Very High
CVE-2020-12271: Sophos XG Firewall Pre-Auth SQL Injection Vulnerability
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
Add References:
CVE-2020-12271: Sophos XG Firewall Pre-Auth SQL Injection Vulnerability
MITRE ATT&CK
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Topic Tags
Description
A SQL injection issue was found in SFOS 17.0, 17.1, 17.5, and 18.0 before 2020-04-25 on Sophos XG Firewall devices, as exploited in the wild in April 2020. This affected devices configured with either the administration (HTTPS) service or the User Portal exposed on the WAN zone. A successful attack may have caused remote code execution that exfiltrated usernames and hashed passwords for the local device admin(s), portal admins, and user accounts used for remote access (but not external Active Directory or LDAP passwords)
Add Assessment
Ratings
-
Attacker ValueVery High
-
ExploitabilityVery High
Technical Analysis
Vulnerability Rating/Info
I based the value and exploitability off of the Sophos vulnerability details page: https://community.sophos.com/kb/en-us/135412 / https://web.archive.org/web/20200426003614/https://community.sophos.com/kb/en-us/135412
Sophos indicates attackers have been actively compromising these appliances at least as of April 22, 2020 when at least one customer noticed odd field values in their admin console.
Given that the SQL injection can happen pre-auth, and that both the user-facing and admin-facing interfaces are vulnerable, means this is a pretty severe bug.
It appears to only provide access to usernames and hashed appliance passwords. Credential reuse is likely the culprit for at least the known successful post-SQLi compromise.
Exposure Analysis
We found over 72,000 exposed appliances. Many appear to be service provider/telecom/ISP provisioned and sitting on customer segments.
The top 20 countries (IP geolocation) make up ~80% of the exposure:
country | n | pct |
---|---|---|
United States | 9126 | 12.54% |
India | 7989 | 10.98% |
Germany | 5433 | 7.47% |
Japan | 4680 | 6.43% |
Italy | 4338 | 5.96% |
Australia | 4168 | 5.73% |
Turkey | 3740 | 5.14% |
Brazil | 3526 | 4.85% |
France | 2567 | 3.53% |
United Kingdom | 1822 | 2.50% |
South Africa | 1779 | 2.44% |
Canada | 1658 | 2.28% |
Spain | 1644 | 2.26% |
Malaysia | 1496 | 2.06% |
Switzerland | 1261 | 1.73% |
Colombia | 1124 | 1.54% |
Thailand | 1087 | 1.49% |
Netherlands | 932 | 1.28% |
Taiwan | 681 | 0.94% |
Portugal | 611 | 0.84% |
There are 2 primary externally facing HTTP paths:
- Admin @
https://{host|ip}:{port}/webconsole/webpages/login.jsp
- User @
https://{host|ip}:{port}/userportal/webpages/myaccount/login.jsp
I crafted a quick hack study to just see if we could get version info and we can. Sophos does the daft thing Microsoft does for OWA and refers to HTML resources by the version/build (e.g.):
<link rel="stylesheet" href="/themes/lite1/css/loginstylesheet.css?ver=17.5.9.577" type="text/css">
I’ll be doing a more thorough path study this week but we got back ~12,500 unique (by IP) responses. Here’s the breakdown (TLDR there’s a decent bit of exposure as of Sunday).
Sophos XG Appliance Version Distribution ~65,000 Appliances Provided Version Details; Only ~25% appear to be patched as of 2020-04-27. # Sophos Appliances 0~ 5,000 10,000 15,000 5.01.0.376 x ~ ~ ~ 5.01.0.407 x ~ ~ ~ 5.01.0.418 x ~ ~ ~ 5.01.0.447 x ~ ~ ~ 6.01.0.190 x ~ ~ ~ 6.01.1.202 xx ~ ~ ~ 6.01.2.222 x ~ ~ ~ 6.01.3.265 x ~ ~ ~ 6.01.4.342 x ~ ~ ~ 6.05.0.098 x ~ ~ ~ 6.05.0.117 x ~ ~ ~ 6.05.1.139 x ~ ~ ~ 6.05.2.160 xx ~ ~ ~ 6.05.3.183 x ~ ~ ~ 6.05.5.233 xx ~ ~ ~ 6.05.6.266 xx ~ ~ ~ 6.05.7.305 xx ~ ~ ~ 6.05.8.320 x ~ ~ ~ 17.0.0.32 x ~ ~ ~ 17.0.0.80 x ~ ~ ~ 17.0.1.98 x ~ ~ ~ 17.0.2.116 xx ~ ~ ~ 17.0.3.131 x ~ ~ ~ 17.0.5.162 xx ~ ~ ~ 17.0.6.181 xxxxx ~ ~ ~ 17.0.7.191 xxxx ~ ~ ~ 17.0.8.209 x ~ ~ ~ 17.0.9.217 x ~ ~ ~ 17.1.0.152 x ~ ~ ~ 17.1.1.175 xx ~ ~ ~ 17.1.2.225 xxxx ~ ~ ~ 17.1.3.250 xxxxx ~ ~ ~ 17.5.0.310 x ~ ~ ~ 17.5.0.321 xxx ~ ~ ~ 17.5.1.347 xxx ~ ~ ~ 17.5.2.381 xxxxxxxxxxxxxxxxxxxxxxxxxx ~ ~ 17.5.3.372 x ~ ~ ~ 17.5.4.429 xxxxxx ~ ~ ~ 17.5.5.433 xxxxxxxxx ~ ~ ~ 17.5.6.488 xxxxxx ~ ~ ~ 17.5.7.511 xxxxxxxxxxxxxxxxxxxxxxxxx ~ ~ 17.5.8.539 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ~ 7.5.10.620 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ~ 7.5.11.661 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ~ 18.0.0.102 x ~ ~ ~ 18.0.0.113 x ~ ~ ~ 18.0.0.180 x ~ ~ ~ 18.0.0.285 x ~ ~ ~ 18.0.0.321 xx ~ ~ ~ 18.0.0.339 xxxxxx ~ ~ ~ 18.0.0.354 xx ~ ~ ~ 18.0.1.368 x ~ ~ ~ ~ Source: Rapid7 Project Sonar April 2020 HTTPS Studies~
As of 2020-04-28 ~25% appliances do not leave the “auto-update hotfix” setting on.
