Sophos pushes out emergency patch to fix XG Firewall zero-day vulnerability
Following the discovery of an SQL injection vulnerability in its XG Firewall product, Sophos has released an emergency patch to protect users against hackers.
The vulnerability affects both physical and virtual XG Firewall units, and signs of attacks were first noticed last week. Attackers exploiting the vulnerability on unpatched firewalls would be able to access all local usernames and hashed passwords of any local user accounts, including local device admins, user portal accounts, and accounts used for remote access.
See also:
- Hackers are selling two serious Zoom zero-day vulnerabilities for $500,000
- Hundreds of thousands of stolen Zoom accounts for sale on hacker forums for next to nothing
- Security researcher discovers vulnerabilities in iOS and macOS that could be exploited to hack webcams
Sophos explains that it was alerted to a "suspicious field value visible in the management interface" of the XG Firewall on April 22. The company goes on to say that it "commenced an investigation and the incident was determined to be an attack against physical and virtual XG Firewall units".
In a security advisory about the issue, Sophos says:
The attack affected systems configured with either the administration interface (HTTPS admin service) or the user portal exposed on the WAN zone. In addition, firewalls manually configured to expose a firewall service (e.g. SSL VPN) to the WAN zone that shares the same port as the admin or User Portal were also affected. For reference, the default configuration of XG Firewall is that all services operate on unique ports. The attack used a previously unknown pre-auth SQL injection vulnerability to gain access to exposed XG devices. It was designed to exfiltrate XG Firewall-resident data.
The company has also published details of its investigation into what it describes as a "coordinated attack by an unknown adversary" where it goes into some detail about how the vulnerability was exploited.
A hotfix is available, and Sophos offers up additional advice:
- Reset device administrator accounts
- Reboot the XG device(s)
- Reset passwords for all local user accounts
- Although the passwords were hashed, it is recommended that passwords are reset for any accounts where the XG credentials might have been reused
Image credit: Kristi Blokhin / Shutterstock