Sophos released a security bulletin stating that they have fixed a zero-day pre-auth SQL Injection vulnerability in their XG Firewall that was actively being exploited in the wild.
A statement from Sophos said: “Sophos received a report on April 22, 2020, at 20:29 UTC regarding an XG Firewall with a suspicious field value visible in the management interface. Sophos commenced an investigation and the incident was determined to be an attack against physical and virtual XG Firewall units. The attack affected systems configured with either the administration interface (HTTPS admin service) or the user portal exposed on the WAN zone. In addition, firewalls manually configured to expose a firewall service (e.g. SSL VPN) to the WAN zone that shares the same port as the admin or User Portal were also affected. For reference, the default configuration of XG Firewall is that all services operate on unique ports.”
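The exposure pattern Sophos describes above (admin interface or User Portal reachable from the WAN zone, or another service manually placed on the same port as one of them and exposed to the WAN) can be checked against an inventory of a device's listening services. The following is an added example, not code from Sophos or from the bulletin; the port numbers 4444 (admin HTTPS) and 443 (User Portal) are assumed defaults, and the service layouts are constructed for illustration.

```python
import socket
from dataclasses import dataclass

# Assumed XG defaults (not stated in the bulletin): admin HTTPS on 4444,
# User Portal on 443. Replace with the ports configured on your own device.
SENSITIVE_SERVICES = {"admin": 4444, "user_portal": 443}


@dataclass(frozen=True)
class Service:
    """A firewall service and the zones it is reachable from."""
    name: str
    port: int
    zones: frozenset  # e.g. frozenset({"LAN"}) or frozenset({"LAN", "WAN"})


def find_exposures(services, wan_zone="WAN"):
    """Return (service_name, reason) pairs matching the affected configurations:
    admin or User Portal listening in the WAN zone, or any other service
    listening in the WAN zone on the same port as admin or User Portal."""
    sensitive_by_port = {}
    for s in services:
        if s.name in SENSITIVE_SERVICES:
            sensitive_by_port.setdefault(s.port, []).append(s.name)

    findings = []
    for s in services:
        if wan_zone not in s.zones:
            continue  # not reachable from the WAN, not part of this pattern
        if s.name in SENSITIVE_SERVICES:
            findings.append((s.name, f"{s.name} listens on port {s.port} in the {wan_zone} zone"))
        elif s.port in sensitive_by_port:
            shared = ", ".join(sensitive_by_port[s.port])
            findings.append((s.name, f"{s.name} listens on port {s.port} in the {wan_zone} zone, "
                                     f"the same port as {shared}"))
    return findings


def tcp_reachable(host, port, timeout=3.0):
    """Best-effort reachability probe, run from a host OUTSIDE the firewall
    against its WAN address. A True result only means the port accepts a TCP
    connection; confirm which service answers by fetching the login page over TLS."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed sample layouts (not real device configurations).
RISKY_LAYOUT = [
    Service("admin", 4444, frozenset({"LAN"})),
    Service("user_portal", 443, frozenset({"LAN", "WAN"})),  # portal exposed on the WAN
    Service("ssl_vpn", 4444, frozenset({"WAN"})),            # VPN moved onto the admin port
    Service("ipsec_vpn", 500, frozenset({"WAN"})),           # unique port, not affected
]

SAFE_LAYOUT = [
    Service("admin", 4444, frozenset({"LAN"})),
    Service("user_portal", 443, frozenset({"LAN"})),
    Service("ssl_vpn", 8443, frozenset({"WAN"})),
    Service("ipsec_vpn", 500, frozenset({"WAN"})),
]

if __name__ == "__main__":
    for name, reason in find_exposures(RISKY_LAYOUT):
        print(f"[exposed] {reason}")
    print("safe layout findings:", find_exposures(SAFE_LAYOUT))
```

The inventory check is the useful part: it flags both the obvious case (User Portal on the WAN) and the subtler one the bulletin calls out (SSL VPN sharing the admin port on the WAN), while leaving services on unique ports alone. The `tcp_reachable` probe is only a sanity check from the outside; a device that is reachable on 4444 or 443 from the internet should be treated as within scope of the bulletin regardless of what the inventory says.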
If your Sophos XG Firewall has automatic installation of hotfixes enabled, the hotfix has already been installed. This is confirmed by a message in the XG management interface, which also tells the administrator whether the device was affected by the attack.
Additionally from Sophos:
For uncompromised XG Firewall devices, no additional steps are required.
For compromised XG Firewall devices that have received the hotfix, we strongly recommend the following additional steps to fully remediate the issue:
Reset device administrator accounts
Reboot the XG device(s)
Reset passwords for all local user accounts. Although the passwords were hashed, it is recommended that passwords are reset for any accounts where the XG credentials might have been reused.
Note: The hotfix alert message does not disappear once the hotfix is applied. The full alert will remain visible in the XG management interface, even after the hotfix has been successfully applied and even after any additional remediation steps have been completed.
Note: While customers should always conduct their own internal investigation, at this point Sophos is not aware of any subsequent remote access attempts to impacted XG devices using the stolen credentials.
Instructions from Sophos for enabling automatic installation of hotfixes are provided here: https://community.sophos.com/kb/en-us/135415
The Sophos SQL injection security bulletin can be found here: https://community.sophos.com/kb/en-us/135412