Sophos Releases Emergency Patch for XG enterprise firewall product to Fix SQL Injection


Sophos has released an emergency patch to repair a widely exploited SQL injection bug affecting its XG Firewall software.

On Saturday, cyber-security company Sophos released an emergency security update to fix a zero-day vulnerability in its XG enterprise firewall software that hackers had been exploiting in the wild.

Sophos said it first heard of the zero-day late on Wednesday, April 22, after receiving a message from one of its clients. The customer reported seeing “a suspicious field value visible in the management interface.” After reviewing the report, Sophos concluded that this was an active attack and not a defect in its product.

“The attack used a previously unknown SQL injection vulnerability to gain access to exposed XG devices,” Sophos said in a security advisory today.

Hackers attacked Sophos XG Firewall devices whose administration interface (HTTPS service) or user portal control panel was exposed on the internet.

Sophos said the hackers used the SQL injection vulnerability to download a payload onto the firewall. The payload then stole files from the XG Firewall.

The data stolen could include usernames and hashed passwords for firewall system administrators, firewall portal administrators, and user accounts used for remote system access.
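The article does not describe the vulnerable code, so the following is a generic added illustration, not Sophos code and not the actual XG bug: a user lookup that splices untrusted input into the SQL text (the class of defect described above) beside the same lookup using a bound parameter, run against a constructed in-memory table of usernames and password hashes. The table, the hash strings and the helper names are all assumptions made for this example.

```python
import re
import sqlite3

# Constructed sample user store standing in for a portal's local accounts (not Sophos data).
SAMPLE_USERS = [
    ("admin", "$6$constructed$hash-for-admin"),
    ("alice", "$6$constructed$hash-for-alice"),
]


def _connect():
    """Build a throwaway in-memory database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """Defective pattern: the input becomes part of the SQL text, so it can change
    the query's structure instead of just supplying a value."""
    sql = "SELECT name, pw_hash FROM users WHERE name = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Hardened pattern: the driver sends the value separately from the statement,
    so the input is only ever compared against the name column."""
    return conn.execute(
        "SELECT name, pw_hash FROM users WHERE name = ?", (username,)
    ).fetchall()


# Defence in depth: an allowlist for the field, independent of how the query is built.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def is_valid_username(username):
    """Reject anything that is not a plain account name before it reaches the database."""
    return USERNAME_RE.fullmatch(username) is not None


def demo():
    """Run both lookups with the same malformed field value and return what each exposes."""
    conn = _connect()
    crafted = "x' OR '1'='1"  # constructed: a value that is not a username at all
    return {
        "input_accepted_by_allowlist": is_valid_username(crafted),
        "vulnerable": lookup_vulnerable(conn, crafted),
        "parameterized": lookup_parameterized(conn, crafted),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

With the concatenated query, the malformed value rewrites the WHERE clause and the lookup returns every row, password hashes included; with the bound parameter the same value matches nothing, and the allowlist rejects it before any query runs.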

Sophos said passwords for other external authentication schemes for customers, such as AD or LDAP, were unaffected.

The company said no evidence was found during its investigation that hackers used the stolen passwords to access XG Firewall apps, or anything outside the firewall, on internal networks of their customers.

The UK company, famous for its antivirus software, said it had already prepared and pushed an automatic update to patch all XG firewalls that have allowed the auto-update feature.

“This hotfix eliminated the SQL injection vulnerability which prevented further exploitation, stopped the XG Firewall from accessing any attacker infrastructure, and cleaned up any remnants from the attack,” it said.

The security update also adds a box to the XG Firewall control panel that lets system owners know whether their system was compromised.

For organizations whose devices were compromised, Sophos suggests a series of steps that include password resets and system reboots:

  • Restore portal administrator and server administrator accounts
  • Reboot XG device(s)
  • Restore passwords for all local user accounts
  • Although the stolen passwords were hashed, reset the password of any other account where the XG credentials may have been reused.

Instructions to deactivate the WAN interface control panel can be found here.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.