Zero-day Sophos XG Firewall vulnerability: An exploit guide for pentesters

by Howard Poston on September 24, 2020

The Sophos XG Firewall vulnerability

The Sophos XG Firewall recently had a publicly-reported zero-day vulnerability. The vulnerability in question was an SQL injection vulnerability that, if exploited, would allow code execution.

This SQL injection vulnerability was reported to the vendor after it was being exploited in the wild. The vendor received a report from a customer that the Sophos XG Firewall Management interface contained a suspicious value. Further investigation revealed that the SQL injection vulnerability was exploited to execute a chain of Linux shell scripts that eventually downloaded and executed a copy of the Asnarök Trojan.

A remote server hosting the lookalike domain sophosfirewallupdate.com performed the initial command injection. Additional malicious IP addresses and domains (including sophosproductupdate.com) were used during the attack to pull malware droppers and modules and to perform the exfiltration of sensitive data.

Exploiting the vulnerability

Exploitation of the vulnerability in a target environment is a two-step process. A Sophos XG firewall is only exploitable if it is running a vulnerable version of the firmware and has one of several network configuration issues. If these conditions are met, the SQL injection vulnerability can be exploited.

Sponsorships Available

Identifying vulnerable systems

For a system to be vulnerable to exploitation, a few preconditions must be met. These include a misconfiguration of the organization’s network and the use of a vulnerable version of the Sophos XG firewall firmware.

The SQL injection vulnerability in the Sophos XG firewall can be accessed in a few different ways. Vulnerable firewalls exposed one of the following on the WAN zone: