What exactly does "compromised" mean regarding this hotfix? Does this mean that Sophos checked if the Admin service and / or User Portal were allowed on the WAN port(s), or that Sophos found that the vulnerability was exploited on the XG Firewall?
Hi Anton van Duin,
At this time, there is no indication that the attack accessed anything on the local networks behind any impacted XG Firewall. It appears the attack was designed to download payloads intended to exfiltrate XG Firewall-resident data.
The data for any specific firewall depends upon the specific configuration and may include usernames and hashed passwords for the local device admin(s), portal admins, and user accounts used for remote access.
Passwords associated with external authentication systems such as AD or LDAP are unaffected. We are continuing to investigate and expect to release more details of the attack. Please follow https://community.sophos.com/kb/en-us/135412 for further updates.
Keyur, Community Support Engineer | Sophos Support
I understand that, but what makes the hotfix decide if an XG is compromised or not compromised (the message on the dashboard of the XG)? Is this because Admin Access and / or the User Portal was allowed on the WAN interface(s), or did Sophos investigate on the XG appliance and find evidence that the vulnerability was exploited?
Thanks for reaching out to us! More information on this shall be made available on the following KBA: https://community.sophos.com/kb/en-us/135412. We really appreciate your patience and cooperation.
Community Team Lead, Support & Services | Sophos Technical Support