Sophos SFOS SQL injection vulnerability fixed
Sophos Firewall

Sophos SFOS SQL injection vulnerability fixed

Patrizio - April 27, 2020

A security issue has been reported in the Sophos Firewall OS, which has been actively exploited. Sophos has already distributed the hotfix, however firewall administrators have to change all local passwords.

What happened?

Admittedly, it is a bit confusing for the normal user if a firewall, which should protect the IT infrastructure, is itself insecure. In fact, every device that runs software has security holes. Often these have simply not yet been found.

A zero-day vulnerability was reported to Sophos by a user at 20:29 on 22 April 2020. The attack had been running for 5 hours at that time. The user noticed it because it was visible in the Admin Portal. The report to Sophos about this vulnerability was made at 10pm when the first domains were blocked. At the same time the root cause was identified and work was being developed to find a solution. On 25 April 2020 at 07:00, 63 hours after the first attacks, a hotfix was distributed to all SFOS firewalls.

This security hole made it possible for attackers over the Internet to access all local user names with the password hashes. In the worst case, someone could have gained access to the firewall. However, the password hash had to be reconstructed first. This incident again shows that it is essential to use complex, long and secure passwords!

Who's affected?

All systems on which Sophos Firewall OS (SFOS) has been installed. These can be SG appliances, XG firewalls or VMs. These systems are compromised, but this does not mean that you have been hacked. The firewalls at risk were those that were accessible from the internet via the HTTPS Admin Service or the User Portal (see the screenshot below). If an admin has changed the default setting so that a firewall service such as SSL-VPN listens on the same port as the two portals, this firewall is also affected.

What needs to be done?

The Trojan named Asnarök exploited a previously unknown (zero-day) pre-Auth SQL injection vulnerability. Sophos recommends changing all local passwords on the firewall. This means the Admin password and all other passwords of users created on the firewall itself. Users that are loaded onto the firewall from e.g. an ActiveDirctory are not affected.

  1. change admin password (superadmin password of the firewall)
  2. restart the firewall
  3. change all other local passwords

For customers with a maintenance contract, we have already ensured that all necessary steps have been taken.

  • On the screenshot you can see which checkboxes should not be activated. This opens the access from the Internet to the firewall.
  • Below you can define manual rules, so that access to the firewall is only possible from one IP, which makes access much more secure.
  • At the bottom, you can see where the admin password has to be changed.


Sophos has rolled out the hotfix, which closes the exploit, via Autoupdate. The auto-update feature is enabled by default.

All firewalls with SFOS 17.x or higher have received the patch. If your firewall is still running with version 15 or 16, it is also affected and must be updated.

More information

Those of you who read our blog frequently will know that all we spend the whole day focusing on Sophos products, services and support. Although, as the saying goes, you should never bite the hand that feeds you, we try hard not to see everything through rose-coloured glasses. We always write what we think and that can of course be critical words. So without trying to make things pretty, as always an honest feedback:

Sophos has, in our view, provided very fast and transparent information here. Many other vendors often keep a very low profile and you never really know what's happening.

Sophos, on the other hand, informed the community within a very short time with a KB and blog post, and we, as a Sophos partner, also received an email on Sunday (even in 8 times). This means that the information was first published by the manufacturer itself and not by news sites, which is not the norm.

In the Knowledge Base you get all the information about what exactly happened and how to proceed. Here in the blog are only the most important information, which many should already be enough.

Send Your Feedback

Share your thoughts about this article, your private queries are always welcome and greatly appreciated.

Send Feedback
All information are confidential

On our blog we regularly publish articles on various topics related to Sophos. To make sure you don't miss any articles, you can subscribe to our newsletter, and once a month you will receive an email with a summary of all articles published in the last 30 days.

Knowledge base

Do you need help with a Sophos product? Then maybe our free knowledge base can help you. We try to document most support requests in an article so that we can help as many people as possible.