KBA 135412 - Fixing SQL injection vulnerability, impact on SSL VPN

The article suggests disabling HTTPS Admin Services and User Portal access on the WAN interface. While I have never had the Admin Services interface enabled, I have had the User Portal, as this was required to set up remote clients for VPN access. Is this still the case, at least with an SSL VPN? If I have the User Portal disabled, will I have to manually send the EXE for the VPN client, and will I have to resend it if any VPN settings/policies are changed?



  • Same here. We strictly disable HTTPS on the WAN zone on all our clients' firewalls and only limit access to a few trusted static IPs.

    However, I can see that some firewalls got affected:

    Alert
    14:45

    Hotfix applied for SQL Injection and partially cleaned. Additional steps may be required to secure your network. Please read KBA-135412 for possible next steps.

    This is very unpleasant. I'm currently resetting all admin passwords and analyzing log files.

  • Agreed. I would like to know sooner than later whether I should be resetting passwords en masse. Seems at this point until they figure more out about what the malware did, it might be a wise precaution.

  • Hi,

    At this time, there is no indication that the attack accessed anything on the local networks behind any impacted XG Firewall. It appears the attack was designed to download payloads intended to exfiltrate XG Firewall-resident data.

    The data for any specific firewall depends upon the specific configuration and may include usernames and hashed passwords for the local device admin(s), portal admins, and user accounts used for remote access. Passwords associated with external authentication systems such as AD or LDAP are unaffected.

    We are continuing to investigate and expect to release more details of the attack. Please follow https://community.sophos.com/kb/en-us/135412 for further updates.

  • After analyzing the components and intent of the attack, Sophos published a SophosLabs Uncut article, “Asnarok” Trojan targets firewalls, to share its current understanding of the malware.

  • Thanks for including the explanatory article on the intrusion. I have rejected it as the answer to this particular post, as the question is specifically about SSL VPN operation and the need to have the User Portal open on the WAN, which has been answered.
