KBA 135412 - Fixing SQL injection vulnerability, impact on SSL VPN

Same here. We strictly disable https on WAN zone on all our client's firewall and only limit access to a few trusted static IPs.

however, I can see that some firewalls got affected

this is very unpleasant. I'm currently resetting all admin passwords and analyzing log files.

Same here. We strictly disable https on WAN zone on all our client's firewall and only limit access to a few trusted static IPs.

however, I can see that some firewalls got affected

this is very unpleasant. I'm currently resetting all admin passwords and analyzing log files.

Agreed. I would like to know sooner than later whether I should be resetting passwords en masse. Seems at this point until they figure more out about what the malware did, it might be a wise precaution.

Hi wineoh 

At this time, there is no indication that the attack accessed anything on the local networks behind any impacted XG Firewall. It appears the attack was designed to download payloads intended to exfiltrate XG Firewall-resident data.

The data for any specific firewall depends upon the specific configuration and may include usernames and hashed passwords for the local device admin(s), portal admins, and user accounts used for remote access. Passwords associated with external authentication systems such as AD or LDAP are unaffected.

We are continuing to investigate and expect to release more details of the attack. Please follow https://community.sophos.com/kb/en-us/135412 for further updates.

After analyzing the components and intent of the attack, Sophos published a SophosLabs Uncut article, “Asnarok” Trojan targets firewalls, to share its current understanding of the malware.

Thanks for including the explanatory article on the intrusion. I have rejected it as the answer to this particular post, as the question is specifically about SSL VPN operation and the need to have the User Port open on the WAN, which has been answered.