
KBA 135412 - XG Firewall Vulnerability - SQL Injection - HTTPS 8443 Port

Hello,

I have checked all the firewalls I'm managing for my customers, and all I can say is that of the 46 firewalls that I manage, 9 have been compromised with this SQL injection. The only thing which differs on the 9 compromised firewalls compared to the 37 others is the HTTPS port used for the User Portal.

The 9 compromised firewalls were using the 8443 HTTPS port for the User Portal. The 37 other firewalls are not using this port but another one, and they are not affected by this attack.

So maybe the vulnerability can only affect the firewalls with the 8443 HTTPS port on the User Portal?

Regards.



  • Same here. I've identified 5 out of 15 firewalls so far.

    All of them show the message:

    Alert
    14:45

    Hotfix applied for SQL Injection and partially cleaned. Additional steps may be required to secure your network. Please read KBA-135412 for possible next steps.

    This should not be possible since we do not allow HTTPS from WAN. We strictly disable it and accept only a handful of trusted IP addresses.

    Sophos needs to clarify ASAP if this is a false positive or if the exploit also affected WAF, User Portal, SSL VPN... services.

  • Hi,

    We sincerely regret any inconvenience this has caused. This is not a false positive.

    Details are found in the KBA. It will continue to be updated as more information becomes available (https://community.sophos.com/kb/en-us/135412):

    • Sophos received a report on April 22, 2020, at 20:29 UTC regarding an XG Firewall with a suspicious field value visible in the management interface. Sophos commenced an investigation and the incident was determined to be an attack against physical and virtual XG Firewall units. The attack affected systems configured with either the administration (HTTPS service) or the User Portal exposed on the WAN zone.

    Regards,

  • It definitely could have exploited a login field on the User Portal if that was exposed on WAN.

    Any page with an entry field like username/password, such as the User Portal or the Admin login page, is exploitable using SQL or code injection. This can insert values into the database and also extract values such as password hashes. Also, any BASIC software development lifecycle with an eye for security could have prevented this. It's as basic as simple input validation checks to prevent this. So sad that Sophos had to learn of this vulnerability the hard way, with its customers taking the hit for the big miss on oversight. Their software QA department should have implemented fuzzing steps to detect bad input on all input fields...
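As an added illustration of the input-handling point made in the last post (example code written for this thread, not Sophos's code; the `users` table, the account and the probe strings are constructed): a login lookup that splices the username into the SQL text, the same lookup with a bound parameter and a length check, and a small fuzz step of the kind the post calls for, which flags the first handler because malformed input produces database errors.

```python
import hashlib
import hmac
import sqlite3

# Constructed sample data: a tiny "user portal" table with one account.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 ("alice", hashlib.sha256(b"s3cret").hexdigest()))
    return conn

def _hash_matches(stored_hash: str, password: str) -> bool:
    return hmac.compare_digest(stored_hash, hashlib.sha256(password.encode()).hexdigest())

def login_concat(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Login handler of the kind the post describes: the field value is pasted
    into the SQL text, so a quote character changes the statement itself."""
    sql = f"SELECT pw_hash FROM users WHERE username = '{username}'"
    row = conn.execute(sql).fetchone()
    return row is not None and _hash_matches(row[0], password)

def login_param(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened handler: a simple length check up front (hypothetical limit),
    then the username travels as a bound parameter, never as SQL text."""
    if not 1 <= len(username) <= 64:
        return False
    row = conn.execute("SELECT pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    return row is not None and _hash_matches(row[0], password)

# Constructed malformed-input probes a QA fuzz step would feed to every login field.
PROBES = ["'", '"', "alice'", "a--", "x;", "' ", "%", "a" * 300]

def fuzz_login(conn: sqlite3.Connection, handler) -> list[str]:
    """Return the probes that either made the handler raise a database error
    (a sign that field input reached the SQL text) or logged in with a wrong password."""
    findings = []
    for probe in PROBES:
        try:
            if handler(conn, probe, "wrong-password"):
                findings.append(probe)
        except sqlite3.Error:
            findings.append(probe)
    return findings

if __name__ == "__main__":
    print("concat handler flagged:", fuzz_login(make_db(), login_concat))
    print("param handler flagged: ", fuzz_login(make_db(), login_param))
```

Running the fuzz step against the concatenating handler flags every probe containing an unbalanced quote, while the parameterised handler returns no findings for the same inputs.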