Cybersecurity Threat Advisory 0030-20: Sophos Firewall Zero-Day (CVE-2020-12271)
Unpatched versions of Sophos XG Firewalls are potentially vulnerable to SQL Injection attacks. Sophos pushed out an automatic update, but some devices may need to be manually patched or rebooted for the changes to take effect. Specific guidance is included in the recommendations section below.
Technical detail and additional information
What is the threat?
A zero-day vulnerability has been detected in all versions of both physical and virtual Sophos XG firewalls that allows an attacker to perform a pre-authentication SQL injection attack. Specifically, this affects an XG firewall that has been configured with the administration interface (HTTPS admin service), the user portal, or any firewall service (i.e. SSL VPN) that shares a port with the admin services or user portal exposed to the internet. This means that an attacker could exploit this vulnerability and download malware (named Asnarok by Sophos researchers) on the device which could allow for the exfiltration of usernames, hashed passwords and more for user accounts for the firewall, and for accounts that can remotely access the firewall. Notably, Sophos has ensured that passwords for external authentication systems such as active directory (AD) or LDAP are not vulnerable to having their credentials exfiltrated.
Why is this noteworthy?
With Sophos being a popular and trusted choice for firewall products and the nature of a zero-day attack, many users of this line of firewall products may not be aware they are at risk. It appears that the nature of the vulnerability is critical enough that Sophos is reaching out to customers that their devices have been compromised and to follow provided remediations. While we have seen some of our customers notified this way, we would not recommend relying on Sophos to confirm if you have been compromised. Regarding the amount of XG firewalls that could be compromised, it is very common for a firewall to have services and administrative features exposed to the internet for ease of use, as well as functions such as VPN access. This likely means that many of the existing XG firewalls could be vulnerable to having their credentials exfiltrated.
What is the exposure or risk?
By exploiting this vulnerability an attacker can execute a SQL injection and download malware to the device. After the malicious payload is delivered to the device, the malware can exfiltrate an assortment of data including usernames and hashed passwords for the firewall device admin, firewall portal admins, and user accounts that are used for remote access to the device. In addition to this user information, information about the firewall itself can be stolen. This includes the firewall’s license and serial number, as well as user emails. Sophos has stated that their investigation did not indicate that attackers used these stolen passwords to access the XG firewalls, or any device on the network beyond the firewall. However, if this vulnerability remains unpatched on any given device there is no shortage of damage that could be done if an attacker were able to successfully compromise passwords the firewall and the associated user accounts.
What are the recommendations?
Sophos has already released an update that should patch all XG firewalls automatically, provided they are configured to allow automatic updates. In addition, there has been a special notification box in the firewall’s control panel that indicates if the device was compromised. Sophos has also released several recommendations to prevent or remediate this exploit that we have included below:
- Reset device administrator accounts.
- Reboot any XG device(s)
- Reset passwords for all local user accounts
- Although the passwords were hashed, it is recommended that passwords are reset for any accounts where the XG credentials might have been used.
Additionally, Sophos recommends disabling publicly facing HTTPS admin services and the user portal if they are not in use, as detailed in the link below:
For more in-depth information about the recommendations, please visit the following links:
If you have any questions, please contact our Security Operations Center.