CVE-2020-12271: Sophos XG Firewall Pre-Auth SQL Injection Vulnerability
Description
A SQL injection issue was found in SFOS 17.0, 17.1, 17.5, and 18.0 before 2020-04-25 on Sophos XG Firewall devices, as exploited in the wild in April 2020. This affected devices configured with either the administration (HTTPS) service or the User Portal exposed on the WAN zone. A successful attack may have caused remote code execution that exfiltrated usernames and hashed passwords for the local device admin(s), portal admins, and user accounts used for remote access (but not external Active Directory or LDAP passwords).
Ratings
- Attacker Value: Very High
- Exploitability: Very High
Technical Analysis
Vulnerability Rating/Info
I based the value and exploitability off of the Sophos vulnerability details page: https://community.sophos.com/kb/en-us/135412 / https://web.archive.org/web/20200426003614/https://community.sophos.com/kb/en-us/135412
Sophos indicates attackers have been actively compromising these appliances at least as of April 22, 2020 when at least one customer noticed odd field values in their admin console.
Given that the SQL injection can happen pre-auth, and that both the user-facing and admin-facing interfaces are vulnerable, this is a pretty severe bug.
It appears to only provide access to usernames and hashed appliance passwords. Credential reuse is likely the culprit for at least the known successful post-SQLi compromise.
Exposure Analysis
We found over 72,000 exposed appliances. Many appear to be service provider/telecom/ISP provisioned and sitting on customer segments.
The top 20 countries (IP geolocation) make up ~80% of the exposure:
country | n (exposed appliances) | pct (of total exposure)
---|---|---
United States | 9126 | 12.54%
India | 7989 | 10.98%
Germany | 5433 | 7.47%
Japan | 4680 | 6.43%
Italy | 4338 | 5.96%
Australia | 4168 | 5.73%
Turkey | 3740 | 5.14%
Brazil | 3526 | 4.85%
France | 2567 | 3.53%
United Kingdom | 1822 | 2.50%
South Africa | 1779 | 2.44%
Canada | 1658 | 2.28%
Spain | 1644 | 2.26%
Malaysia | 1496 | 2.06%
Switzerland | 1261 | 1.73%
Colombia | 1124 | 1.54%
Thailand | 1087 | 1.49%
Netherlands | 932 | 1.28%
Taiwan | 681 | 0.94%
Portugal | 611 | 0.84%
There are 2 primary externally facing HTTP paths:
- Admin @ `https://{host|ip}:{port}/webconsole/webpages/login.jsp`
- User @ `https://{host|ip}:{port}/userportal/webpages/myaccount/login.jsp`
I crafted a quick hack study to just see if we could get version info and we can. Sophos does the daft thing Microsoft does for OWA and refers to HTML resources by the version/build (e.g.):
`<link rel="stylesheet" href="/themes/lite1/css/loginstylesheet.css?ver=17.5.9.577" type="text/css">`
I’ll be doing a more thorough path study this week but we got back ~12,500 unique (by IP) responses. Here’s the breakdown (TLDR there’s a decent bit of exposure as of Sunday).
[Figure: Sophos XG Appliance Version Distribution. ~65,000 appliances provided version details; only ~25% appear to be patched as of 2020-04-27. Horizontal bar chart; x-axis: # Sophos Appliances (0 to 15,000); y-axis: SFOS build strings from 5.01.0.376 through 18.0.1.368, with the largest bars at the 17.5.x builds. Source: Rapid7 Project Sonar April 2020 HTTPS Studies.]
As of 2020-04-28 ~25% appliances do not leave the “auto-update hotfix” setting on.
Our blog on it: https://blog.rapid7.com/2020/04/27/cve-2020-12271-sophos-xg-firewall-pre-auth-sql-injection-vulnerability-remediation-guidance-and-exposure-overview/ | https://web.archive.org/web/20200428094002/https://blog.rapid7.com/2020/04/27/cve-2020-12271-sophos-xg-firewall-pre-auth-sql-injection-vulnerability-remediation-guidance-and-exposure-overview/
Ratings
- Attacker Value: Very High
Technical Analysis
The Sophos subreddit reveals some insight on why these firewalls were listening on their WAN ports in the first place. In addition to the admin interface, there’s a ‘user portal’ you can enable, and even that may not be required for exploitation, at least anecdotally:
https://www.reddit.com/r/sophos/comments/g7x3n9/xg_firewall_vulnerability_notification_action/
https://www.reddit.com/r/sophos/comments/g7tax1/sophos_xg_sql_injection_attack_kb135412_released/
Kind of a smart (and annoying for security analysis :) move for Sophos is that they made getting the old software near impossible as soon as they found out about the problem. Contrast with Citrix, which left vulnerable versions of Netscaler up in AWS and other locations available for download long after mass-exploitation had started. Handy for research, but a lot of folks also continued to be popped long after the info was public.
Exploited in the Wild
- Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
- News Article or Blog (https://codewhitesec.blogspot.com/2020/07/sophos-xg-tale-of-unfortunate-re.html)
- Other: Tenable Exploited In The Wild Analysis (https://www.tenable.com/blog/cve-2020-12271-zero-day-sql-injection-vulnerability-in-sophos-xg-firewall-exploited-in-the-wild)
Technical Analysis
Description
On April 25, 2020, Sophos published a blog post on CVE-2020-12271, a pre-authentication SQL injection zero-day vulnerability that leads to remote code execution in Sophos XG Firewalls. Systems configured with either the administration interface (HTTPS admin service) or the user portal exposed on the WAN zone are affected. CVE-2020-12271 carries a CVSSv3 base score of 10.
Code White Security has released a detailed article on the reverse engineering efforts that went into analyzing the attack. Rapid7 researchers have observed many vulnerable instances of XG Firewall that are exposed to the public internet, in the following report, despite the patch being available; we recommend organizations take immediate action in light of previous exploitation.
Affected products
The following major versions of Sophos XG Firewall are affected:
- 17.0
- 17.1
- 17.5
- 18.0
The following versions of Sophos XG Firewall have the hotfix applied:
- Sophos XG Firewall 17.0.10.240
- Sophos XG Firewall 17.1.4.254
- Sophos XG Firewall 17.5.11.661
- Sophos XG Firewall 18.0.0.379
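As an added example (not AttackerKB's, Sophos's or Rapid7's code), the following Python turns the build stamp the login page appends to its CSS link (the `?ver=` parameter noted in the exposure analysis above) and the hotfixed builds listed here into an inventory check a defender can run over saved login-page responses from their own appliances. The HTML sample is constructed, and branches not in the list above (e.g. SFOS v16) are reported as unknown rather than judged.

```python
import re
from typing import Dict, Optional, Tuple

# Hotfixed builds per branch, as listed on this page (branch = first two components).
HOTFIXED: Dict[Tuple[int, int], Tuple[int, ...]] = {
    (17, 0): (17, 0, 10, 240),
    (17, 1): (17, 1, 4, 254),
    (17, 5): (17, 5, 11, 661),
    (18, 0): (18, 0, 0, 379),
}

# The login page tags static resources with the build, e.g.
#   /themes/lite1/css/loginstylesheet.css?ver=17.5.9.577
VER_RE = re.compile(r"[?&]ver=(\d+(?:\.\d+){1,3})\b")

# Constructed sample of a login-page fragment (not a captured response).
SAMPLE_LOGIN_HTML = """<html><head>
<link rel="stylesheet" href="/themes/lite1/css/loginstylesheet.css?ver=17.5.9.577" type="text/css">
</head><body>login</body></html>"""


def extract_version(html: str) -> Optional[str]:
    """Return the first ?ver= build stamp found in the HTML, or None."""
    m = VER_RE.search(html)
    return m.group(1) if m else None


def parse_version(ver: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in ver.split("."))


def assess(ver: str) -> str:
    """Classify a build as 'hotfixed', 'vulnerable' or 'unknown-branch'."""
    parts = parse_version(ver)
    fixed = HOTFIXED.get(parts[:2])
    if fixed is None:
        # Branch not covered by the table above (e.g. SFOS 16.x): verify manually.
        return "unknown-branch"
    return "hotfixed" if parts >= fixed else "vulnerable"


def triage(pages: Dict[str, str]) -> Dict[str, str]:
    """Map each appliance label to its status given the HTML of its login page."""
    result: Dict[str, str] = {}
    for host, html in pages.items():
        ver = extract_version(html)
        result[host] = assess(ver) if ver else "no-version-exposed"
    return result


if __name__ == "__main__":
    print(triage({"fw-example-1": SAMPLE_LOGIN_HTML, "fw-example-2": "<html></html>"}))
```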
Rapid7 analysis
On April 22, 2020 a suspicious field value in an XG Firewall management interface was reported to Sophos. This led to the discovery of a campaign leveraging CVE-2020-12271, a new zero-day vulnerability. The campaign used the SQL injection to run a wget command to download malware that would install itself and perform a number of functions including: connect back to a C2 domain; ensure persistence on reboot; and exfiltrate usernames and hashed passwords for the local device admin(s), portal admins, and user accounts used for remote access. CVE-2020-12271 is confirmed to be exploited in the wild and poses an ongoing threat to organizations. This SQL injection vulnerability has been found in customized malware used to compromise physical and virtual XG devices. The vulnerable code exists in all supported versions of XG Firewall—since the hotfix was also made available to unsupported SFOS v16 and v16.5 devices, the vulnerability was introduced as early as SFOS v16.
Guidance
Sophos XG Firewall customers who have disabled “Allow automatic installation of hotfixes” should reference the following KBA for instructions on how to apply the required hotfix.
References
- https://www.sophos.com/en-us.aspx
- https://support.sophos.com/support/s/article/KB-000039388?language=en_US
- https://attackerkb.com/topics/CkJJPr77qk/cve-2020-12271-sophos-xg-firewall-pre-auth-sql-injection-vulnerability
- https://community.sophos.com/kb/en-us/135415
- https://codewhitesec.blogspot.com/2020/07/sophos-xg-tale-of-unfortunate-re.html
It looks like there’s a coordinated, active campaign as well (via https://twitter.com/GossiTheDog/status/1254733650509389825?s=20 — NOTE internet archive seems to have issues with tweet archiving; as we explore making better permalinks, we need to figure that out for Tweets).
sophosfirewallupdate.com is a maldomain that has been identified in some XG log files.

Update for new version scan results from Monday (04-27): over 65K nodes found on the internet giving up version #s.