Attacker Value
Very High
(2 users assessed)
Exploitability
Very High
(2 users assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
4

CVE-2020-12271: Sophos XG Firewall Pre-Auth SQL Injection Vulnerability

Disclosure Date: April 27, 2020
Exploited in the Wild
Reported by AttackerKB Worker
View Source Details
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

A SQL injection issue was found in SFOS 17.0, 17.1, 17.5, and 18.0 before 2020-04-25 on Sophos XG Firewall devices, as exploited in the wild in April 2020. This affected devices configured with either the administration (HTTPS) service or the User Portal exposed on the WAN zone. A successful attack may have caused remote code execution that exfiltrated usernames and hashed passwords for the local device admin(s), portal admins, and user accounts used for remote access (but not external Active Directory or LDAP passwords)

Add Assessment

3
Ratings
Technical Analysis

The sophos subreddit reveals some insight on why these firewalls were listening on their WAN ports in the first place. In addition the the admin interface, there’s a ‘user portal’ you can enabled, and even that may not be required for exploitation at least anecdotally:

https://www.reddit.com/r/sophos/comments/g7x3n9/xg_firewall_vulnerability_notification_action/
https://www.reddit.com/r/sophos/comments/g7tax1/sophos_xg_sql_injection_attack_kb135412_released/

Kind of a smart (and annoying for security analysis :) move for Sophos is they made getting the old software near impossible as soon as they found out about the problem. Contrast with Citrix, which left vulnerable versions of Netscaler up in AWS and other locations available for download long after mass-exploitation had started. Handy for research, but a lot of folks also continued to be popped long after the info was public

CVSS V3 Severity and Metrics
Base Score:
9.8 Critical
Impact Score:
5.9
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Exploited in the Wild

Reported by:
Reported: September 25, 2020 8:39pm UTC (6 months ago)

Additional Info

Technical Analysis

Description

On April 25, 2020, Sophos published a blog post on, CVE-2020-12271, a pre-authentication SQL injection zero-day vulnerability that leads to remote code execution in Sophos XG Firewalls. Systems configured with either the administration interface (HTTPS admin service) or the user portal exposed on the WAN zone are affected. CVE-2020-12271 carries a CVSSv3 base score of 10.

Code White Security has released a detailed article on the reverse engineering efforts that went into analyzing the attack. Rapid7 researchers have observed many vulnerable instances of XG Firewall that are exposed to the public internet, in the following report, despite the patch being available; we recommend organizations take immediate action in light of previous exploitation.

Affected products

The following major versions of Sophos XG Firewall are affected:

  • 17.0 17.1 17.5 18.0
    The following versions of Sophos XG Firewall have the hotfix applied:
  • Sophos XG Firewall 17.0.10.240 17.1.4.254 17.5.11.661 18.0.0.379

Rapid7 analysis

On April 22, 2020 a suspicious field value in an XG Firewall management interface was reported to Sophos. This led to the discovery of a campaign leveraging CVE-2020-12271, a new zero-day vulnerability. The campaign used the SQL injection to run a wget command to download malware that would install itself and perform a number of functions including: connect back to a C2 domain; ensure persistence on reboot; and exfiltrate usernames and hashed passwords for the local device admin(s), portal admins, and user accounts used for remote access. CVE-2020-12271 is confirmed to be exploited in the wild and poses an ongoing threat to organizations. This SQL injection vulnerability has been found in customized malware used to compromise physical and virtual XG devices. The vulnerable code exists in all supported versions of XG Firewall—since the hotfix was also made available to unsupported SFOS v16 and v16.5 devices, the vulnerability was introduced as early as SFOS v16.

Guidance

Sophos XG Firewall customers who have have disabled “Allow automatic installation of hotfixes”, please reference the following KBA for instructions on how to apply the required hotfix.

References