CATEGORIES
home IT/Enterprise

Sophos XG Firewalls Are Under SQL Injection Zero-Day Attack, Ensure You're Getting The Hotfix

by Shane McGlaunSunday, April 26, 2020, 01:27 PM EDT
sophos endpoint

Sophos has published an emergency security update to patch a zero-day vulnerability in its XG enterprise firewall product. The patch plugs a hole that was being abused in the wild by hackers. Sophos says that it learned of the zero-they exploit on Wednesday of last week, after receiving a report from one of its customers. The customer reported that it had seen "a suspicious field value visible in the management interface."

After investigation, Sophos determined that it was an active attack on both physical and virtual XG Firewall systems, and not a misconfiguration in its product. The hackers were abusing an SQL injection bug in its database to steal passwords. Sophos says that the attack impacted systems configured using both the administration HTTPS service and the User Portal exposed on the WAN zone.

The attack took advantage of a previously unknown SQL injection vulnerability to access exposed XG devices and was designed to download payloads intended to exfiltrate XG Firewall-resident data. Sophos says the data accessible by the attack from any specific firewall depends on the specific configuration and could have included usernames, along with hashed passwords for the local device admins, portal admins, and user accounts used for remote access. Passwords that were associated with external authentication systems such as AD or LDAP were unaffected.

Impact And Resolution Of The Exploit

Sophos says that at this time, there is no indication that the attack was able to gain access to anything on the local area network behind any impacted XG Firewall. Sophos says that when it was made aware of the issue, it immediately started an investigation. After determining the components and impact of the attack, it issued a hotfix to all supported XG Firewall/SFOS versions.

The hotfix eliminated the SQL injection vulnerability preventing further exploitation. The hotfix also stopped the XG Firewall from accessing any attacker infrastructure and cleaned up any remnants from the attack. Anyone running one of the potentially impacted firewalls can get full remediation steps and more details directly from the Sophos knowledge base article concerning the vulnerability. And, if auto-updating hotfixes are not enabled in a firewall, the company details how to enable them here.

In other security news, last week Nintendo announced that 160,000 accounts had been compromised in a global hacking campaign.

Tags:  security, Sophos, Firewall, zeroday
TOP CONVERSATIONS
Your Next PC Platform?
More Results
KEEP INFORMED
SITE

Home

Reviews

News

Blogs

Full Site

Sitemap

CATEGORIES

PC Components

Systems

Mobile

IT Infrastructure

Leisure

Videos

COMPANY

About

Advertise

News Tips

Contact

Privacy And Terms

HotTech

MORE

Accessibility

Shop

STAY CONNECTED

Twitter

Facebook

YouTube

RSS

As an Amazon and Howl Technologies Associate, HotHardware earns a commission from qualifying purchases made on this site. This site is intended for informational and entertainment purposes only. The contents are the views and opinion of the author and/or his associates. All products and trademarks are the property of their respective owners. Reproduction in whole or in part, in any form or medium, without express written permission of Hot Hardware, Inc. is prohibited. All content and graphical elements are Copyright © 1999 - 2024 David Altavilla and Hot Hardware, Inc.
All rights reserved. Privacy and Terms - Accessibility Commitment