Sophos Discovers and Patches Actively Exploited Flaw in its XG Firewall

Sophos has released a patch for a zero-day vulnerability in its XG Firewall which has been exploited in attacks to deliver malware. The flaw was discovered by Sophos on April 22, when an anomalous field value was discovered in the management interface of the Firewall.

The investigation uncovered a previously unknown SQL injection vulnerability that had been exploited on some virtual and physical firewalls. Sophos reports that several of its customers have been targeted, but the exact number of victims is not known. The victims all had either the administrative service or user portal of their firewall exposed to the Internet, which allowed the flaw to be exploited remotely.

The attackers exploited the flaw and attempted to download malware that would send back data from the firewall such as usernames and password hashes for local device administrators, portal admins and remote user accounts, but it would not have allowed attackers to gain access to the credentials of external authentication systems such as Active Directory or LDAP. Sophos said the malware used in the attacks was called Asnarok, but it is unclear which threat group conducted the attack. Sophos has not found evidence to suggest that the attacks allowed firewall data to be exfiltrated; however, even if data was not exfiltrated, it could have been viewed by the attackers.

According to a Sunday Sophos blog post, the flaw was exploited to insert a single line of code into the firewall database, which downloaded a Linux shell script called from a remote server. Postgres SQL commands were then executed to drop further files into the virtual file system. These commands were performed to try to achieve persistence after a reboot, to create a backup channel, and to conceal the attack. Sophos explained that the attempts to conceal the attack did not work on some appliances. While the aim appeared to be to zero out values in certain tables in the database, including one that usually displays the administrative IP address of the firewall device, the attacker’s injected shell commands were displayed in the user interface of the firewall’s administrative panel.

Sophos corrected the flaw with a SFOS hotfix that was rolled out on April 25. After applying the hotfix, administrators will be informed if their firewall was one of those that was attacked. In such cases, an alert will be generated that states “Hotfix applied for SQL injection and partially cleaned.” In such cases, password resets will need to be performed for the portal administrator and device administrator accounts, the XG device must then be rebooted, and all local user account passwords must then be reset. In cases where there has been password reuse on other platforms, those passwords should also be reset as a precaution. If passwords were obtained, they would have been hashed, but it is possible that the passwords could be discovered and used in further attacks. If the firewall has not been attacked, simply applying the hotfix is all that is required.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of