Hackers Are Exploiting a Sophos Firewall Zero-day (zdnet.com) 12

Cyber-security firm Sophos has published an emergency security update to patch a zero-day vulnerability in its XG enterprise firewall product that was being abused in the wild by hackers. From a report: Sophos said it first learned of the zero-day late on Wednesday, April 22, after it received a report from one of its customers. The customer reported seeing "a suspicious field value visible in the management interface." After investigating the report, Sophos determined this was an active attack and not an error in its product. "The attack used a previously unknown SQL injection vulnerability to gain access to exposed XG devices," Sophos said in a security advisory today. Hackers targeted Sophos XG Firewall devices that had their administration (HTTPS service) or the User Portal control panel exposed on the internet. Sophos said the hackers used the SQL injection vulnerability to download a payload on the device. This payload then stole files from the XG Firewall.


  • Iptables, netfilter, PF are all pretty good...

  • by bobstreo ( 1320787 ) on Monday April 27, 2020 @11:06AM (#59996950)

    Why bother even having a firewall if you do this? You are just a ticking time bomb waiting for something (bad) to happen.

    I mean seriously:

    "devices that had their administration (HTTPS service) or the User Portal control panel exposed on the internet"

    Not only should admin ports and control panels be blocked on the Internet side, they should also be unavailable to the internal networks, except for the people who need to admin and control the firewalls.

    • The problem is most companies don't want to pay for proper IT services. I get it, IT services are not cheap; to pay market rate for IT guys, they will probably be some of your highest-paid employees, and this is only for a cost center. Also, any single job an IT guy does is usually pretty easy; any schlub can do it. Set up a firewall: follow the directions on the quick start form and you are all set. Expand networks with a switch: easy. Keep your email server running.

      The reason why you need IT Staff is beca

      • The reason why you need IT Staff is because they see the bigger IT Infrastructure.

        So, if you have a company with 3 or 4 employees doing the day-to-day stuff of making money, how big of an IT staff should you have?

        Companies that buy internet appliances usually expect them to be "easy to use and secure", or at least "secure by default", simply because they cannot afford to have an "IT Staff".

        • You should not even have any kind of firewall needing configuration with that size. Just a "Reject all incoming" box, which is nicely handled by your NAT.

          You really need to outsource all IT jobs, and not host anything on premise with so few people.

    • Why bother even having a firewall if you do this? You are just a ticking time bomb waiting for something (bad) to happen.

      I mean seriously:

      "devices that had their administration (HTTPS service) or the User Portal control panel exposed on the internet"

      Not only should admin ports and control panels be blocked on the Internet side, they should also be unavailable to the internal networks, except for the people who need to admin and control the firewalls.

      The real issue here is the User Portal part. It's trivial to not have the admin interface exposed. In fact, Sophos offers rich options for exceptions, where you can have the various admin methods (web, SSH, telnet) available from specific IPs or subnets only. But the User Portal... that's meant to grant users user-facing things, like the ability to download the VPN client. Or manage quarantined e-mail. It's meant to be exposed, much like Exchange's ActiveSync/OWA interface.

      That the user portal was vu

    • by XXongo ( 3986865 )

      Why bother even having a firewall if you do this?

      Because you have it supported by a company that patched the flaw as soon as they realized it was there.

      • They knew all along that a device hosting a web interface that could be accessed anywhere was not secure.

        You are insinuating that these security experts didn't know that. Not sure who is dumber... them, or you.
  • The attack used a previously unknown SQL injection vulnerability to gain access to exposed XG devices

    If you're running an SQL instance on perimeter security devices you've already lost.

  • by ugen ( 93902 ) on Monday April 27, 2020 @11:29AM (#59997014)

    They have an SQL database with an interface open to *any* network at all on a *security device*? These people are maliciously incompetent.

    • by kamakazi ( 74641 )

      I am sure you are misunderstanding something here; they have a firewall device with a webUI to configure it. Obviously that webUI has to have a backend database of some sort. I am sure that the database is only accessible by the accounts built into the webUI, and only accessible from the device hosting the webUI. The problem here is not an open database. The problem here is the people who bought the firewall device and then set it up so the webUI was accessible from the outside. Yes, Sophos has a

  • Every database driver that I've worked with, in C, C++, Perl, PHP, C#, and others, supports parameterized queries. SQL injection has been a known class of exploits for decades. How can this still happen now?
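As an added illustration of the parameterized-query point made in the comment above (example code written here, not Sophos's code or anything from the advisory; the user table, the field values and the detection heuristic are all constructed), here is a concatenated query beside its bound-parameter equivalent, plus a small heuristic for flagging the kind of "suspicious field value" an operator might notice in a management interface:

```python
import re
import sqlite3

# Constructed in-memory table standing in for a management-portal backend.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", 1), ("bob", 0)])
    return conn

def admins_named_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # Vulnerable pattern: the field value is spliced into the SQL text, so a
    # quote character in the input changes the structure of the statement.
    sql = f"SELECT name FROM users WHERE name = '{name}' AND is_admin = 1"
    return sorted(row[0] for row in conn.execute(sql))

def admins_named_parameterized(conn: sqlite3.Connection, name: str) -> list:
    # Hardened pattern: the driver binds the value, so it is only ever
    # compared as data and never parsed as SQL, whatever it contains.
    sql = "SELECT name FROM users WHERE name = ? AND is_admin = 1"
    return sorted(row[0] for row in conn.execute(sql, (name,)))

# Constructed heuristic for log review: a quote followed by an SQL keyword or
# comment marker inside a user-supplied field value is worth a second look.
_SUSPICIOUS = re.compile(r"""['"]\s*(?:or|and|union|select|--|;)""", re.I)

def looks_suspicious(value: str) -> bool:
    return _SUSPICIOUS.search(value) is not None

if __name__ == "__main__":
    db = make_db()
    tautology = "bob' OR '1'='1"   # constructed textbook input, not a real payload
    print(admins_named_vulnerable(db, tautology))      # ['alice', 'bob']
    print(admins_named_parameterized(db, tautology))   # []
    print(looks_suspicious(tautology), looks_suspicious("o'brien"))
```

The parameterized version never matches the constructed input because there is no user literally named that; the concatenated one returns both rows because the input rewrote the WHERE clause.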
