Sophos Kba 135412

Posted on by admin



Sophos Kba 135412

Sophos Kba 135412 Vs

Download

Apr 28, 2020 Applies to the following Sophos products and versions Sophos Firewall What to do As a general best security practice to reduce attack surface wherever possible, Sophos recommends disabling HTTPS admin services on the WAN interface. If the User Portal is not being used, Sophos also recommends deactivating this service on the WAN as well. Sophos Central is the unified console for managing all your Sophos products. Sign into your account, take a tour, or start a trial from here.

On April 25, 2020, Sophos published a knowledge basearticle (KBA) 135412 which warned about apre-authenticated SQL injection (SQLi) vulnerability, affecting the XG Firewallproduct line. According to Sophos this issue had been actively exploited atleast since April 22, 2020. Shortly after the knowledge base article, a detailed analysis of the so called Asnarök operationwas published. Whilst the KBA focused solely on the SQLi, this write up clearly indicatedthat the attackers had somehow extended this initial vector to achieve remote code execution (RCE).

The criticality of the vulnerability prompted us to immediately warn our clients of the issue.As usual we provided lists of exposed and affected systems. Of course we also started an investigation into the technical details of the vulnerability. Due to the nature of the affected devices and the prospect of RCE, this vulnerability sounded like a perfect candidate for a perimeter breach in upcoming red team assessments. However, as we will explain later, this vulnerability will most likely not be as useful for this task as we first assumed.

SophosSophos kba 135412 error

Sophos Kba 135412

Sophos Kba 135412

Sophos Kba 135412 Security

Our analysis not only resulted in a working RCEexploit for the disclosed vulnerability (CVE-2020-12271) but also led to the discovery ofanother SQLi, which could have been used to gain code execution (CVE-2020-15504). Thecriticality of this new vulnerability is similar to the one used in theAsnarök campaign: exploitable pre-authentication either via an exposeduser or admin portal. Sophos quickly reacted to our bug report, issuedhotfixes for the supported firmware versions and released new firmwareversions for v17.5 and v18.0 (see also the Sophos Community Advisory).