Jack Rhysider
It sounds like a minor problem at the surface.
This firewall had a configuration which showed what IPs are allowed to access it and manage it and configure it.
And a strange URL was showing up in that list of IPs.
It didn't make any sense as to why it was there or why anyone would ever even put it there.
At the same time, someone outside of Sophos submitted a bug into Sophos for this same issue.
Someone from China with a trial license of the Sophos firewall found this bug and reported it to Sophos?
And Sophos did, in fact, pay the bug bounty for this.
Someone got paid a pretty penny for reporting this bug to Sophos at almost the exact same time that they were seeing it being exploited by devices in the wild.
So the team investigated this bug further.
It was present in the front-end web user interface of the firewall.
To configure this firewall, you can use a browser and access it that way.
Well, the web UI of this firewall had an SQL injection vulnerability in it.
Basically, in one of the form fields of the firewall, like maybe the username field or something, an attacker could enter in some commands there, which would glitch out the user input handling mechanism of the firewall and allow the attacker to inject their own commands there into the database of the firewall where the configuration sat.