SQL injection bug exploited to steal credentials from vulnerable devices

Sophos has scrambled to release a security update to address a zero-day vulnerability in its XG Firewall/SFOS technology.

The patch resolves an SQL injection vulnerability that was first spotted in the wild in cyber-attacks last week.

Sophos discovered the problem following a tip-off that something was amiss from one of its customers.

A subsequent investigation revealed that the organization had come under attack because of an SQL injection vulnerability in an internet-facing component of its XG Firewall.

The attack gave attackers a means to remotely retrieve firewall access credentials (e.g. usernames, passwords), insert a one-line command into a database table, download a shell script, and ultimately plant the Asnarok trojan on vulnerable devices.

“This attack revealed a previously unknown SQL injection vulnerability that led to remote code execution on some of our firewall products,” a detailed technical write-up of the attack by Sophos explains.

“The vulnerability has since been remediated.”

In response to questions from The Daily Swig on the impact of the attack, Sophos said: “The SQL injection vulnerability was used to gain access, but by itself it did not give the attacker access to information on the firewall.”

The company added: “Once they gained access, they then used the Asnarok trojan to attempt to exfiltrate any retrieved information from the firewall.”

Known unknown

Both physical and virtual XG Firewall units are vulnerable to the “previously unknown pre-auth SQL injection vulnerability”, Sophos admits in a knowledge base article.

Systems configured with either the administration interface (HTTPS admin service) or the user portal exposed on the WAN zone are potentially vulnerable.

Firewall installations manually configured to expose a firewall service (e.g. SSL VPN) to the WAN zone and on the same port as the admin or User Portal are also at risk of attack.

Sophos has released a hotfix, rolled out automatically to those with auto-update enabled, to customers of supported versions of its enterprise firewall technology.

“This hotfix eliminated the SQL injection vulnerability which prevented further exploitation, stopped the XG Firewall from accessing any attacker infrastructure, and cleaned up any remnants from the attack,” according to the security vendor.

A timeline of the incident in Sophos’ advisory refers to an “attack affecting multiple customers”, though the scale of the problem remains unclear and the number of impacted customers unconfirmed.

Independent analysis by security experts suggests that many thousands of devices might have been vulnerable, based on data from Shodan scans and traffic to a malicious domain established solely to run the attack, among other evidence.

Reaction to the flaw has been mixed, with some infosec pros praising Sophos for its transparency while others faulted it for failing to follow up and promise a code audit.

Although the amount of damage caused by the attack seems to be limited, things might easily have been far worse, especially if ransomware had been involved.