
KBA 135412 - Fixing SQL injection vulnerability, impact on SSL VPN

The article suggests disabling HTTPS Admin Services and User Portal access on the WAN interface. While I have never had the Admin Services interface enabled, I have had the User Portal, as this was required to set up remote clients for VPN access. Is this still the case, at least with an SSL VPN? If I have the User Portal disabled, will I have to manually send the EXE for the VPN client, and will I have to resend it if any VPN settings/policies are changed?



  • Same here. We strictly disable HTTPS on the WAN zone on all our clients' firewalls and only allow access from a few trusted static IPs.

    However, I can see that some firewalls got affected:

    Alert
    14:45

    Hotfix applied for SQL Injection and partially cleaned. Additional steps may be required to secure your network. Please read KBA-135412 for possible next steps.

    This is very unpleasant. I'm currently resetting all admin passwords and analyzing log files.

  • If you disable the User Portal, you do NOT need to re-send the EXE or anything. I typically have the User Portal enabled on WAN for initial client deployment so they can download it themselves, then I cut it off on the Device Access tab.

    Any webpage with an input field like username/password, such as the User Portal or the Admin login page, is exploitable using SQL injection. EDIT: exploitable *IF* input validation was not implemented, and fuzz techniques weren't implemented in the Quality Assurance department.

  • Agreed. I would like to know sooner than later whether I should be resetting passwords en masse. Seems at this point until they figure more out about what the malware did, it might be a wise precaution.

  • Hello apalm123,

    It is more than obvious that the developers did nothing like that. It surprises me that this product received EAL4+ certification about two weeks ago.
    Incredible...

    Regards

    alda

  • Can you check on your XGs whether you can reach the User Portal even when it's not selected on the WAN interface?

    The only thing I have selected on WAN is SSL VPN, BUT I can still access the User Portal...

  • Yes, I can! Is that possible? Please look in the logs too; on some of our devices they have been deleted. Who deleted the logs, the hotfix or the hackers?

  • Hello Roman,

    It's really crazy.

    Unfortunately I have to confirm your finding: I have deactivated WebAdmin and User Portal on the WAN zone and only SSL VPN is active, but I can connect to the User Portal!
    I have access to WebAdmin only through ACL rules from defined IP networks, but when I tried to access the User Portal from a mobile phone (and this network is definitely not allowed through the ACL), access to the User Portal was possible, but not to WebAdmin.

    Probably better without comment; I don't think the developers did a good job!

    Regards

    alda

  • Well, that seems to be another potential vulnerability. Of course WebAdmin access should be turned off on WAN, but the User Portal should also be restricted. I hope that Sophos will fix it ;) If I remember correctly it was fixed on v17.5, but I can't remember exactly ;)

  • I can confirm this also. Only SSL VPN is enabled on WAN and the User Portal is still accessible.

  • Hi,

    I see you have edited your paragraph about SQL injection. IMO it is bad programming practice and points to poor code review and code examination. It really is SQL web programming 101 to ensure SQL queries are not exploitable in this way; there is a plethora of best-practice advice out there on how to prevent this from happening. The fact that it was allowed in a firewall product is extremely concerning.

    Jon
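An added illustration of the point made in this reply and in the earlier remark about input validation (my own example, not code from the thread or from the product): the same login lookup written with string formatting and with bound parameters, run against a constructed in-memory SQLite table. The table, account and the `login_*` function names are assumptions for the demo.

```python
import hashlib
import sqlite3


def _hash(password):
    # Stand-in for a proper password hash (use argon2/bcrypt in real code).
    return hashlib.sha256(password.encode()).hexdigest()


def make_db():
    """Constructed in-memory user table with a single account (demo data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("admin", _hash("correct-horse")))
    conn.commit()
    return conn


def login_vulnerable(conn, user, password):
    """Query text built from the username: input becomes part of the SQL grammar."""
    sql = ("SELECT name FROM users WHERE name = '%s' AND pw_hash = '%s'"
           % (user, _hash(password)))
    return conn.execute(sql).fetchone() is not None


def login_parameterised(conn, user, password):
    """Same lookup with bound parameters: input is only ever a string value."""
    sql = "SELECT name FROM users WHERE name = ? AND pw_hash = ?"
    return conn.execute(sql, (user, _hash(password))).fetchone() is not None


def demo():
    """Runs both variants with a valid login and with a constructed test username."""
    conn = make_db()
    crafted = "admin' --"  # constructed textbook input used only to show the difference
    return {
        "vuln_good": login_vulnerable(conn, "admin", "correct-horse"),
        "vuln_crafted": login_vulnerable(conn, crafted, "wrong-password"),
        "safe_good": login_parameterised(conn, "admin", "correct-horse"),
        "safe_crafted": login_parameterised(conn, crafted, "wrong-password"),
    }


if __name__ == "__main__":
    print(demo())
```

The string-built version accepts the crafted username with a wrong password because the rest of the WHERE clause is commented out; the parameterised version treats it as a literal username that does not exist.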