Zero-day Sophos XG Firewall vulnerability: An exploit guide for pentesters

The Sophos XG Firewall vulnerability

The Sophos XG Firewall recently had a publicly reported zero-day vulnerability. The flaw in question was an SQL injection vulnerability that, if exploited, allows code execution on the firewall.

This SQL injection vulnerability was reported to the vendor only after it had already been exploited in the wild. The vendor received a report from a customer that the Sophos XG Firewall management interface contained a suspicious value. Further investigation revealed that the SQL injection vulnerability had been exploited to execute a chain of Linux shell scripts that eventually downloaded and executed a copy of the Asnarök Trojan.

A remote server hosting the lookalike domain performed the initial command injection. Additional malicious IP addresses and domains were used during the attack to pull malware droppers and modules and to perform the exfiltration of sensitive data.

Exploiting the vulnerability

Exploitation of the vulnerability in a target environment is a two-step process. A Sophos XG firewall is only exploitable if it is running a vulnerable version of the firmware and has one of several network configuration issues. If these conditions are met, the SQL injection vulnerability can be exploited.

Identifying vulnerable systems

For a system to be vulnerable to exploitation, a few preconditions must be met. These include a misconfiguration of the organization’s network and the use of a vulnerable version of the Sophos XG firewall firmware.

The SQL injection vulnerability in the Sophos XG firewall can be reached in a few different ways. Vulnerable firewalls expose one of the following on the WAN zone:

  • Administration interface (HTTPS admin interface)
  • User portal
  • Firewall service (e.g., SSL VPN) that shares a port with either of the previous

If a Sophos XG firewall has any of these three configuration errors, then it may be vulnerable to exploitation. The other (Read more...)
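The three WAN-exposure conditions above can be turned into a configuration audit. The following is an added example, not code from the original post or from Sophos: it assumes a simplified listener inventory (service name, zone, port) exported from the firewall by some other means, and flags the administration interface or user portal on the WAN zone, as well as any other WAN-facing service that shares a port with either of them. The firmware-version check is left out because the post names no version numbers.

```python
from dataclasses import dataclass

ADMIN_INTERFACE = "admin"      # HTTPS admin interface
USER_PORTAL = "user_portal"
PORTALS = (ADMIN_INTERFACE, USER_PORTAL)


@dataclass(frozen=True)
class Listener:
    """One listening service on the firewall (hypothetical inventory format)."""
    service: str   # e.g. "admin", "user_portal", "ssl_vpn"
    zone: str      # e.g. "WAN", "LAN"
    port: int


def wan_exposure_findings(listeners):
    """Return one finding per exposure condition from the post, in inventory order."""
    findings = []
    # Ports used by the admin interface or user portal in any zone: a WAN-facing
    # service bound to the same port makes that portal reachable from the WAN.
    portal_ports = {l.port: l.service for l in listeners if l.service in PORTALS}
    for l in listeners:
        if l.zone.upper() != "WAN":
            continue
        if l.service in PORTALS:
            findings.append(f"{l.service} exposed directly on WAN port {l.port}")
        elif l.port in portal_ports:
            findings.append(
                f"{l.service} on WAN port {l.port} shares the port with {portal_ports[l.port]}"
            )
    return findings


def is_exposed(listeners):
    return bool(wan_exposure_findings(listeners))


# Constructed sample inventories: a risky layout and a corrected one.
RISKY = [
    Listener("admin", "LAN", 4444),
    Listener("user_portal", "LAN", 443),
    Listener("ssl_vpn", "WAN", 443),    # shares 443 with the user portal
    Listener("ipsec_vpn", "WAN", 500),
]
HARDENED = [
    Listener("admin", "LAN", 4444),
    Listener("user_portal", "LAN", 443),
    Listener("ssl_vpn", "WAN", 8443),   # moved off the user portal's port
    Listener("ipsec_vpn", "WAN", 500),
]

if __name__ == "__main__":
    for name, inv in (("risky", RISKY), ("hardened", HARDENED)):
        print(name, wan_exposure_findings(inv))
```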

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Howard Poston. Read the original post at: