of the attack. Please follow https://community.sophos.com/kb/en-us/135412 for further updates.

    Thanks,
    Yashraj Singha
    Manager | Global Community Support
  • Hello,

    My answer is not an official answer but I think I can help you a bit. I have 46 XG Firewalls, and only 9 received the "Hotfix applied for SQL injection and partially cleaned" message. The 37 other firewalls received the "Hotfix applied for SQL injection . Your device was NOT compromised" message.

    100% of the 46 firewalls were not accessible from WAN on the Admin service, but only with User Portal. The 9 "compromised" were configured to use the 8443 https port for User Portal, and the 37 other firewalls another port.


    So 100% of my firewalls had User Portal accessible from WAN, but only 9 received the "partially cleaned" message from Sophos. So, in my opinion, Sophos analyzed the XG firewalls and found that the vulnerability was exploited.


    Regards.

    Viken

    XG Certified Architect

    Sophos Gold Partner - Reseller from Lyon, France

  • Are OTP seeds also compromised? That would mean the OTP hardware tokens of our customers are worthless!

    And what about the "backup encryption password" and the Server authentication credentials for ldap query?

    Best regards

    Michael

  • Does anybody know how to get rid of the message? I changed my PWs, rebooted the firewall and disabled User Portal access (which ran on a non-standard port, but was compromised anyway), but the error message remains.

  • Christian Huber3 said:

    Does anybody know how to get rid of the message? I changed my PWs, rebooted the firewall and disabled User Portal access (which ran on a non-standard port, but was compromised anyway), but the error message remains.


    The KB article below states that the message will not go away even after you restart. Don't know why, but I guess that's what Sophos has decided.

    https://community.sophos.com/kb/en-us/135412

  • The hotfix has a verification script (/content/dr/3/dr/drrun.sh) which looks for specific file / certificate artifacts and entries present in the Postgres database.

    • Files:
      • /tmp/x.sh
      • /scripts/vpn/ipsec/.generate_curl_ca_bundle.sh
      • /tmp/I
      • /tmp/.n.sh
      • /tmp/.pg.sh
      • /var/newdb/global/.post_MI
      • /scripts/._av_pre_script.sh
      • /tmp/.lp.sh
      • /tmp/b
      • /tmp/2own
      • /scripts/._av_pre_script
    • SQL:
      • psql -U nobody -d corporate -tAc "select * from  tbltelemetry where argument='post_MI'"
      • psql -U nobody -d corporate -tAc "select servicevalue from tblclientservices where servicekey='CCCAdminIP'"
      • psql -U nobody -d corporate -tAc "select servicevalue from tblclientservices where servicekey='ha_aux_traffic'"
    • Certificate:
      • grep -c sophosfirewallupdate /scripts/vpn/ipsec/generate_curl_ca_bundle.sh

    One hypothesis is that the attacker wanted to connect the FW to a remote management IP.

    As I applied the fix and only then realized this, I cannot provide any insights into the actual values. But maybe someone else can.
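    The file and certificate-bundle checks listed in the post above, re-implemented as an added example. This is not Sophos' drrun.sh and was not posted by anyone in the thread; it reuses only the artifact paths and the grep string quoted above. It assumes a root prefix argument (an addition here) so the same checks can be run against a mounted backup or a constructed test tree instead of a live appliance; the three psql queries are left out because they need the appliance's corporate database.

```shell
#!/bin/sh
# Added example: re-checks the file and CA-bundle artifacts listed in the thread.
# Not the hotfix's own verification script. ROOT is an assumed prefix (default "/").

# Artifact paths quoted in the thread, relative to the appliance root.
ARTIFACT_FILES="
/tmp/x.sh
/scripts/vpn/ipsec/.generate_curl_ca_bundle.sh
/tmp/I
/tmp/.n.sh
/tmp/.pg.sh
/var/newdb/global/.post_MI
/scripts/._av_pre_script.sh
/tmp/.lp.sh
/tmp/b
/tmp/2own
/scripts/._av_pre_script
"

# Legitimate script that the thread says is grepped for 'sophosfirewallupdate'.
CA_BUNDLE_SCRIPT="/scripts/vpn/ipsec/generate_curl_ca_bundle.sh"

# count_artifacts ROOT: report each listed artifact present under ROOT on stderr,
# print the number found on stdout.
count_artifacts() {
    root="${1:-}"
    n=0
    for f in $ARTIFACT_FILES; do
        if [ -e "$root$f" ]; then
            echo "artifact present: $root$f" >&2
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# ca_bundle_hits ROOT: number of lines in the CA bundle script that mention
# 'sophosfirewallupdate'; 0 when the script is absent or clean.
ca_bundle_hits() {
    root="${1:-}"
    target="$root$CA_BUNDLE_SCRIPT"
    if [ -f "$target" ]; then
        # grep -c exits 1 when the count is 0, so keep the printed count and ignore the status.
        grep -c sophosfirewallupdate "$target" || true
    else
        echo 0
    fi
}

# scan ROOT: one-line verdict combining both checks (CLEAN / SUSPICIOUS).
scan() {
    root="${1:-}"
    files=$(count_artifacts "$root")
    certs=$(ca_bundle_hits "$root")
    if [ "$files" -gt 0 ] || [ "$certs" -gt 0 ]; then
        echo "SUSPICIOUS files=$files ca_bundle_hits=$certs"
    else
        echo "CLEAN files=$files ca_bundle_hits=$certs"
    fi
}

# Usage (against a mounted backup): . ./check_artifacts.sh; scan /mnt/xg-backup
```

    Run it against a copy of the filesystem rather than the appliance itself wherever possible, and treat a CLEAN verdict as "none of the listed artifacts remain", not as proof the device was never touched: the thread's own list is what the hotfix looked for at the time, and a partially cleaned device will already have had some of these files removed.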