Alert - Sophos XG Firewall Vulnerability - CVE-2020-12271

Number: AL20-013
Date: 29 April 2020

OVERVIEW

On 22 April 2020 Sophos investigated an incident which led to the discovery of a pre-authentication SQL injection vulnerability, tracked as CVE-2020-12271, in its XG Firewall firmware. This vulnerability affects physical and virtual implementations of the XG Firewall and was seen by Sophos being actively exploited in the wild.

Sophos has since released a hotfix to address the vulnerability for all supported versions (17.0, 17.1, 17.5, 18.0), and has published a report describing the malware (which Sophos calls "Asnarok") that was used in the incident.

DETAILS

Successful exploitation requires access to the administrative interface (HTTPS admin service) or the user portal of the XG Firewall. In addition, other firewall services that have been manually configured to run on the same ports as the admin or user portal may also be affected.

The malware exfiltrates data from XG Firewall appliances. This may include all usernames and the hashed passwords of any local user accounts, including administrative user accounts. Passwords associated with external authentication systems such as Active Directory (AD) or LDAP were not compromised.

SUGGESTED ACTION

Administrators should verify that the hotfix has been applied by viewing the messages section of the Control Center within the XG management interface. Sophos reported that in some instances this message may provide an indication of compromise.

For compromised XG Firewall devices that have received the hotfix, Sophos strongly recommends the following additional steps to fully remediate the issue:

  •  Reset device administrator accounts
  •  Reboot the XG device(s)
  •  Reset passwords for all local user accounts

Although the passwords were hashed, it is recommended that passwords are reset for any accounts where the XG credentials might have been reused.

Additionally, Sophos recommends disabling HTTPS admin services on the WAN interface. If the user portal is not being used, Sophos also recommends deactivating this service on the WAN as well.

INDICATORS OF COMPROMISE

For reported indicators of compromise, review the Detailed Sophos Analysis article which has been linked in the below REFERENCES section.

REFERENCES

Sophos Knowledge Base Article:
https://community.sophos.com/kb/en-us/135412

Detailed Sophos Analysis:
https://news.sophos.com/en-us/2020/04/26/asnarok/

NOTE TO READERS

The Canadian Centre for Cyber Security (Cyber Centre) operates as part of the Communications Security Establishment. We are Canada's national authority on cyber security and we lead the government's response to cyber security events. As Canada's national computer security incident response team, the Cyber Centre works in close collaboration with government departments, critical infrastructure, Canadian businesses and international partners to prepare for, respond to, mitigate, and recover from cyber events. We do this by providing authoritative advice and support, and coordinating information sharing and incident response. The Cyber Centre is outward-facing, welcoming partnerships that help build a stronger, more resilient cyber space in Canada.

The Cyber Centre can be contacted at:
Email: contact@cyber.gc.ca
Toll Free: 1-833-CYBER-88 (1-833-292-3788)