Cyber-security company Sophos released an emergency security update on Saturday to fix a zero-day vulnerability in its XG enterprise firewall software that hackers were exploiting in the wild.

Sophos said it first learned of the zero-day late on Wednesday, April 22, after receiving a report from one of its customers. The customer reported seeing "a suspicious field value visible in the management interface." After investigating the report, Sophos concluded it was an active attack rather than a bug in its product.

The attackers targeted Sophos XG Firewall devices whose administration interface (HTTPS service) or user portal was exposed to the internet. Sophos said the hackers exploited a SQL injection vulnerability to download a payload onto the device. The payload then exfiltrated files from the XG Firewall. The stolen data could include usernames and hashed passwords for firewall system administrators, firewall portal administrators, and user accounts used for remote access. Sophos said passwords for external authentication schemes such as AD or LDAP were not affected.

The company said its investigation found no evidence that the hackers had used the stolen passwords to access XG Firewall devices, or anything beyond the firewall, on its customers' internal networks.

The UK company, best known for its antivirus software, said it had already prepared and pushed an automatic update that patches all XG firewalls with the auto-update feature enabled. The update also adds an indicator to the XG Firewall control panel that tells system owners whether their device was compromised.

For organizations whose devices were compromised, Sophos recommends a series of steps that include password resets and system reboots:

- Reset portal administrator and server administrator accounts
- Reboot the XG device(s)
- Reset passwords for all local user accounts
- Although the stolen passwords were hashed, reset the passwords of any other accounts where the XG credentials may have been reused

Sophos has also published instructions for disabling the control panel on the WAN interface.