Sophos XG Firewall SQL Injection Vulnerability
Summary
Sophos has released details of an SQL injection zero-day vulnerability affecting their XG Firewall product series. They state that an unauthenticated remote attacker could exploit this vulnerability to execute arbitrary code or extract sensitive information.
Affected platforms
The following platforms are known to be affected:
Sophos XG Firewall (physical and virtual) -- All firmware versions
Threat details
At the time of publication, the root cause of the vulnerability is unclear; however, Sophos has confirmed they have observed attacks exploiting it. These attacks appear to be using an unidentified payload to exfiltrate XG Firewall-resident data. This data is specific to the affected firewall configuration and may include usernames and hashed passwords for local device administrators, XG Firewall portal administrators, and remote user accounts.
Remediation advice
Sophos has released a hotfix update to address this vulnerability. Affected organisations are advised to apply this update immediately.
Additionally, Sophos has advised affected organisations to disable all XG Firewall user and administration interfaces on Internet-facing ports. Guidance on how to do this can be found in Sophos KBA 135414.
Last edited: 1 May 2020 4:09 pm