A SQL injection vulnerability in the user and admin web interfaces of Sophos XG Firewall v18.0 MR1 and older potentially allows an attacker to run arbitrary code remotely. The fix is built into the re-release of XG Firewall v18 MR-1 (named MR-1-Build396) and the v17.5 MR13 release; all other versions from 17.0 onward have received a hotfix.
Affected versions: Sophos XG Firewall v18.0 MR1 and older.
[German] After experiencing issues with Sophos XG Firewall v18 MR1, the software was pulled. Now there are reports that the Sophos XG Firewall is being attacked via a zero-day exploit, and Sophos has released an emergency patch to close the vulnerability. Here is some information about this 'drama' and the attack.
The trouble with the Sophos XG Firewall update
First, a short recap. A few weeks ago the company released a firmware update for Sophos UTM, version 9.703, as well as an update for the Sophos XG Firewall, v18 MR1. In mid-April 2020 I had pointed out in the blog post Stop: Don't install Sophos UTM 9.703 Firmware that this update should not be installed because of serious issues. Sophos then had to withdraw that firmware for the Sophos UTM.
The German edition of the above blog post was commented on by blog reader Matthias Gutowsky (thank you for that), who pointed out that the same problem existed with the Sophos XG Firewall. A Sophos Community post dated April 14, 2020 noted that Sophos XG Firewall v18 MR1 had also been withdrawn and that a new version was being worked on. But the trouble continued.
Sophos XG firewall under attack
Over the weekend I had already seen the following tweet from Catalin Cimpanu, pointing to a ZDNet article with details about the attack.
BREAKING: Hackers are exploiting a Sophos firewall zero-day
– Attacks detected on Wednesday
– Hackers exploited an SQLi to steal device data (creds)
– Patch pushed out earlier today
– Patch also removes artifacts from compromised XG firewall systems https://t.co/RSeABqz7jc pic.twitter.com/c971ypwgao
— Catalin Cimpanu (@campuscodi) April 26, 2020
Bleeping Computer has also published an article about the zero-day exploit and the attacks. In security advisory 135412, Sophos says that on April 22, 2020 at 20:29 UTC it received a report of strange behavior on an XG firewall: its management interface suddenly showed a suspicious field value.
Unknown SQL injection vulnerability exploited
Sophos's investigation identified the incident as an attack on both physical and virtual XG firewall units.
- The attack affected systems configured with either the management interface (HTTPS administration service) or the user portal exposed in the WAN zone.
- It also affected firewalls that were manually configured to expose a firewall service (such as SSL VPN) in the WAN zone on the same port as the management interface or the user portal.
The default configuration of the XG firewall, by contrast, requires that all services operate on unique ports. The attack used a previously unknown pre-authentication SQL injection vulnerability to gain access to exposed XG devices. The aim of the exploit was to exfiltrate data resident on the XG firewall.
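The two at-risk configurations above (a portal bound directly in the WAN zone, or another WAN-facing service sharing a portal's port) are easy to miss in a large rule set, so here is a small audit script added to this post. It is not Sophos code and not a Sophos-documented check: it works on a constructed, simplified view of the configuration (service label, zone, TCP port) with assumed service labels and assumed default ports, and mapping a real SFOS configuration export onto those records is left to the reader.

```python
"""Audit a firewall's service bindings for the two at-risk configurations.

Added example, not Sophos code and not a Sophos-documented check. It works on
a constructed, simplified view of the configuration (service, zone, TCP port);
the real SFOS configuration export is structured differently, so mapping it
onto Binding records is left to the reader.
"""
from dataclasses import dataclass

# The web admin console and the user portal are the two interfaces named in the
# Sophos description. Their port numbers are configurable, so only the service
# identity is hard-coded. (Assumed labels for this example, not SFOS identifiers.)
PORTALS = {"webadmin", "userportal"}


@dataclass(frozen=True)
class Binding:
    service: str  # "webadmin", "userportal", "sslvpn", ...
    zone: str     # "WAN", "LAN", "DMZ", ...
    port: int     # TCP port the service listens on


def exposure_findings(bindings):
    """Return (severity, message) tuples for every at-risk binding.

    Flags the two conditions from the Sophos description:
      1. the admin console or the user portal is bound in the WAN zone;
      2. another service (e.g. SSL VPN) is bound in WAN on a port that the
         admin console or the user portal also listens on, so WAN traffic on
         that port reaches the vulnerable web interface even though the portal
         itself is not in the WAN zone.
    A default-style configuration, where every service has a unique port and
    the portals stay off the WAN zone, yields no findings.
    """
    portal_ports = {b.port: b.service for b in bindings if b.service in PORTALS}
    findings = []
    for b in bindings:
        if b.zone != "WAN":
            continue
        if b.service in PORTALS:
            findings.append(("high", f"{b.service} is exposed in WAN on tcp/{b.port}"))
        elif b.port in portal_ports:
            findings.append(("high", f"{b.service} in WAN shares tcp/{b.port} with {portal_ports[b.port]}"))
    return findings


def is_exposed(bindings):
    return bool(exposure_findings(bindings))


# Constructed sample configurations, not exported from a real device.
# 4444 (admin console) and 443 (user portal) are assumed to be the SFOS
# defaults; 8443 for SSL VPN is chosen here only to be distinct.
DEFAULT_STYLE = [
    Binding("webadmin", "LAN", 4444),
    Binding("userportal", "LAN", 443),
    Binding("sslvpn", "WAN", 8443),
]
PORTAL_IN_WAN = DEFAULT_STYLE[1:] + [Binding("webadmin", "WAN", 4444)]
PORT_COLLISION = [
    Binding("webadmin", "LAN", 4444),
    Binding("userportal", "LAN", 443),
    Binding("sslvpn", "WAN", 443),  # SSL VPN moved onto the user portal's port
]

if __name__ == "__main__":
    for label, cfg in [("default", DEFAULT_STYLE), ("portal in WAN", PORTAL_IN_WAN),
                       ("port collision", PORT_COLLISION)]:
        print(label, exposure_findings(cfg) or "no findings")
```

The second rule is the one worth keeping after this incident: a portal that is nominally LAN-only is still reachable from the WAN if some other service was hand-configured onto its port, which is exactly why the default insists on unique ports.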
The data exfiltrated from each affected firewall includes the user names and hashed passwords of all local user accounts, for example local device administrators, user portal accounts, and accounts used for remote access. Sophos has published this blog post with more information about the attack.
Note: Passwords associated with external authentication systems such as Active Directory (AD) or LDAP have not been compromised, since they are not stored on the firewall.
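To make "pre-authentication SQL injection that dumps every local account" concrete, here is a generic illustration added to this post. It is not the Sophos XG code and does not reproduce the real injection point, which Sophos has not published. It assumes a constructed SQLite table of local accounts (sample names and placeholder hashes, not real data) and a hypothetical unauthenticated lookup that takes a user name from the request; the vulnerable version splices the parameter into the query text, the fixed version binds it.

```python
"""Pre-authentication SQL injection: a vulnerable lookup beside the fixed one.

Added, generic illustration; not the Sophos XG code and not the real injection
point. The table and its rows are constructed sample data.
"""
import sqlite3


def make_db():
    """Build an in-memory table of local accounts (constructed sample data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE local_users (name TEXT, pw_hash TEXT, role TEXT)")
    db.executemany(
        "INSERT INTO local_users VALUES (?, ?, ?)",
        [  # placeholder hashes, not real credentials
            ("admin", "$6$constructed$adminhash", "administrator"),
            ("vpn-bob", "$6$constructed$bobhash", "sslvpn"),
            ("portal-alice", "$6$constructed$alicehash", "userportal"),
        ],
    )
    # Accounts authenticated against AD/LDAP would have no row here at all,
    # which is why an injection in this table cannot reach their passwords.
    return db


def vulnerable_lookup(db, name):
    """Hypothetical unauthenticated portal lookup. BUG: the request parameter
    is spliced into the SQL text, so it can close the string literal and append
    arbitrary SQL."""
    sql = (f"SELECT name, role FROM local_users "
           f"WHERE name = '{name}' AND role = 'userportal'")
    return db.execute(sql).fetchall()


def fixed_lookup(db, name):
    """Same lookup with a parameterized query: the value is bound by the driver
    and never parsed as SQL, so the payload below is just a name that matches
    no row."""
    sql = ("SELECT name, role FROM local_users "
           "WHERE name = ? AND role = 'userportal'")
    return db.execute(sql, (name,)).fetchall()


# Attacker-controlled value: closes the literal, UNIONs the hash column into
# the two-column result set, and comments out the remaining role check.
PAYLOAD = "x' UNION SELECT name, pw_hash FROM local_users -- "


def demo():
    """Return (rows the vulnerable lookup leaks, rows the fixed lookup returns)."""
    db = make_db()
    return vulnerable_lookup(db, PAYLOAD), fixed_lookup(db, PAYLOAD)


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable:", leaked)  # every local name and hash
    print("fixed:     ", safe)    # []
```

No session or login is needed to reach either function, which is what makes the bug pre-authentication: the only precondition is network reachability of the portal, as the exposure conditions above describe.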
Sophos distributes emergency patch
After determining the components and effects of the attack, Sophos provided a hotfix for all supported XG Firewall/SFOS versions. This hotfix should already have been applied to all affected devices with auto-update enabled. The hotfix addresses the SQL injection vulnerability and is intended to prevent further exploitation of the zero-day and attacker access to the infrastructure via the XG firewall. At the same time, the hotfix is intended to clean up any remnants of the attack.
Note: If the “Allow automatic installation of hotfixes” option is disabled, see KB 135415 for instructions on how to apply the required hotfix.
Is Sophos XG Firewall compromised?
In a security advisory, Sophos gives advice on how administrators can detect whether an XG firewall is compromised. The hotfix adds a message to the XG management interface indicating whether or not a particular XG firewall was affected by this attack. Once the hotfix is installed, an uncompromised Sophos XG firewall displays the message below.
(Alert on an uncompromised XG Firewall, Source: Sophos)
If the hotfix was installed successfully and the firewall was compromised, the following message appears in the Control Center instead.
(Alert on a compromised Sophos XG Firewall, Source: Sophos)
Customers with compromised firewalls should respond by rebooting their XG devices and changing the passwords of all local user accounts. Since the password hashes were exfiltrated, the same passwords should also be changed wherever else they were reused. Details can be found in this Sophos advisory.
Related posts:
- Stop: Don't install Sophos UTM 9.703 Firmware
- Revised Firmware update Sophos UTM 9.703-3 released