CVE-2020-12271: Sophos XG Firewall Pre-Auth SQL Injection Vulnerability Remediation Guidance and Exposure Overview


What’s up?


On April 22, Sophos received a report of a suspicious field value visible in the management interface of an XG Firewall. The cause turned out to be an attacker using a previously unknown exploit to gain access to the firewall and execute malicious code on it.


The attacker used a new pre-authentication SQL injection vulnerability (CVE-2020-12271) to gain access to the firewall. The attack was designed to exfiltrate data resident on the XG Firewall, including all local usernames and the hashed passwords of every local user account: local device admin accounts, user portal accounts, and accounts used for remote access. Passwords held by external authentication systems such as Active Directory (AD) or LDAP are not directly at risk from this vulnerability, although the exfiltrated local hashes should be treated as compromised.


The attack can be performed against both user-facing and administrator-facing exposed services on the firewall.
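The class of bug described above, as an added illustration rather than Sophos code or a reproduction of the actual CVE-2020-12271 exploit: an unauthenticated request whose input is spliced into a SQL query lets the requester read rows it should never see, here the password hashes of local accounts. The `local_users` table, the lookup handlers and the payload are all constructed assumptions for this example.

```python
"""Illustrative pre-auth SQL injection against a login lookup.

Added example code: not Sophos XG Firewall code and not a reproduction of
CVE-2020-12271. The schema, the two lookup handlers and the payload are
assumptions chosen to show the bug class the advisory describes.
"""
import hashlib
import sqlite3


def hash_pw(password: str) -> str:
    # Stand-in for however a device stores local password hashes.
    return hashlib.sha256(password.encode()).hexdigest()


def build_db() -> sqlite3.Connection:
    # Constructed sample data standing in for a firewall's local accounts.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE local_users (username TEXT, pw_hash TEXT, role TEXT)"
    )
    sample_accounts = [
        ("admin", "S3cret!", "device_admin"),
        ("alice", "portal-pass", "user_portal"),
        ("vpn-bob", "remote-pass", "remote_access"),
    ]
    for user, pw, role in sample_accounts:
        conn.execute(
            "INSERT INTO local_users VALUES (?, ?, ?)", (user, hash_pw(pw), role)
        )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # Vulnerable: attacker-controlled text becomes part of the SQL statement,
    # so a crafted username can change the query instead of just its value.
    sql = f"SELECT username, role FROM local_users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, username: str) -> list:
    # Hardened: the value is bound as a parameter and is never parsed as SQL,
    # so the same payload is just an (unmatched) username string.
    sql = "SELECT username, role FROM local_users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Constructed payload: closes the string literal, UNIONs in the hash column
# (two columns, matching the original SELECT) and comments out the trailing quote.
PAYLOAD = "x' UNION SELECT username, pw_hash FROM local_users -- "


def leaked_hashes() -> dict:
    """Run the payload through the vulnerable handler; returns {username: hash}."""
    conn = build_db()
    return dict(lookup_vulnerable(conn, PAYLOAD))


def admin_hash_leaked() -> bool:
    """True if the unauthenticated payload returned the admin account's hash."""
    return leaked_hashes().get("admin") == hash_pw("S3cret!")


def hardened_blocks_payload() -> bool:
    """True if the parameterised handler returns nothing for the same payload."""
    return lookup_hardened(build_db(), PAYLOAD) == []


if __name__ == "__main__":
    for user, digest in leaked_hashes().items():
        print(f"leaked {user}: {digest}")
    print("hardened handler returned:", lookup_hardened(build_db(), PAYLOAD))
```

The vulnerable handler hands back every local account's hash to a caller who has not authenticated at all, which is the pre-auth exfiltration pattern the advisory describes; the parameterised handler returns an empty result for the identical input.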


Sophos issued a hotfix, but not all of the roughly 12,500 internet-exposed XG firewalls that Rapid7 Labs initially inventoried are configured to install hotfixes automatically. Sophos has published steps for installing the fix manually.


Part of the hotfix process includes a check for compromise. If an installation was compromised by an attacker, the Sophos console reports the compromise in the hotfix alert; otherwise, the alert shows only the patch status and a note that the system is not compromised.


Organizations running Sophos XG firewalls are strongly encouraged to patch immediately and to assess whether they have any downstream impacts from an initial compromise, including resetting the passwords of local accounts whose hashes may have been exfiltrated and any credentials reused elsewhere.


Exposure analysis of CVE-2020-12271


There are two primary outward facing service interfaces av ..