Our blog on it: https://blog.rapid7.com/2020/04/27/cve-2020-12271-sophos-xg-firewall-pre-auth-sql-injection-vulnerability-remediation-guidance-and-exposure-overview/ | https://web.archive.org/web/20200428094002/https://blog.rapid7.com/2020/04/27/cve-2020-12271-sophos-xg-firewall-pre-auth-sql-injection-vulnerability-remediation-guidance-and-exposure-overview/
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportRatings
-
Attacker ValueVery High
Technical Analysis
The sophos subreddit reveals some insight on why these firewalls were listening on their WAN ports in the first place. In addition the the admin interface, there’s a ‘user portal’ you can enabled, and even that may not be required for exploitation at least anecdotally:
https://www.reddit.com/r/sophos/comments/g7x3n9/xg_firewall_vulnerability_notification_action/
https://www.reddit.com/r/sophos/comments/g7tax1/sophos_xg_sql_injection_attack_kb135412_released/
Kind of a smart (and annoying for security analysis :) move for Sophos is they made getting the old software near impossible as soon as they found out about the problem. Contrast with Citrix, which left vulnerable versions of Netscaler up in AWS and other locations available for download long after mass-exploitation had started. Handy for research, but a lot of folks also continued to be popped long after the info was public
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportCVSS V3 Severity and Metrics
General Information
Vendors
- sophos
Products
- sfos 17.0,
- sfos 17.1,
- sfos 17.5,
- sfos 18.0
Exploited in the Wild
Would you like to delete this Exploited in the Wild Report?
Yes, delete this report- Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
- News Article or Blog (https://codewhitesec.blogspot.com/2020/07/sophos-xg-tale-of-unfortunate-re.html)
- Other: Tenable Exploited In The Wild Analysis (https://www.tenable.com/blog/cve-2020-12271-zero-day-sql-injection-vulnerability-in-sophos-xg-firewall-exploited-in-the-wild)
Would you like to delete this Exploited in the Wild Report?
Yes, delete this reportWould you like to delete this Exploited in the Wild Report?
Yes, delete this reportReferences
Government Or Industry Alert
Additional Info
Technical Analysis
Description
On April 25, 2020, Sophos published a blog post on, CVE-2020-12271, a pre-authentication SQL injection zero-day vulnerability that leads to remote code execution in Sophos XG Firewalls. Systems configured with either the administration interface (HTTPS admin service) or the user portal exposed on the WAN zone are affected. CVE-2020-12271 carries a CVSSv3 base score of 10.
Code White Security has released a detailed article on the reverse engineering efforts that went into analyzing the attack. Rapid7 researchers have observed many vulnerable instances of XG Firewall that are exposed to the public internet, in the following report, despite the patch being available; we recommend organizations take immediate action in light of previous exploitation.
Affected products
The following major versions of Sophos XG Firewall are affected:
- 17.0 17.1 17.5 18.0
The following versions of Sophos XG Firewall have the hotfix applied:
- Sophos XG Firewall 17.0.10.240 17.1.4.254 17.5.11.661 18.0.0.379
Rapid7 analysis
On April 22, 2020 a suspicious field value in an XG Firewall management interface was reported to Sophos. This led to the discovery of a campaign leveraging CVE-2020-12271, a new zero-day vulnerability. The campaign used the SQL injection to run a wget
command to download malware that would install itself and perform a number of functions including: connect back to a C2 domain; ensure persistence on reboot; and exfiltrate usernames and hashed passwords for the local device admin(s), portal admins, and user accounts used for remote access. CVE-2020-12271 is confirmed to be exploited in the wild and poses an ongoing threat to organizations. This SQL injection vulnerability has been found in customized malware used to compromise physical and virtual XG devices. The vulnerable code exists in all supported versions of XG Firewall—since the hotfix was also made available to unsupported SFOS v16 and v16.5 devices, the vulnerability was introduced as early as SFOS v16.
Guidance
Sophos XG Firewall customers who have have disabled “Allow automatic installation of hotfixes”, please reference the following KBA for instructions on how to apply the required hotfix.
References
- https://www.sophos.com/en-us.aspx
- https://support.sophos.com/support/s/article/KB-000039388?language=en_US
- https://attackerkb.com/topics/CkJJPr77qk/cve-2020-12271-sophos-xg-firewall-pre-auth-sql-injection-vulnerability
- https://community.sophos.com/kb/en-us/135415
- https://codewhitesec.blogspot.com/2020/07/sophos-xg-tale-of-unfortunate-re.html
Report as Emergent Threat Response
Report as Exploited in the Wild
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
It looks like there’s a coordinated, active campaign as well (via https://twitter.com/GossiTheDog/status/1254733650509389825?s=20 — NOTE internet archive seems to have issues with tweet archiving; as we explore making better permalinks, we need to figure that out for Tweets).
sophosfirewallupdate.com
is a maldomain that has been identified in some XG log files.Update for new version scan results from Monday (04-27).
Over 65K nodes found on the internet giving up version #s.