Sophos Endpoint. Sophos Intercept X is the world’s best endpoint security, combining ransomware protection, deep learning malware detection, exploit prevention, EDR, and more – all in a single solution. Sophos于2020年4月22日收到一份报告,该报告内容提及XG防火墙管理界面中发现可疑的记录。该事件被确定为针对Sophos XG Firewall(包含Virtual XG Firewall) 的SQL注入攻击。. 24 votes, 41 comments. 3.4k members in the sophos community. For all things Sophos related. Announcements, discussions, feedback, questions, and more! 2020年4月25日,Sophos发布了知识库文章(KBA) 135412,警告存在一个预认证SQL注入(SQLi)漏洞,该漏洞会影响XG防火墙产品线。 根据Sophos的说法,这个 漏洞 至少从2020年4月22日起就被 利用 了。.
From Used Printing Machines comes this rare large format eight color KBA coater press for a fair price. Should sell quickly, please call if you have interest.
- 40 x 55 inch eight-color format
- Dedicated tower coater with extended delivery
- Harris & Bruno Anilox coating system with chambered doctor blade
- Densitronic basic
- Non-stop feeder & delivery
- Steel plate in feeder
- FAPC: fully-automatic plate change
- Alcolor Vario dampening
- Automatic impression cylinder wash
- Technotrans Beta C
- Ink temperature control
- Eltosch UV
- IR dryer with hot-air knives
- Weko AP262 Powder spray
- Approximately 165mm impressions
Fixing SQL injection vulnerability and malicious code execution in XG Firewall/SFOS
Note: The attack for this vulnerability was possible ONLY if the affected systems were configured with *either* the administration (HTTPS service) or the User Portal exposed on the WAN zone.
We recommend VPNs are used to access the unit for users and either VPNs or Sophos Central for administrative management. See: KB Article https://community.sophos.com/kb/en-us/135414
The Attack Details
The attack used a previously unknown SQL injection vulnerability to gain access to exposed XG devices. It was designed to download payloads intended to exfiltrate XG Firewall-resident data. The data for any specific firewall depends upon the specific configuration and may include usernames and hashed passwords for the local device admin(s), portal admins, and user accounts used for remote access. Passwords associated with external authentication systems such as AD or LDAP are unaffected. At this time, there is no indication that the attack accessed anything on the local networks behind any impacted XG Firewall.
There are two scenarios here:
Scenario 1 (Uncompromised)
A hotfix was automatically applied to the firewall from Sophos
Note!: If you have disabled “Allow automatic installation of hotfixes”, please reference the following KBA for instructions on how to apply the required hotfix: https://community.sophos.com/kb/en-us/135415
Actions Required for Scenario 1 (Uncompromised) – if Hotfix was applied, no further action (other than upgrading to the latest firmware which is always recommend)
Scenario 2 (Compromised)
Kba 135412
Hotfix applied and successfully remediated a compromised firewall
Note: If you have disabled “Allow automatic installation of hotfixes”, please reference the following KBA for instructions on how to apply the required hotfix: https://community.sophos.com/kb/en-us/135415
Sophos Kba 135412
Actions Required for Scenario 2 (Compromised) For compromised XG Firewall devices that have received the hotfix, we strongly recommend the following additional steps to fully remediate the issue:
- Reset portal administrator and device administrator accounts
- Reboot the XG device(s)
- Reset passwords for all local user accounts
- Although the passwords were hashed, it is recommended that passwords are reset for any accounts where the XG credentials might have been reused
Note: While customers should always conduct their own internal investigation, at this point Sophos is not aware of any subsequent remote access attempts to impacted XG devices using the stolen credentials.
What firmware versions of XG Firewall (SFOS) were impacted?
The vulnerability affected all versions of XG Firewall firmware on both physical and virtual firewalls. All supported versions of the XG Firewall firmware / SFOS received the hotfix (SFOS 17.1, 17.5, 18.0). Customers using older versions of SFOS can protect themselves by upgrading to a supported version immediately.
Full Sophos KB 135412 is HERE