After problems with Sophos XG Firewall v18 MR1, the software was pulled. Now there are reports that the Sophos XG Firewall is being attacked via a 0-day exploit. Sophos has released an emergency patch to close the vulnerability. Here is some information about this ‘drama’ and the attack.
The trouble with the Sophos XG Firewall update
First a short review. A few weeks ago the company released a firmware update for Sophos UTM to version 9.703, as well as an update for the Sophos XG Firewall v18 MR1. In mid-April 2020 I had pointed out in the blog post Stop: Don’t install Sophos UTM 9.703 Firmware that this update should not be installed due to serious issues. Sophos then had to withdraw this firmware for the Sophos UTM.
The German edition of the above blog post was commented on by blog reader Matthias Gutowsky (thank you for that), pointing out that the same problem exists with the Sophos XG Firewall. In this Sophos Community post, dated April 14, 2020, it was noted that Sophos XG Firewall v18 MR1 had also been withdrawn and that a new version was being worked on. But the trouble continued.
Sophos XG firewall under attack
Over the weekend I saw the following tweet from Catalin Cimpanu, pointing to an article at ZDNet with details about the attack.
BREAKING: Hackers are exploiting a Sophos firewall zero-day
– Attacks detected on Wednesday
– Hackers exploited an SQLi to steal device data (creds)
– Patch pushed out earlier today
– Patch also removes artifacts from compromised XG firewall systems https://t.co/RSeABqz7jc pic.twitter.com/c971ypwgao
— Catalin Cimpanu (@campuscodi) April 26, 2020
Bleeping Computer has also published this article about the 0-day exploit and the attacks. In security advisory 135412 Sophos says that on April 22, 2020 at 20:29 UTC it received a report about strange behavior of an XG firewall: its management interface suddenly showed a suspicious field value.
Unknown SQL injection vulnerability exploited
The investigation by Sophos identified the incident as an attack on physical and virtual XG firewall units.
- The attack affected systems configured with either the management interface (HTTPS administration service) or the user portal exposed in the WAN zone.
- It also affected firewalls that were manually configured to expose a firewall service (such as SSL VPN) in the WAN zone that uses the same port as the management or user portal.
The default configuration of the XG firewall, on the other hand, requires that all services operate on unique ports. The attack used a previously unknown pre-authentication SQL injection vulnerability to gain access to exposed XG devices. The aim of the exploit is to exfiltrate data resident on the XG firewall.
The data exfiltrated from each affected firewall includes all local user names and the hashed passwords of all local user accounts, for example local device administrators, user portal accounts, and accounts used for remote access. Sophos has published this blog post with more information about this attack.
Note: Passwords associated with external authentication systems such as Active Directory (AD) or LDAP have not been compromised.
Sophos distributes emergency patch
After determining the components and effects of the attack, Sophos provided a hotfix for all supported XG firewall/SFOS versions. This hotfix should already have been applied to all affected devices with auto-update enabled. The hotfix addresses the SQL injection vulnerability and is intended to prevent further exploitation of the 0-day and attacker access to the infrastructure via the XG firewall. At the same time, the hotfix is intended to clean up any remnants of the attack.
Note: If the “Allow automatic installation of hotfixes” option is disabled, see KB 135415 for instructions on how to apply the required hotfix.
Is Sophos XG Firewall compromised?
In a Security Advisory, Sophos gives some advice on how administrators can detect whether an XG firewall is compromised. The hotfix applied by Sophos adds a message to the XG management interface indicating whether or not a particular XG firewall was affected by this attack. If the hotfix is installed, an uncompromised Sophos XG firewall displays the message below.
(Screenshot: Alert on XG Firewall, Source: Sophos)
If the hotfix was successfully installed and the firewall was compromised, the following message appears in the Control center instead.
(Screenshot: Compromised Sophos XG Firewall, Source: Sophos)
Customers with compromised firewalls should respond by rebooting their XG devices. In addition, the passwords of all local user accounts should be changed. Details can be found in this Sophos advisory.
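The two exposure conditions above (a portal in the WAN zone, or a WAN-facing service sharing a portal's port) and the remediation scope (local accounts only; AD/LDAP untouched) can be turned into a quick self-check over a configuration export. The following is an added example for this article, not Sophos code: the configuration snapshot is constructed, and the service names (admin_https, user_portal, ssl_vpn), the zone labels and the auth_backend values are assumptions standing in for whatever your own export contains.

```python
"""Assess whether an XG firewall configuration matches the exposure pattern
in the Sophos advisory, and list which accounts need a password change.

Added example, not Sophos code. The configuration snapshot is constructed;
the service names, zone labels and auth_backend values are assumptions."""
from dataclasses import dataclass

# Assumed names for the two web portals named in the advisory.
MANAGEMENT_PORTALS = {"admin_https", "user_portal"}


@dataclass(frozen=True)
class Service:
    name: str
    zone: str   # constructed zone label: "WAN" or "LAN"
    port: int


@dataclass(frozen=True)
class Account:
    username: str
    auth_backend: str  # constructed: "local", "AD" or "LDAP"


def exposure_reasons(services):
    """Return the reasons a config matches the affected pattern:
    a management/user portal exposed in WAN, or any other WAN-facing
    service that listens on the same port as one of those portals."""
    portal_ports = {s.port for s in services if s.name in MANAGEMENT_PORTALS}
    reasons = []
    for s in services:
        if s.zone != "WAN":
            continue
        if s.name in MANAGEMENT_PORTALS:
            reasons.append(f"{s.name} exposed in WAN on port {s.port}")
        elif s.port in portal_ports:
            reasons.append(f"{s.name} in WAN shares portal port {s.port}")
    return reasons


def duplicate_ports(services):
    """The default XG config keeps every service on a unique port;
    report any port used by more than one service."""
    seen = set()
    dups = set()
    for s in services:
        if s.port in seen:
            dups.add(s.port)
        seen.add(s.port)
    return sorted(dups)


def accounts_to_rotate(accounts):
    """Only local account hashes were exfiltrated; AD/LDAP passwords were not."""
    return sorted(a.username for a in accounts if a.auth_backend == "local")


def remediation_plan(services, accounts):
    """Combine the checks into the steps the advisory calls for."""
    reasons = exposure_reasons(services)
    return {
        "matches_exposure_pattern": bool(reasons),
        "reasons": reasons,
        "duplicate_ports": duplicate_ports(services),
        # Reboot and rotate only if the Control center reports compromise;
        # the list shows which accounts that would cover.
        "local_accounts_to_rotate_if_compromised": accounts_to_rotate(accounts),
    }


# Constructed snapshot: admin portal in WAN, SSL VPN sharing the user portal's port.
EXPOSED_SERVICES = [
    Service("admin_https", "WAN", 4444),
    Service("user_portal", "LAN", 443),
    Service("ssl_vpn", "WAN", 443),
    Service("dns", "LAN", 53),
]
# Constructed snapshot following the default: portals off WAN, unique ports.
HARDENED_SERVICES = [
    Service("admin_https", "LAN", 4444),
    Service("user_portal", "LAN", 443),
    Service("ssl_vpn", "WAN", 8443),
    Service("dns", "LAN", 53),
]
SAMPLE_ACCOUNTS = [
    Account("admin", "local"),
    Account("jdoe", "AD"),
    Account("vpn_user", "local"),
    Account("ldap_svc", "LDAP"),
]

if __name__ == "__main__":
    for label, svcs in (("exposed", EXPOSED_SERVICES), ("hardened", HARDENED_SERVICES)):
        print(label, remediation_plan(svcs, SAMPLE_ACCOUNTS))
```

The port-collision check is separate from the exposure check on purpose: a collision on an internal-only zone is a deviation from the default layout worth tidying, but only a WAN-facing collision with a portal port matches the pattern described in the advisory.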
This article describes how to configure download throttling on the Sophos UTM to maintain Quality of Service (QoS). If you want to limit the bandwidth available to certain applications, or throttle the downloads of individual users, download throttling is the feature to use.
WHAT TO DO:
Step 1: Log in to the Sophos UTM WebAdmin, go to ‘Interfaces & Routing’ >> ‘Quality of Service (QoS)’ >> ‘Traffic Selectors’ and click the ‘New Traffic Selector’ button:
Configure the traffic selector as follows and then click the ‘Save’ button:
- Name: Enter a descriptive name for this traffic selector.
- Selector type: You can define the following types:
  - Traffic selector: Using a traffic selector, traffic will be shaped based on a single service or a service group.
  - Application selector: Using an application selector, traffic will be shaped based on applications, i.e. which traffic belongs to which application, independent from the port or service used.
  - Group: You can group different service and application selectors into one traffic selector rule. To define a group, there must be some already defined single selectors.
- Source: Select the source network for which you want to enable QoS.
- Service: Only with Traffic selector. Select the network service for which you want to enable QoS. You can select among various predefined services and service groups. For example, select VoIP protocols (SIP and H.323) if you want to reserve a fixed bandwidth for VoIP connections.
- Destination: Select the destination network for which you want to enable QoS.
- Control by: Only with Application selector. Select whether to shape traffic based on its application type or by a dynamic filter based on categories.
  - Applications: The traffic is shaped application-based. Select one or more applications in the box Control these applications.
  - Dynamic filter: The traffic is shaped category-based. Select one or more categories in the box Control these categories.
- Control these applications/categories: Only with Application selector. Click the Folder icon to select applications/categories. A dialog window opens, which is described in detail in the next section.
- Productivity: Only with Dynamic filter. Reflects the productivity score you have chosen.
- Risk: Only with Dynamic filter. Reflects the risk score you have chosen.
Step 2: Go to ‘Interfaces & Routing’ >> ‘Quality of Service (QoS)’ >> ‘Download Throttling’ and click the ‘New Download Throttling Rule’ button:
Configure the rule as follows and then click the ‘Save’ button:
- Name: Enter a descriptive name for this download throttling rule.
- Position: The position number, defining the priority of the rule. Lower numbers have higher priority. Rules are matched in ascending order. Once a rule has matched, rules with a higher number will not be evaluated anymore. Place the more specific rules at the top of the list to make sure that more general rules match last.
- Limit (kbit/s): The upper limit (in kbit/s) for the specified traffic. For example, if you want to limit the rate to 1 Mbit/s for a particular type of traffic, enter 1024.
- Limit: Combination of traffic source and destination to which the limit defined above should apply:
  - shared: The limit is equally distributed between all existing connections, i.e. the overall download rate of the traffic defined by this rule is limited to the specified value.
  - each source address: The limit applies to each particular source address.
  - each destination address: The limit applies to each particular destination address.
  - each source/destination: The limit applies to each particular pair of source and destination address.
- Traffic selectors: Select the traffic selectors for which you want to throttle the download rates. The defined limit will be divided between the selected traffic selectors.
- Comment (optional): Add a description or other information.
Step 3: Enable the Rule
- On the ‘Download Throttling’ tab, click the toggle switch (shown below) for the required rule to enable it.
- Move to the ‘Quality of Service (QoS)’ >> ‘Status’ tab and activate the interfaces the QoS rule applies to, as you can see in the following screenshot.
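To make the rule semantics from Steps 1 to 3 concrete (first match in ascending position order, disabled rules skipped, and the four ‘Limit’ modes deciding how many connections share one instance of the limit), here is an added example written for this article; it is not Sophos code and does not reproduce how the UTM's shaper is implemented. Selector matching is reduced to source network, destination network and service name, and every address, selector name and rule name below is constructed.

```python
"""Model Sophos UTM download-throttling semantics: rules are evaluated in
ascending position order, first match wins, disabled rules are skipped, and
the rule's limit is shared according to its 'Limit' mode.

Added example, not Sophos code. Selector matching is reduced to source
network, destination network and service name; all addresses, selector and
rule names below are constructed."""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    service: str


@dataclass(frozen=True)
class TrafficSelector:
    name: str
    source: str       # CIDR
    service: str
    destination: str  # CIDR

    def matches(self, flow):
        return (ip_address(flow.src) in ip_network(self.source)
                and ip_address(flow.dst) in ip_network(self.destination)
                and flow.service == self.service)


@dataclass
class ThrottleRule:
    name: str
    position: int
    limit_kbit: int   # kbit/s, e.g. 1024 for 1 Mbit/s as in the text
    mode: str         # "shared", "each source address",
                      # "each destination address", "each source/destination"
    selectors: tuple
    enabled: bool = True


def first_matching_rule(rules, flow):
    """Lower position = higher priority; evaluation stops at the first match."""
    for rule in sorted(rules, key=lambda r: r.position):
        if rule.enabled and any(sel.matches(flow) for sel in rule.selectors):
            return rule
    return None


def limit_group(rule, flow):
    """Key identifying the set of flows that share one instance of the limit."""
    if rule.mode == "shared":
        return ()
    if rule.mode == "each source address":
        return (flow.src,)
    if rule.mode == "each destination address":
        return (flow.dst,)
    if rule.mode == "each source/destination":
        return (flow.src, flow.dst)
    raise ValueError(f"unknown limit mode: {rule.mode}")


def per_flow_limits(rules, flows):
    """Map each active flow to its kbit/s share (None = not throttled).
    The limit is split equally among the flows in the same limit group."""
    matched = {f: first_matching_rule(rules, f) for f in flows}
    group_sizes = Counter((r.name, limit_group(r, f))
                          for f, r in matched.items() if r is not None)
    return {
        f: None if r is None else r.limit_kbit / group_sizes[(r.name, limit_group(r, f))]
        for f, r in matched.items()
    }


# Constructed traffic selectors (Step 1).
ZOOM = TrafficSelector("zoom", "10.0.0.0/24", "zoom", "0.0.0.0/0")
HTTPS = TrafficSelector("https-out", "10.0.0.0/24", "https", "0.0.0.0/0")

# Constructed throttling rules (Step 2), deliberately listed out of position order;
# the position-0 rule is disabled (Step 3) and therefore never matches.
RULES = [
    ThrottleRule("HTTPS-per-user", 2, 1024, "each source address", (HTTPS,)),
    ThrottleRule("Zoom-total", 1, 2048, "shared", (ZOOM,)),
    ThrottleRule("Old-https-cap", 0, 64, "shared", (HTTPS,), enabled=False),
]

# Constructed set of currently active connections.
FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", "zoom"),
    Flow("10.0.0.6", "203.0.113.10", "zoom"),
    Flow("10.0.0.5", "198.51.100.1", "https"),
    Flow("10.0.0.5", "198.51.100.2", "https"),
    Flow("10.0.0.7", "198.51.100.1", "https"),
    Flow("10.0.0.9", "198.51.100.1", "ssh"),
]

if __name__ == "__main__":
    for flow, kbit in per_flow_limits(RULES, FLOWS).items():
        print(flow, kbit)
```

With this input the two Zoom connections share the 2048 kbit/s ‘shared’ limit (1024 each), the two HTTPS connections from 10.0.0.5 split that host's 1024 kbit/s ‘each source address’ allowance (512 each) while 10.0.0.7 keeps a full 1024, and the SSH connection matches no rule and is left unthrottled.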
Step 4: Check the result
Done! Hope this article might help you … thank you!