The security firm Sophos and its customers were victimized when a previously unknown SQL injection vulnerability in the company’s physical and virtual XG Firewall units was exploited.
The attack was first reported on April 22 when a suspicious field value visible in the firewall management interface was detected. The attack used a previously unknown pre-auth SQL injection vulnerability that created a remote code execution situation that enabled the attackers to gain access to exposed XG devices with the intention of exfiltrating XG Firewall-resident data. This included all local usernames and hashed passwords of any local user accounts. However, Sophos does not believe any data was removed from the affected accounts.
“The attack affected systems configured with either the administration interface (HTTPS admin service) or the user portal exposed on the WAN zone. In addition, firewalls manually configured to expose a firewall service (e.g. SSL VPN) to the WAN zone that shares the same port as the admin or User Portal were also affected,” Sophos said.
Sophos’ initial reaction was to determine the components of the attack and to apply a hotfix that eliminated the threat to all supported XG Firewall/SFOS versions. The company notified its customers of the threat, whether or not their system was involved in the attack and when the hotfix was applied via a pop-up message on the XG management interface.
“The exploit of this vulnerability resulted in the attacker being able to insert a one-line command into a database table. This initial injected command triggered an affected device to download a Linux shell script named Install.sh from a remote server on the malicious domain sophosfirewallupdate[.]com,” the company said.
The script ran then ran a series of poorly designed Postgres SQL commands that instead of modifying certain tables in the database in fact made visible the attacker’s own injected SQL command line on the user interface of the firewall’s administrative panel for all to see.
Additional shells were dropped to maintain persistence and to set up the scenario for removing data from the impacted system.
