Sophos XG Firewalls Are Under SQL Injection Zero-Day Attack, Ensure You're Getting The Hotfix


Sophos has published an emergency security update to patch a zero-day vulnerability in its XG enterprise firewall product. The patch plugs a hole that was being abused in the wild by hackers. Sophos says that it learned of the zero-day exploit on Wednesday of last week, after receiving a report from one of its customers. The customer reported that it had seen "a suspicious field value visible in the management interface."

After investigation, Sophos determined that it was an active attack on both physical and virtual XG Firewall systems, and not a misconfiguration in its product. The hackers were abusing an SQL injection bug in its database to steal passwords. Sophos says that the attack impacted systems configured using both the administration HTTPS service and the User Portal exposed on the WAN zone.

The attack took advantage of a previously unknown SQL injection vulnerability to access exposed XG devices and was designed to download payloads intended to exfiltrate XG Firewall-resident data. Sophos says the data accessible by the attack from any specific firewall depends on the specific configuration and could have included usernames, along with hashed passwords for the local device admins, portal admins, and user accounts used for remote access. Passwords that were associated with external authentication systems such as AD or LDAP were unaffected.
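The two points above, that an SQL injection flaw in an exposed portal can hand an attacker every locally stored hash, and that the first visible symptom was an odd field value in the management interface, are easier to see in code. The following is an added example written for this article, not Sophos code; the user table, column names, hash strings and configuration fields are constructed assumptions and do not reflect the XG Firewall's real database layout. It contrasts a lookup built by string concatenation with the same lookup using a bound parameter, and adds a small triage check for the kind of suspicious field value the customer noticed.

```python
"""Added example (not Sophos code): why a string-built SQL query leaks rows,
how a parameterised query prevents it, and a simple triage check for
suspicious field values.  Schema and sample rows are constructed."""
import re
import sqlite3

# Constructed sample data.  Only locally authenticated accounts carry a hash;
# the LDAP-backed account stores none, which mirrors the article's point that
# passwords held by external AD/LDAP systems were not exposed.
SAMPLE_USERS = [
    ("admin", "sha512$abc...", "local"),
    ("portaladmin", "sha512$def...", "local"),
    ("vpnuser", "sha512$ghi...", "local"),
    ("jdoe", None, "ldap"),
]


def make_db():
    """Build an in-memory table resembling a firewall's local user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw_hash TEXT, auth_source TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """Portal-style lookup that splices user input into the SQL text.

    A value containing a quote and an OR clause changes the query's logic,
    so the lookup returns every row (every stored hash) instead of one.
    """
    sql = "SELECT name, pw_hash FROM users WHERE name = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Same lookup with a bound parameter: the input is data, never SQL."""
    sql = "SELECT name, pw_hash FROM users WHERE name = ?"
    return conn.execute(sql, (username,)).fetchall()


# Heuristic for values that should never appear in a hostname, description
# or similar configuration field.  It is a triage aid and will produce false
# positives (e.g. an apostrophe in a name); a hit warrants a closer look, not
# an automatic verdict.
SUSPICIOUS = re.compile(r"""['";]|--|/\*|\b(union|select|sleep|benchmark)\b""",
                        re.IGNORECASE)


def suspicious_fields(config):
    """Return the names of configuration fields whose values look like SQL."""
    return [key for key, value in config.items()
            if isinstance(value, str) and SUSPICIOUS.search(value)]


if __name__ == "__main__":
    db = make_db()
    print("safe lookup:      ", lookup_safe(db, "admin"))
    print("vulnerable lookup:", lookup_vulnerable(db, "x' OR '1'='1"))
    print("safe with payload:", lookup_safe(db, "x' OR '1'='1"))
    # Constructed configuration snapshot for the triage check.
    print("flagged fields:   ", suspicious_fields({"hostname": "fw01",
                                                   "description": "x' OR '1'='1"}))
```

Run stand-alone, the vulnerable lookup returns all four rows for the crafted username while the parameterised lookup returns none, and the triage check flags only the `description` field. The fix Sophos shipped is described only as eliminating the injection; binding parameters as in `lookup_safe` is the standard way to do that, and the field check is one way a defender can turn the customer's observation into a repeatable review of exported configuration.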

Impact And Resolution Of The Exploit

Sophos says that at this time, there is no indication that the attack was able to gain access to anything on the local area network behind any impacted XG Firewall. Sophos says that when it was made aware of the issue, it immediately started an investigation. After determining the components and impact of the attack, it issued a hotfix to all supported XG Firewall/SFOS versions.

The hotfix eliminated the SQL injection vulnerability, preventing further exploitation. The hotfix also stopped the XG Firewall from accessing any attacker infrastructure and cleaned up any remnants from the attack. Anyone running one of the potentially impacted firewalls can get full remediation steps and more details directly from the Sophos knowledge base article concerning the vulnerability. And, if auto-updating hotfixes are not enabled on a firewall, the company also explains how to enable them.

In other security news, last week Nintendo announced that 160,000 accounts had been compromised in a global hacking campaign.