

Critical vulnerability discovered in Sophos UTMs and how to patch it.
Sophos yesterday announced the discovery of a critical vulnerability in Sophos XG UTMs (XG Firewall). The flaw is an SQL injection: an attacker who exploits it can read usernames and hashed passwords, and then use them to log in to the firewall with administrator privileges. Sophos immediately issued a hotfix to fix the vulnerability.
Sophos has fixed a zero-day SQL injection vulnerability in their XG Firewall after receiving reports that hackers actively exploited it in attacks.
Sophos states that they received a report on April 22nd that there was a suspicious field value being displayed in a customer’s Sophos XG Firewall management interface and began an investigation.
“Sophos received a report on April 22, 2020, at 20:29 UTC regarding an XG Firewall with a suspicious field value visible in the management interface. Sophos commenced an investigation and the incident was determined to be an attack against physical and virtual XG Firewall units. The attack affected systems configured with either the administration (HTTPS service) or the User Portal exposed on the WAN zone,” Sophos warned
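The advisory gives no details of the injectable field, so the following is an added illustration (not Sophos's code or the XG Firewall's schema) of the class of bug described above: a management-interface lookup that splices a field value into SQL, the same lookup with a bound parameter, and a constructed payload that turns the vulnerable version into a dump of usernames and password hashes. The table, its contents, the payload and the "suspicious value" heuristic are all assumptions made for the example.

```python
import hashlib
import re
import sqlite3

# Constructed sample credential store: usernames plus hashed passwords,
# standing in for the data the advisory says was reachable. Not the real schema.
def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            ("admin", hashlib.sha256(b"sample-admin-pw").hexdigest(), "administrator"),
            ("alice", hashlib.sha256(b"sample-user-pw").hexdigest(), "user"),
        ],
    )
    return conn


def lookup_vulnerable(conn, field_value):
    """Builds the query by string concatenation, so whatever is in the field
    is parsed as SQL. Deliberately vulnerable, for illustration only."""
    sql = (
        "SELECT username, role FROM users WHERE username = '"
        + field_value
        + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn, field_value):
    """Same lookup with a bound parameter: the field value is data, never SQL."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (field_value,)).fetchall()


# Constructed payload: closes the string literal, UNIONs the hash column into
# the result set, and comments out the trailing quote the code appends.
DUMP_PAYLOAD = "' UNION SELECT username, password_hash FROM users -- "

# Assumed heuristic (not Sophos's check): a stored field value containing
# SQL quote, comment or keyword fragments deserves a closer look.
_SUSPICIOUS = re.compile(r"'|--|\bUNION\b|\bSELECT\b", re.IGNORECASE)


def looks_like_injection(field_value):
    return bool(_SUSPICIOUS.search(field_value))


if __name__ == "__main__":
    db = build_sample_db()
    print("vulnerable:", lookup_vulnerable(db, DUMP_PAYLOAD))
    print("safe:      ", lookup_safe(db, DUMP_PAYLOAD))
    print("flagged:   ", looks_like_injection(DUMP_PAYLOAD))
```

Against the vulnerable lookup the payload returns every username paired with its password hash; the parameterised lookup returns nothing, because no account is literally named after the payload string. The hashes still have to be cracked before they grant a login, which is why the remediation below insists on resetting passwords even though they were hashed.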
How to tell if your Sophos XG Firewall was compromised
To help customers determine if their XG Firewall has been compromised, the hotfix will display an alert on the XG management interface stating whether your device was compromised or not.
On devices that were not compromised, the hotfix displays the alert “Hotfix applied for SQL Injection. Your device was NOT compromised.”

On firewalls that were compromised through the vulnerability, the management interface displays the warning “Hotfix applied for SQL injection and partially cleaned.”

For devices that were compromised, Sophos also recommends performing the following additional steps to make sure the firewall is secured:
1. Reset portal administrator and device administrator accounts
2. Reboot the XG device
3. Reset passwords for all local user accounts
4. Although the passwords were hashed, it is recommended that passwords are reset for any accounts where the XG credentials might have been reused
Sophos also warns that, even after the hotfix has been applied and the remediation steps performed, this alert will continue to be shown in the management interface.