Number: AL20-013
Date: 29 April 2020
OVERVIEW
On 22 April 2020 Sophos investigated an incident which led to the discovery of a pre-authentication SQL Injection vulnerability, tracked as CVE-2020-12271, in its XG Firewall firmware. This vulnerability affects physical and virtual implementations of the XG Firewall and was observed by Sophos being actively exploited in the wild.
Sophos has since released a hotfix to address the vulnerability for all supported versions (17.0, 17.1, 17.5, 18.0), and has published a report describing the malware (which Sophos calls “Asnarok”) that was used in the incident.
DETAILS
Successful exploitation requires access to the administrative interface (HTTPS admin service) or the user portal of the XG Firewall. In addition, other firewall services that have been manually configured to run on the same ports as the admin or user portal may also be affected.
The malware exfiltrates data from XG Firewall appliances. This may include all usernames and the hashed passwords of any local user accounts, including administrative user accounts. Passwords associated with external authentication systems such as Active Directory (AD) or LDAP were not compromised.
SUGGESTED ACTION
Administrators should verify that the hotfix has been applied by viewing the messages section of the Control Center within the XG management interface. Sophos reported that in some instances this message may also provide an indication of compromise.
For compromised XG Firewall devices that have received the hotfix, Sophos strongly recommends the following additional steps to fully remediate the issue:
- Reset device administrator accounts
- Reboot the XG device(s)
- Reset passwords for all local user accounts
Although the passwords were hashed, it is recommended that passwords are reset for any accounts where the XG credentials might have been reused.
Additionally, Sophos recommends disabling HTTPS admin services on the WAN interface. If the user portal is not being used, Sophos recommends deactivating it on the WAN as well.
INDICATORS OF COMPROMISE
For reported indicators of compromise, review the Detailed Sophos Analysis article linked in the REFERENCES section below.
REFERENCES
Sophos Knowledge Base Article:
https://community.sophos.com/kb/en-us/135412
Detailed Sophos Analysis:
https://news.sophos.com/en-us/2020/04/26/asnarok/
NOTE TO READERS
The Canadian Centre for Cyber Security (Cyber Centre) operates as part of the Communications Security Establishment. We are Canada's national authority on cyber security and we lead the government's response to cyber security events. As Canada's national computer security incident response team, the Cyber Centre works in close collaboration with government departments, critical infrastructure, Canadian businesses and international partners to prepare for, respond to, mitigate, and recover from cyber events. We do this by providing authoritative advice and support, and coordinating information sharing and incident response. The Cyber Centre is outward-facing, welcoming partnerships that help build a stronger, more resilient cyber space in Canada.
The Cyber Centre can be contacted at:
Email: contact@cyber.gc.ca
Toll Free: 1-833-CYBER-88 (1-833-292-3788)