Sophos XG Firewall had log-in screen SQL injection vulnerability

Posted on Tuesday, April 28 2020 @ 11:03 CEST by Thomas De Maesschalck
Ars Technica warns that attackers are targeting a popular firewall solution from Sophos. Attackers discovered that the custom operating system on the Sophos XG Firewall contains a pre-authentication SQL injection flaw. In other words: anyone who can reach the firewall's log-in screen could potentially exploit it, no credentials required. The zero-day attack's purpose primarily seems to be data theft:
With that toehold in systems, it downloaded and installed a series of scripts that ultimately executed code intended to make off with users’ names, usernames, the cryptographically hashed form of the passwords, and the salted SHA256 hash of the administrator account’s password. Sophos has delivered a hotfix that mitigates the vulnerability.

Other data targeted by the attack included a list of the IP address allocation permissions for firewall users; the version of the custom operating system running; the type of CPU; the amount of memory that was present on the device; how long it had been running since the last reboot; the output of the ifconfig, a command-line tool; and ARP tables used to translate IP addresses into domain names.
Sophos rolled out a hotfix to offer protection. Users of the Sophos XG Firewall should install the hotfix as soon as possible.

The attack is quite sophisticated and likely required weeks or even months of study of the inner workings of the firewall.
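The core defect described above, an unauthenticated input spliced into a database query, is easiest to understand next to its fix. The following is an added illustration and not Sophos code or the actual XG Firewall query: it builds a constructed in-memory SQLite users table and runs the same inputs through a string-concatenated login check and a parameterized one that compares a salted SHA-256 hash (the storage form the article mentions) in constant time. Function names, the sample account, and the crafted username are all assumptions made for the demo.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample account for an in-memory users table (not Sophos data).
ADMIN_USER = "admin"
ADMIN_PASSWORD = "correct horse battery staple"


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted SHA-256 of the password (the storage form the article mentions).

    A deliberately slow KDF such as scrypt or Argon2 is the better choice in
    production; SHA-256 is used here only to mirror the article.
    """
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def build_db() -> sqlite3.Connection:
    """Create an in-memory database holding one admin account.

    The plaintext password column exists only so the vulnerable query can be
    demonstrated; the hardened path never reads it.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, "
        "salt BLOB, pw_hash BLOB)"
    )
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        (ADMIN_USER, ADMIN_PASSWORD, salt, hash_password(ADMIN_PASSWORD, salt)),
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Anti-pattern: user input is spliced into the SQL text.

    A username containing a quote character changes the structure of the
    statement, so the WHERE clause no longer expresses the intended check.
    """
    query = (
        f"SELECT 1 FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return conn.execute(query).fetchone() is not None


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterized lookup plus constant-time comparison of a salted hash.

    The driver binds the username as a value, never as SQL text, so quotes
    or keywords in it are just characters in a string comparison.
    """
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)


def demo() -> dict:
    """Run identical inputs through both implementations and collect the outcomes."""
    conn = build_db()
    # Constructed input: a username with an unbalanced quote and an always-true clause.
    crafted_user = "admin' OR '1'='1"
    return {
        "vulnerable_accepts_crafted": login_vulnerable(conn, crafted_user, "wrong"),
        "hardened_rejects_crafted": not login_hardened(conn, crafted_user, "wrong"),
        "hardened_accepts_valid": login_hardened(conn, ADMIN_USER, ADMIN_PASSWORD),
        "hardened_rejects_wrong": not login_hardened(conn, ADMIN_USER, "wrong"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The two functions differ in one respect only: whether the untrusted string reaches the SQL parser as code or as a bound value. That single difference is what separates a login screen that enforces credentials from one that any unauthenticated visitor can talk past, and it is the first thing to audit in any pre-authentication form on a network appliance.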


About the Author

Thomas De Maesschalck

Thomas has been messing with computers since early childhood and firmly believes the Internet is the best thing since sliced bread. He enjoys playing with new tech, is fascinated by science, and is passionate about financial markets. When not behind a computer, he can be found with running shoes on or lifting heavy weights in the weight room.
