On April 22, Sophos published a knowledge base entry on the Sophos Community regarding the discovery of a zero-day vulnerability in the Sophos XG Firewall that was exploited in the wild. According to Sophos, they were able to identify “an attack against physical and virtual XG Firewall units” after reviewing the report of a “suspicious field value” in the XG Firewall’s management interface. The attack targets the XG Firewall administration interface, which is accessible via the user portal, over HTTPs, or on the WAN zone. They discovered that this also affected systems when the port used for the administration interface or user portal was also used to expose a firewall service, such as the SSL VPN.
Here’s a comment from Rody Quinlan, Security Response Manager at Tenable
“The SQL injection zero-day (CVE-2020-12271) affects the XG Firewall/Sophos Firewall Operating System (SFOS) and could allow attackers to exfiltrate “XG Firewall-resident data,” including usernames, hashed passwords, local user account credentials depending on the configuration.
“The vulnerability targets the XG Firewalls’s administration interface which is accessible via the user portal, accessible over HTTPs, or on the WAN zone. Systems are also affected when the port used for the user portal or administration interface is used to expose a firewall service, such as the SSL VPN.
“Attackers could reuse the credentials collected in a successful attack, including admin passwords, for remote access, or access to other applications, within an organization. The attack that triggered Sophos’s initial investigation and discovery of the zero-day also noted the presence of malware, Asnarok, on the device, that could modify services to ensure it ran each time the firewall was booted to maintain persistence. Sophos has published a separate article, “Asnarök Trojan targets firewalls” which provides more detail.
“As well as implementing the hotfix pushed out by Sophos, organizations should work to reduce the attack surface where possible by disabling the HTTPS Admin Services and User Portal access on the WAN interface.”