I have 5 firewalls, all of them are on 17.5.0 GA and none of them shows whether the hotfix was applied and whether they were compromised. What is the hotfix version they should be on?

Rebooted two of them, updated firmware, waited 30 minutes. Nothing.

Mine finally automatically installed the hotfix update and said compromised. So, I've changed all local passwords and rebooted. Have also disabled the sslvpn just in case over the weekend until we get more updates from Sophos.

I did much the same but we use L2TP with AD credentials along with Sophos Connect with AD credentials.

It would be nice to see what they actually did / saw / transferred out of / in to my XG Firewalls

We appear to have had our SFM instance (on-prem, not central) URL removed from all our devices that the hotfix returned "partially cleaned" on.

Unsure if the hotfix has done it, or the exploit impacted it so it was removed.

Anyone else witnessed this?

Hi M8ey 

At this time, there is no indication that the attack accessed anything on the local networks behind any impacted XG Firewall. It appears the attack was designed to download payloads intended to exfiltrate XG Firewall-resident data.

The data for any specific firewall depends upon the specific configuration and may include usernames and hashed passwords for the local device admin(s), portal admins, and user accounts used for remote access. Passwords associated with external authentication systems such as AD or LDAP are unaffected.

We are continuing to investigate and expect to release more details of the attack. Please follow https://community.sophos.com/kb/en-us/135412 for further updates.

Hi Sophos User831 

All times UTC

Please see https://community.sophos.com/kb/en-us/135412 for full details of the timeline.

Yes I read that Flo - I have actioned all recommended pints with resetting any local passwords, rebooting etc.

As I use L2TP and Sophos Connect with users authentication with AD I assume these passwords are safe as they were not local users?

Yes, passwords associated with external authentication systems such as AD or LDAP are unaffected.

I noticed the same thing a couple of days ago, but it was before the hotfix was installed. One firewall didn't have an entry for Sophos Firewall Manager IP and another one had some bash command line in it. Firewalls that were not found compromised by the hotfix didn't have a missing entry for SFM. Continuing to investigate here, but have some other issues as well now. One firewall node isn't coming up after put on standby in HA mode and another one's admin site isn't reachable today despite the firewall being online and connected via VPN. Some also show slow login times now...

SFM: Ok so not just us - a little concerning nothings been mentioned about SFM. We had to touch all our devices (50+) to get them to call home to apply password changes / updates / reboots from our SFM.

HA: We will be rebooting our only HA pair tonight in a maintenance window so hopefully we dont have any issues...

Admin Page: If you are on 17.5 MR10 or 11 we note there is a consequence of having a Deny All rule in the firewall, and the ACL Overrides dont apply.  Worked fine previously, but in MR10 it broke.  Theres a KB i can't place at the moment on it.

SFM: Ok so not just us - a little concerning nothings been mentioned about SFM. We had to touch all our devices (50+) to get them to call home to apply password changes / updates / reboots from our SFM.

HA: We will be rebooting our only HA pair tonight in a maintenance window so hopefully we dont have any issues...

Admin Page: If you are on 17.5 MR10 or 11 we note there is a consequence of having a Deny All rule in the firewall, and the ACL Overrides dont apply.  Worked fine previously, but in MR10 it broke.  Theres a KB i can't place at the moment on it.

Hello!, yes, I have installed 17.5.10 MR-10 and I no idea what is the Latest hotfix version that I have to have..

On the other hand when we rebooted we still on the same version.. Probably it´s because all that you said. Can you share mith me the link where you have seen this? Any suggest?

Many thanks!

The article on the exploit is at https://community.sophos.com/kb/en-us/135412

There isn't a new MR for this, its a code drop via auto update. This link shows how to identify if your units been exploited and steps to take.

If you are having access issues to your admin page after upgrading to MR10 or 11, this is the article to read:  https://community.sophos.com/products/xg-firewall/f/firewall-and-policies/119385/sophos-xg-firewall-v17-5mr10-device-access-acls-may-not-work-as-expected-when-a-custom-drop-all-firewall-rule-is-configured

One of our techs earlier ran an upgrade to MR11 by accident while investigating if a unit was affected by the exploit, so we experienced admin lockout due to the above rule being set.

After analyzing the components and intent of the attack, Sophos published a SophosLabs Uncut article, “Asnarok” Trojan targets firewalls, to share its current understanding of the malware.

So they just confirmed that the value for the SFM host is related to the attack in their article at news.sophos.com/.../

Thanks... comprehensive review. Trying to determine if it gives us comfort though!

I know distribution was put on hold today for shipments, we had a number of units ship Friday which go into production this week. Any particular processes we should follow? Is there an ETA on a new MR that has the CVE resolved?