SQL Injection - Admin Portal IP Restricted - How?

Hi there

We had the notification on our XG 210 to say that it was Partially Cleaned (ie compromised) etc.

The User Portal is disabled on WAN, never used it.

The Admin Portal is enabled on WAN, but access is restricted to our head office trusted IP only. It's not usually something I would ever enable, but the device sits in a secure datacentre and remote access is essential.

I've seen a lot of people here ask a similar question, but nobody has given an actual answer.

How can the device be potentially compromised if it's only accessible from one trusted IP? This restriction DOES work by the way, I have tested thoroughly.

The admin portal login page doesn't even appear for anyone to carry out a SQL injection attack... anyone enlighten me?

Thanks! 



  • Hi  

    The attack affected systems configured with either the administration interface (HTTPS admin service) or the user portal exposed on the WAN zone. In addition, firewalls manually configured to expose a firewall service (e.g. SSL VPN) to the WAN zone that shares the same port as the admin or User Portal were also affected. For reference, the default configuration of XG Firewall is that all services operate on unique ports.

    Sophos recommends using Sophos Connect and also using OTP/2FA.

    We will soon release more details of the attack and its payloads. Please follow our https://community.sophos.com/kb/en-us/135412 for further updates.

    Regards,

  • After analyzing the components and intent of the attack, Sophos published a SophosLabs Uncut article, “Asnarok” Trojan targets firewalls, to share its current understanding of the malware.

  • Hi Flo

    Thanks for the detailed article - very informative and nicely put together.

    However, it still doesn't address exactly how they targeted the devices with SQL Injection if the device is not accessible from anywhere except for a trusted IP source..?

    If you cannot get to the login form, how can you inject the malicious SQL Commands?

  • Hello,

    I also don't have port 8443 or 443 open for WAN settings. I have admin services on for WAN on HTTPS, but I am using a different port.

    So, I don't understand how the firewall was compromised. Is it a false positive?

  • Port scanning your WAN connection will reveal ports that have services running on them. They can then just launch the attack against whatever ports you have open.

    Changing the default ports won't stop an attack like this if they scan for open ports.

  • I’m not quite sure why this topic has derailed into a discussion about ports. I was asking how it’s possible to be compromised if access to the Admin portal is restricted by IP. Ports are irrelevant. You shouldn’t even be able to see what ports are open anyway if incorrect IPs are unable to connect.

  • Hello,

    Was the User Portal accessible from WAN without filtering the source IPs?

    Because the issue is both on the Admin Portal and the User Portal.

  • Hi Viken

    User Portal completely disabled on all interfaces, including WAN. We've never used it.

    Admin Portal available on WAN, but only allowing connection from our main IP at our head office. I have tested this several times and it works. It's been in place for over a year now. We also have Geo-IP filtering enabled for inbound as well, excluding all countries except for a few that we need.

    So... I am a bit confused. Maybe the fact that WAN was enabled, was enough for the Hotfix to trigger a "compromised" message..?

  • IT-Support-247 said:

    Hi Viken

    User Portal completely disabled on all interfaces, including WAN. We've never used it.

    Admin Portal available on WAN, but only allowing connection from our main IP at our head office. I have tested this several times and it works. It's been in place for over a year now. We also have Geo-IP filtering enabled for inbound as well, excluding all countries except for a few that we need.

    So... I am a bit confused. Maybe the fact that WAN was enabled, was enough for the Hotfix to trigger a "compromised" message..?

    Hello,

    How did you configure your Geo-IP filtering on the WAN Admin Portal? Did you directly allow countries in the ACL Exceptions?

  • My bad, I don't have any Geo-IP filtering enabled on Admin Portal, only on the Firewall rules.

    The admin portal rule only allows trusted IPs. Everything that doesn't match, gets dropped.