A security issue in Sophos Firewall OS has been reported and has been actively exploited. Sophos has already distributed the hotfix, but firewall administrators still have to change all local passwords.
Admittedly, it is a bit confusing for the normal user when a firewall, which is supposed to protect the IT infrastructure, is itself insecure. In fact, every device that runs software has security holes; often they simply have not been found yet.
A zero-day vulnerability was reported to Sophos by a user at 20:29 on 22 April 2020. At that time the attack had already been running for 5 hours. The user noticed it because it was visible in the Admin Portal. The report to Sophos about this vulnerability was made at 10pm, when the first domains were blocked. At the same time the root cause was identified and work on a fix began. On 25 April 2020 at 07:00, 63 hours after the first attacks, a hotfix was distributed to all SFOS firewalls.
This vulnerability made it possible for attackers on the Internet to read all local user names together with their password hashes. In the worst case, someone could have gained access to the firewall; to do so, however, the password would first have had to be recovered from its hash. This incident shows once again that complex, long and secure passwords are essential!
Affected are all systems on which Sophos Firewall OS (SFOS) is installed, whether SG appliances, XG firewalls or VMs. These systems are vulnerable, but that does not mean that they have actually been hacked. The firewalls at risk were those whose HTTPS Admin Service or User Portal was reachable from the Internet (see the screenshot below). If an admin has changed the default setting so that a firewall service such as SSL VPN listens on the same port as those two portals, that firewall is also affected.
What needs to be done?
The Trojan named Asnarök exploited a previously unknown (zero-day) pre-auth SQL injection vulnerability. Sophos recommends changing all local passwords on the firewall. This means the admin password and the passwords of all other users created on the firewall itself. Users that are loaded onto the firewall from e.g. an Active Directory are not affected.
- Change the admin password (the firewall's superadmin password)
- Restart the firewall
- Change all other local passwords
For customers with a maintenance contract, we have already ensured that all necessary steps have been taken.
- On the screenshot you can see which checkboxes should not be activated, because activating them opens access to the firewall from the Internet.
- Below that you can define manual rules so that access to the firewall is only possible from a single IP address, which makes access much more secure.
- At the bottom you can see where the admin password is changed.
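The exposure check behind these recommendations (which portals are reachable from any Internet address, and the port-sharing case mentioned above, where SSL VPN on a portal's port exposes that portal) can be modelled as a small audit over device-access rules. This is an added example with a constructed rule model and constructed IPs and ports, not Sophos's configuration format or code from the original post.

```python
"""Audit a constructed model of firewall device-access rules for Internet exposure.
Zones, services and ports are assumptions modelled on the post, not SFOS's real format."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRule:
    zone: str      # zone the request arrives on, e.g. "WAN" or "LAN"
    source: str    # permitted source network in CIDR notation
    service: str   # management service this rule permits


def service_allowed(rules, zone, src_ip, service):
    """True if any rule permits `service` for a request from `src_ip` on `zone`."""
    ip = ipaddress.ip_address(src_ip)
    return any(r.zone == zone and r.service == service
               and ip in ipaddress.ip_network(r.source) for r in rules)


def exposed_services(rules, ports):
    """Return the services reachable on WAN from *any* Internet address.

    A service whose listening port equals that of an exposed service is reported
    as exposed too: the traffic reaches the same port regardless of the rule's name.
    """
    directly = {r.service for r in rules
                if r.zone == "WAN" and ipaddress.ip_network(r.source).prefixlen == 0}
    open_ports = {ports[s] for s in directly}
    return {s for s, p in ports.items() if p in open_ports}


# Constructed listening ports; the second table mirrors the post's "SSL VPN on the
# same port as the portals" case.
PORTS_DEFAULT = {"HTTPS Admin": 4444, "User Portal": 443, "SSL VPN": 8443}
PORTS_SHARED = {"HTTPS Admin": 4444, "User Portal": 443, "SSL VPN": 443}

# Weak: both portals ticked for WAN, i.e. open to the whole Internet.
WEAK = [AccessRule("WAN", "0.0.0.0/0", "HTTPS Admin"),
        AccessRule("WAN", "0.0.0.0/0", "User Portal"),
        AccessRule("LAN", "192.168.1.0/24", "HTTPS Admin")]

# Hardened: WAN admin access only from one constructed management IP.
HARDENED = [AccessRule("WAN", "203.0.113.7/32", "HTTPS Admin"),
            AccessRule("LAN", "192.168.1.0/24", "HTTPS Admin"),
            AccessRule("LAN", "192.168.1.0/24", "User Portal")]

# Only SSL VPN is opened to WAN; exposure depends on which port it listens on.
VPN_ONLY = [AccessRule("WAN", "0.0.0.0/0", "SSL VPN")]

if __name__ == "__main__":
    print("weak:", sorted(exposed_services(WEAK, PORTS_DEFAULT)))
    print("hardened:", sorted(exposed_services(HARDENED, PORTS_DEFAULT)))
    print("vpn, shared port:", sorted(exposed_services(VPN_ONLY, PORTS_SHARED)))
```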
Sophos has rolled out the hotfix, which closes the vulnerability, via Autoupdate. The auto-update feature is enabled by default.
All firewalls with SFOS 17.x or higher have received the patch. If your firewall is still running with version 15 or 16, it is also affected and must be updated.
Those of you who read our blog frequently will know that we spend the whole day focusing on Sophos products, services and support. Although, as the saying goes, you should never bite the hand that feeds you, we try hard not to see everything through rose-coloured glasses. We always write what we think, and that can of course include critical words. So, without trying to make things look pretty, here is, as always, our honest feedback:
Sophos has, in our view, provided very fast and transparent information here. Many other vendors often keep a very low profile and you never really know what's happening.
Sophos, on the other hand, informed the community within a very short time with a KB article and a blog post, and we, as a Sophos partner, also received an email on Sunday (eight times, in fact). This means that the information was first published by the manufacturer itself and not by news sites, which is not the norm.
The Knowledge Base has all the information about what exactly happened and how to proceed. This blog post contains only the most important points, which should already be enough for many readers.