Sophos XG Firewall SQL Injection Vulnerability

Summary

Sophos has released details of an SQL injection zero day vulnerability affecting their XG Firewall product series. They claim that an unauthenticated remote attacker could exploit this vulnerability to execute arbitrary code or extract sensitive information.


Affected platforms

The following platforms are known to be affected:

Sophos XG Firewall (physical and virtual) -- All firmware versions


Threat details

At the time of publication, the root cause of the vulnerability is unclear; however, Sophos has confirmed they have observed attacks exploiting it. These attacks appear to be using an unidentified payload to exfiltrate XG Firewall-resident data. This data is specific to the affected firewall configuration and may include usernames and hashed passwords for local device administrators, XG Firewall portal administrators, and remote user accounts.
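The advisory names the defect class (SQL injection against an unauthenticated interface) without describing the vulnerable code, so the following is a generic added illustration, not Sophos's code or schema. It uses a constructed in-memory SQLite table of placeholder password hashes to show why string-built queries let a single untrusted parameter return every credential row, and how the same lookup written with a bound parameter does not. The table layout, the `lookup_vulnerable` and `lookup_safe` functions and the sample rows are all assumptions made for this example.

```python
import sqlite3

# Constructed sample data standing in for a device-local credential store.
# Hash values are placeholders; no real hashes or Sophos schema are used.
CONSTRUCTED_ROWS = [
    ("admin", "hash-placeholder-1", "local_admin"),
    ("portal-admin", "hash-placeholder-2", "portal_admin"),
    ("vpnuser", "hash-placeholder-3", "remote_user"),
]


def make_db():
    """Build the constructed in-memory table used by both lookups."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pw_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", CONSTRUCTED_ROWS)
    return conn


def lookup_vulnerable(conn, username):
    """The defect class in the advisory: untrusted input concatenated into SQL.

    The caller's string becomes part of the statement, so SQL syntax inside it
    is parsed and executed rather than compared as a username.
    """
    query = (
        "SELECT username, pw_hash, role FROM users WHERE username = '"
        + username
        + "'"
    )
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    """Parameterised form: the input is bound as data and never parsed as SQL."""
    return conn.execute(
        "SELECT username, pw_hash, role FROM users WHERE username = ?",
        (username,),
    ).fetchall()


def demo():
    """Return row counts for a benign and a crafted input against both lookups."""
    conn = make_db()
    benign = "vpnuser"
    # Constructed input: closes the quoted literal and appends an always-true clause.
    crafted = "x' OR '1'='1"
    return {
        "vuln_benign": len(lookup_vulnerable(conn, benign)),
        "vuln_crafted": len(lookup_vulnerable(conn, crafted)),   # every row leaks
        "safe_benign": len(lookup_safe(conn, benign)),
        "safe_crafted": len(lookup_safe(conn, crafted)),         # no user has that name
    }


if __name__ == "__main__":
    print(demo())
```

The point for defenders is the asymmetry in the last two counts: the bound-parameter version treats the whole crafted string as a literal username and returns nothing, which is exactly the property a hotfix for this class of bug has to restore. Reducing exposure of the interface (as the remediation section advises) limits who can reach the defect at all, but does not remove it.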


Remediation advice

Sophos has released a hotfix update to address this vulnerability. Affected organisations are advised to apply this update immediately.

Additionally, Sophos has advised affected organisations to disable all XG Firewall user and administration interfaces on Internet-facing ports. Guidance on how to do this can be found in Sophos KBA 135414.

Last edited: 1 May 2020 4:09 pm