AttackerKB AKB:75221F03-CFA1-478E-9777-568E523E3272
History: Apr 27, 2020 - 12:00 a.m.

CVE-2020-12271: Sophos XG Firewall Pre-Auth SQL Injection Vulnerability

2020-04-27 00:00:00, attackerkb.com

CVSS v3.1: 9.8 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2: 7.5 High
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL
  Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.975 High (percentile 100.0%)

A SQL injection issue was found in SFOS 17.0, 17.1, 17.5, and 18.0 before 2020-04-25 on Sophos XG Firewall devices, as exploited in the wild in April 2020. This affected devices configured with either the administration (HTTPS) service or the User Portal exposed on the WAN zone. A successful attack may have caused remote code execution that exfiltrated usernames and hashed passwords for the local device admin(s), portal admins, and user accounts used for remote access (but not external Active Directory or LDAP passwords).

Recent assessments:

hrbrmstr at April 27, 2020 12:34pm UTC reported:

Vulnerability Rating/Info

I based the value and exploitability off of the Sophos vulnerability details page: <https://community.sophos.com/kb/en-us/135412> / <https://web.archive.org/web/20200426003614/https://community.sophos.com/kb/en-us/135412>

Sophos indicates attackers have been actively compromising these appliances at least as of April 22, 2020 when at least one customer noticed odd field values in their admin console.

Given that the SQL injection can happen pre-auth, and that both the user-facing and admin-facing interfaces are vulnerable, this is a pretty severe bug.

It appears to only provide access to usernames and hashed appliance passwords. Credential reuse is likely the culprit for at least the known successful post-SQLi compromise.

Exposure Analysis

We found over 72,000 exposed appliances. Many appear to be service provider/telecom/ISP provisioned and sitting on customer segments.

The top 20 countries (IP geolocation) make up ~80% of the exposure:

Country           n      pct
United States     9126   12.54%
India             7989   10.98%
Germany           5433    7.47%
Japan             4680    6.43%
Italy             4338    5.96%
Australia         4168    5.73%
Turkey            3740    5.14%
Brazil            3526    4.85%
France            2567    3.53%
United Kingdom    1822    2.50%
South Africa      1779    2.44%
Canada            1658    2.28%
Spain             1644    2.26%
Malaysia          1496    2.06%
Switzerland       1261    1.73%
Colombia          1124    1.54%
Thailand          1087    1.49%
Netherlands        932    1.28%
Taiwan             681    0.94%
Portugal           611    0.84%

There are 2 primary externally facing HTTP paths:

  • Admin @ https://{host|ip}:{port}/webconsole/webpages/login.jsp

  • User @ https://{host|ip}:{port}/userportal/webpages/myaccount/login.jsp

I crafted a quick hack study to just see if we could get version info and we can. Sophos does the daft thing Microsoft does for OWA and refers to HTML resources by the version/build (e.g.):

<link rel="stylesheet"
      href="/themes/lite1/css/loginstylesheet.css?ver=17.5.9.577"
      type="text/css">

I’ll be doing a more thorough path study this week but we got back ~12,500 unique (by IP) responses. Here’s the breakdown (TLDR there’s a decent bit of exposure as of Sunday).

Sophos XG Appliance Version Distribution
~65,000 appliances provided version details; only ~25% appear to be patched as of 2020-04-27.
(x-axis: # Sophos Appliances)
           0~                  5,000                10,000                15,000
5.01.0.376  x                     ~                     ~                     ~ 
5.01.0.407  x                     ~                     ~                     ~ 
5.01.0.418  x                     ~                     ~                     ~ 
5.01.0.447  x                     ~                     ~                     ~ 
6.01.0.190  x                     ~                     ~                     ~ 
6.01.1.202  xx                    ~                     ~                     ~ 
6.01.2.222  x                     ~                     ~                     ~ 
6.01.3.265  x                     ~                     ~                     ~ 
6.01.4.342  x                     ~                     ~                     ~ 
6.05.0.098  x                     ~                     ~                     ~ 
6.05.0.117  x                     ~                     ~                     ~ 
6.05.1.139  x                     ~                     ~                     ~ 
6.05.2.160  xx                    ~                     ~                     ~ 
6.05.3.183  x                     ~                     ~                     ~ 
6.05.5.233  xx                    ~                     ~                     ~ 
6.05.6.266  xx                    ~                     ~                     ~ 
6.05.7.305  xx                    ~                     ~                     ~ 
6.05.8.320  x                     ~                     ~                     ~ 
 17.0.0.32  x                     ~                     ~                     ~ 
 17.0.0.80  x                     ~                     ~                     ~ 
 17.0.1.98  x                     ~                     ~                     ~ 
17.0.2.116  xx                    ~                     ~                     ~ 
17.0.3.131  x                     ~                     ~                     ~ 
17.0.5.162  xx                    ~                     ~                     ~ 
17.0.6.181  xxxxx                 ~                     ~                     ~ 
17.0.7.191  xxxx                  ~                     ~                     ~ 
17.0.8.209  x                     ~                     ~                     ~ 
17.0.9.217  x                     ~                     ~                     ~ 
17.1.0.152  x                     ~                     ~                     ~ 
17.1.1.175  xx                    ~                     ~                     ~ 
17.1.2.225  xxxx                  ~                     ~                     ~ 
17.1.3.250  xxxxx                 ~                     ~                     ~ 
17.5.0.310  x                     ~                     ~                     ~ 
17.5.0.321  xxx                   ~                     ~                     ~ 
17.5.1.347  xxx                   ~                     ~                     ~ 
17.5.2.381  xxxxxxxxxxxxxxxxxxxxxxxxxx                  ~                     ~ 
17.5.3.372  x                     ~                     ~                     ~ 
17.5.4.429  xxxxxx                ~                     ~                     ~ 
17.5.5.433  xxxxxxxxx             ~                     ~                     ~ 
17.5.6.488  xxxxxx                ~                     ~                     ~ 
17.5.7.511  xxxxxxxxxxxxxxxxxxxxxxxxx                   ~                     ~ 
17.5.8.539  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx    ~ 
7.5.10.620  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx                   ~ 
7.5.11.661  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx    ~ 
18.0.0.102  x                     ~                     ~                     ~ 
18.0.0.113  x                     ~                     ~                     ~ 
18.0.0.180  x                     ~                     ~                     ~ 
18.0.0.285  x                     ~                     ~                     ~ 
18.0.0.321  xx                    ~                     ~                     ~ 
18.0.0.339  xxxxxx                ~                     ~                     ~ 
18.0.0.354  xx                    ~                     ~                     ~ 
18.0.1.368  x                     ~                     ~                     ~ 
            ~            Source: Rapid7 Project Sonar April 2020 HTTPS Studies~ 

As of 2020-04-28, ~25% of appliances do not leave the “auto-update hotfix” setting on.

Our blog on it: <https://blog.rapid7.com/2020/04/27/cve-2020-12271-sophos-xg-firewall-pre-auth-sql-injection-vulnerability-remediation-guidance-and-exposure-overview/> | <https://web.archive.org/web/20200428094002/https://blog.rapid7.com/2020/04/27/cve-2020-12271-sophos-xg-firewall-pre-auth-sql-injection-vulnerability-remediation-guidance-and-exposure-overview/>
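An added inventory check, not part of the assessment above or of any Rapid7 or Sophos tooling: it pulls the build string from the `?ver=` stylesheet link the assessment quotes and maps it onto the SFOS branches named in the CVE description. The HTML fragment is constructed, and the `SAMPLE_LOGIN_HTML`, `extract_sfos_version`, `branch_of` and `assess` names are assumptions of this example.

```python
import re
from typing import Optional

# Constructed sample of a login page fragment, modelled on the
# <link rel="stylesheet" ... ?ver=...> pattern quoted in the assessment.
SAMPLE_LOGIN_HTML = """<html><head>
<link rel="stylesheet"
      href="/themes/lite1/css/loginstylesheet.css?ver=17.5.9.577"
      type="text/css">
</head><body>login</body></html>"""

# Branches the CVE-2020-12271 description lists as affected
# (SFOS 17.0, 17.1, 17.5 and 18.0 before the 2020-04-25 hotfix).
AFFECTED_BRANCHES = ("17.0", "17.1", "17.5", "18.0")

# Matches the build string inside a resource link such as
# href="/themes/.../loginstylesheet.css?ver=17.5.9.577"
VER_RE = re.compile(r'href="[^"]*\?ver=([0-9][0-9.]*)"')


def extract_sfos_version(html: str) -> Optional[str]:
    """Return the build string from the first ?ver= resource link, or None."""
    m = VER_RE.search(html)
    return m.group(1) if m else None


def branch_of(version: str) -> str:
    """'17.5.9.577' -> '17.5' (major.minor, the granularity the advisory uses)."""
    return ".".join(version.split(".")[:2])


def assess(version: Optional[str]) -> str:
    """Triage label for an appliance in your own inventory.

    The fix shipped as a hotfix rather than a new build number, so a version
    string can only place a device on an affected branch; whether the hotfix
    is applied has to be confirmed on the appliance itself.
    """
    if version is None:
        return "unknown"          # no ?ver= link: fingerprint failed
    if branch_of(version) in AFFECTED_BRANCHES:
        return "affected-branch"  # confirm hotfix / auto-update setting
    return "other-branch"         # not named in the advisory; review separately
```

Feed it the HTML of your own appliances' login pages; "affected-branch" is a prompt to verify the hotfix and the auto-update setting, not a verdict that the device is unpatched.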

busterb at April 29, 2020 1:24pm UTC reported:

Assessed Attacker Value: 5