Shulou(Shulou.com)05/31 Report--

Sophos firewall 0-day vulnerability was exploited by hackers example analysis, I believe that many inexperienced people do not know what to do, so this paper summarizes the causes of the problem and solutions, through this article I hope you can solve this problem.

Internet security company Sophos released an emergency security update on April 25 to fix a 0-day vulnerability in its XG enterprise firewall product, which has been exploited by hackers.

Sophos said it heard of the 0-day vulnerability for the first time since receiving a report from a customer on Wednesday, April 22. The customer reported "seeing a suspicious field value in the administrative interface."

After investigating the report, Sophos determined that it was an active attack, not an error in its product.

According to a security bulletin issued by Sophos, an attacker exploited a previously unknown SQL injection vulnerability to gain access to exposed XG devices.

Hackers attack SophosXG Firewall devices that are exposed to the Internet by management (HTTPS services) or the control panel of the user portal.

Sophos said that hackers used the SQL injection vulnerability to download a payload on the device, and the payload stole files from XGFirewall.

The stolen data includes the username and hash password of the firewall device administrator and firewall portal administrator, as well as the user account used to remotely access the device.

Sophos said the passwords of the customer's other external authentication systems, such as AD or LDAP, were not affected.

The company said that in the course of its investigation, it found no evidence that hackers used stolen passwords to access XG Firewall devices or any other systems on its customers' internal networks.

Sophos indicates that an automatic update has been pushed to all XG Firewall with automatic update enabled to fix the vulnerability.

This hot patch fixes the SQL injection vulnerability, prevents further exploitation, prevents XG Firewall from accessing any of the attacker's infrastructure, and clears up the remnants of the attack.

The security update also adds an alarm to the XG Firewall control panel to let the device owner know if the device has been compromised.

For companies whose devices have been compromised, Sophos recommends remediation by resetting passwords and rebooting the device.

1. Reset portal administrator and device administrator accounts

two。 Restart the XG device

3. Reset passwords for all local user accounts

4. Although the password is hashed, it is recommended that you reset the password for any account that may use XG credentials again

If users do not need the management interface of the firewall, Sophos also recommends that users disable this feature on Internet-facing ports.

After reading the above, have you mastered the method of example analysis of Sophos firewall 0-day vulnerability exploited by hackers? If you want to learn more skills or want to know more about it, you are welcome to follow the industry information channel, thank you for reading!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.