[German]After experiencing issues with Sophos XG Firewall v18 MR1, the software has been pulled. And now there are reports that the Sophos XG Firewall is being attacked via 0-day exploits. Sophos has released an emergency patch to close the vulnerability. Here is some information about this ‘drama’ and the attack.
Zoom is the leader in modern enterprise video communications, with an easy, reliable cloud platform for video and audio conferencing, chat, and webinars across mobile, desktop, and room systems. Zoom Rooms is the original software-based conference room solution used around the world in board, conference, huddle, and training rooms, as well as executive offices and classrooms. Thank you for contacting the Sophos Community. So if you are expecting the traffic to come from 173.288.57.201 and not another IP then your Firewall rule is correct. Did you select automatic Firewall rule and have another Firewall from the ZoomOnPremZC to 173.288.57.201 (shouldn't be necessary if they are the ones initiating the traffic).
I'm playing around with Zoom Video Conferencing for Board Meetings and possibly some Live Meetings/Streaming for training events. I have cameras setup and everything works as intended hardware and software wise. All I need to know really is - anyone know how to route all Zoom traffic out a particular connection?? Sophos Intrusion Prevention System (IPS) is an advanced firewall feature that protects your network. The downside is that IPS is a resource-intensive process, as it needs to match every packet with thousands of attack signatures.
The trouble with the Sophos XG Firewall update
First a short review. A few weeks ago the company released firmware updates for Sophos UTM to version 9.703, as well as an update for the Sophos XG Firewall v18 MR1. In mid-April 2020 I had pointed out in the blog post Stop: Don’t install Sophos UTM 9.703 Firmware that this update should not be installed due to serious issues. Sophos then had to withdraw this firmware for the Sophos UTM.
The German edition of the above blog post was commented on by blog reader Matthias Gutowsky (thank you for that), pointing out that the same problem exists with the Sophos XG Firewall. In this Sophos Community post, dated from April 14, 2020, it was noted that Sophos XG Firewall v18 MR1 had also been withdrawn and that a new version was being worked on. But the trouble continued.
Sophos XG firewall under attack
At the weekend I already saw the following tweet from Catalin Cimpanu, pointing to an article at ZDNet with details about the attack.
Zoom And Sophos Utm
BREAKING: Hackers are exploiting a Sophos firewall zero-day
– Attacks detected on Wednesday
– Hackers exploited an SQLi to steal device data (creds)
– Patch pushed out earlier today
– Patch also removes artifacts from compromised XG firewall systemshttps://t.co/RSeABqz7jcpic.twitter.com/c971ypwgao
— Catalin Cimpanu (@campuscodi) April 26, 2020
Also Bleeping Computer has published this article about the 0-day exploit and the attacks. In a security advisory 135412 Sophos says, that that on April 22, 2020 at 20:29 UTC a report was received about a strange behavior of an XG firewall. Its management interface suddenly showed a suspicious field value.
Unknown SQL injection vulnerability exploited
The investigation made by Sophos has identified the incident as an attack on XG physical and virtual firewall units.
- The attack affected systems configured with either the management interface (HTTPS administration service) or the user portal exposed in the WAN zone.
- It also affected firewalls that were manually configured to expose a firewall service (such as SSL VPN) in the WAN zone that uses the same port as the management or user portal.
The default configuration of the XG firewall, on the other hand, requires that all services operate on unique ports. The attack used a previously unknown pre-authentic SQL injection vulnerability to gain access to exposed XG devices. The aim of the exploit is to exfiltrate data resident on the XG firewall.
The data exfiltrated for each affected firewall includes all local user names and hashed passwords of all local user accounts. For example, local device administrators, user portal accounts, and accounts used for remote access. Sophos has published this blog post with more information about this attack.
Note: Passwords associated with external authentication systems such as Active Directory (AD) or LDAP have not been compromised
Sophos distributes emergency patch
After determining the components and effects of the attack, Sophos provided a hotfix for all supported XG firewall/SFOS versions. This hotfix should have already been applied to all affected devices with auto-update enabled. The hotfix addressed the SQL injection vulnerability and was intended to prevent further 0-day exploit and attacker access to the infrastructure via XG firewall. At the same time, the hotfix was intended to clean up any remnants of the attack.
Note: If the “Allow automatic installation of hotfixes” option is disabled, see KB 135415 for instructions on how to apply the required hotfix.
Is Sophos XG Firewall compromised?
In a Security Advisory, Sophos gives some advice on how administrators can detect if the XG firewall is compromised. The XG firewall hotfix applied by Sophos includes a message in the XG management interface, indicating whether or not a particular XG firewall was affected by this attack. If the hotfix is installed, an uncompromised Sophos XG firewall will display the message below.
(Alert on XG-Firewall, Source: Sophos, Click to zoom)
If the hotfix was successfully installed and the firewall was compromised, the following message should appear in the Control center.
(Compromised Sophos XG-Firewall, Source: Sophos, Click to zoom)
Customers with compromised firewalls should respond and reboot their XG devices. In addition, the passwords of all local user accounts should be changed. Details can be found in this Sophos advisory.
Similar articles:
Stop: Don’t install Sophos UTM 9.703 Firmware
Revised Firmware update Sophos UTM 9.703-3 released
Advertising
To configure the inputs for the Splunk Add-on for Sophos, enable the desired stanzas in a local copy of inputs.conf on the forwarder installed on the Sophos Enterprise Console server.
Sophos Endpoint Security application logs
The add-on collects system logs of Sophos Endpoint Security, stored in Windows event logs, using the Splunk Add-on for Windows.
There is nothing to configure in this add-on for these logs.
Sophos Endpoint Security patch logs
Sophos Utm Zoom Extension
The add-on collects Sophos Endpoint Security patching logs using the Splunk Add-on for Windows.
To enable Sophos patch status monitoring, copy the first stanza in %SPLUNK_HOME%etcappsSplunk_TA_sophosdefaultinputs.conf to %SPLUNK_HOME%etcappsSplunk_TA_sophoslocalinputs.conf and enable the [WinEventLog://Sophos Patch] stanza by changing disabled = 1 to disabled = 0.
Sophos Endpoint Console server logs
The add-on collects Sophos Endpoint Console server logs through monitor inputs.
Copy the all the monitor stanzas from %SPLUNK_HOME%etcappsSplunk_TA_sophosdefaultinputs.conf to %SPLUNK_HOME%etcappsSplunk_TA_sophoslocalinputs.conf and enable the desired stanzas by changing disabled = 1 to disabled = 0. In each stanza, replace <SEC_LOG_PATH> with the path of the log files on the Sophos Enterprise Console.
Sophos Endpoint Console Syslog Logs
You can configure these logs to push via syslog over the network using Sophos Report Interface or by monitoring the SEC server log as with the server logs above. If you are monitoring the log files directly, set the source type to sophos:sec.
If you are pushing data via syslog, create an inputs.conf stanza in your syslog collector for these source types:
sophos:utm:firewallsophos:utm:ipssophos:utm:ipsec
For example, your stanza for sophos:utm:firewall might look like this.
If you are monitoring the log files directly, set the source type to sophos:sec.
Sophos Utm Zoom Exceptions
Note: When collecting syslog, a best practice is to use a 3rd party aggregator (e.g. rsyslog or syslog-ng) for improved fault tolerance and scalability.