
KBA 135412 - What does Compromised mean in this fix

What exactly does compromised mean regarding this hotfix? Does this mean that Sophos checked if Admin service and / or User Portal were allowed on the WAN port(s), or that Sophos found that the vulnerability was exploited on the XG Firewall?



  • The hotfix has a verification script (/content/dr/3/dr/drrun.sh) which looks for specific file / certificate artifacts and entries present in the Postgres database.

    • Files:
      • /tmp/x.sh
      • /scripts/vpn/ipsec/.generate_curl_ca_bundle.sh
      • /tmp/I
      • /tmp/.n.sh
      • /tmp/.pg.sh
      • /var/newdb/global/.post_MI
      • /scripts/._av_pre_script.sh
      • /tmp/.lp.sh
      • /tmp/b
      • /tmp/2own
      • /scripts/._av_pre_script
    • SQL:
      • psql -U nobody -d corporate -tAc "select * from  tbltelemetry where argument='post_MI'"
      • psql -U nobody -d corporate -tAc "select servicevalue from tblclientservices where servicekey='CCCAdminIP'"
      • psql -U nobody -d corporate -tAc "select servicevalue from tblclientservices where servicekey='ha_aux_traffic'"
    • Certificate:
      • grep -c sophosfirewallupdate /scripts/vpn/ipsec/generate_curl_ca_bundle.sh

    One hypothesis is that the attacker wanted to connect the FW to a remote management IP.

    As I applied the fix and only then realized this I cannot provide any insights into the actual values. But maybe someone else can.
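
    A defender-side re-run of the checks this reply lists, written as an added example (it is not the hotfix's own drrun.sh): ROOT is an assumed override so the file checks can be dry-run against a copied or constructed directory tree, and the database queries run only where psql exists.

```sh
#!/bin/sh
# Added example, not the hotfix's own drrun.sh: re-run the artifact checks
# listed in the reply above. ROOT (default "/") is this example's assumption
# so the file checks can be dry-run against a constructed directory tree.

# File artifacts the verification script looks for (paths from the reply).
ARTIFACTS="/tmp/x.sh
/scripts/vpn/ipsec/.generate_curl_ca_bundle.sh
/tmp/I
/tmp/.n.sh
/tmp/.pg.sh
/var/newdb/global/.post_MI
/scripts/._av_pre_script.sh
/tmp/.lp.sh
/tmp/b
/tmp/2own
/scripts/._av_pre_script"

# Print every listed artifact that exists under the given root.
find_artifacts() {
    root="${1%/}"
    for p in $ARTIFACTS; do
        [ -e "$root$p" ] && echo "$root$p"
    done
    return 0
}

# Number of listed artifacts present under the given root.
count_artifacts() {
    find_artifacts "$1" | wc -l | tr -d ' '
}

# Exit 0 when the legitimate CA-bundle script contains the string the
# verification script greps for (it should not be there on a clean box).
ca_bundle_tampered() {
    grep -q sophosfirewallupdate \
        "${1%/}/scripts/vpn/ipsec/generate_curl_ca_bundle.sh" 2>/dev/null
}

# The database checks from the reply; only possible on the firewall itself.
db_checks() {
    command -v psql >/dev/null 2>&1 || { echo "psql not found, skipping DB checks"; return 0; }
    psql -U nobody -d corporate -tAc "select * from tbltelemetry where argument='post_MI'"
    psql -U nobody -d corporate -tAc "select servicevalue from tblclientservices where servicekey='CCCAdminIP'"
    psql -U nobody -d corporate -tAc "select servicevalue from tblclientservices where servicekey='ha_aux_traffic'"
}

main() {
    root="${ROOT:-/}"
    find_artifacts "$root" | sed 's/^/artifact present: /'
    echo "artifacts found: $(count_artifacts "$root")"
    ca_bundle_tampered "$root" && echo "CA bundle script references sophosfirewallupdate"
    db_checks
}

main
```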

  • Thanks for that information. I was checking drrun.sh. So from my point of view, we could remove the database entry in tblalertconfig manually if we do not want that alert to show up in the GUI any longer.

    By the way: this hotfix script looks very basic. It doesn't prove whether there is any ongoing communication between my XG and the command and control servers.

    So I wouldn't really be sure whether we could trust this hotfix 100 percent.

    Furthermore, it would be interesting to know whether this hotfix will stay in place after an upgrade of Sophos XG. Maybe anyone can help with that?

  • Hi Christian,

    This hotfix eliminated the SQL injection vulnerability which prevented further exploitation, stopped the XG Firewall from accessing any attacker infrastructure, and cleaned up any remnants from the attack.

    This hotfix will persist across all supported SFOS versions.

    We will soon release more details of the attack and its payloads. Please follow our KBA at https://community.sophos.com/kb/en-us/135412 for further updates.

    Regards,


    Florentino
    Director, Global Community & Digital Support
