  • Critical Sophos Firewall vulnerability allows remote code execution


    Karlston


    Sophos has fixed a critical vulnerability in its Sophos Firewall product that allows remote code execution (RCE).


    Tracked as CVE-2022-1040, the authentication bypass vulnerability exists in the User Portal and Webadmin areas of Sophos Firewall.

    RCE bug in web administration console

    On Friday, Sophos disclosed a critical remote code execution vulnerability impacting Sophos Firewall versions 18.5 MR3 (18.5.3) and earlier, for which the company has released hotfixes.


    Assigned CVE-2022-1040 with a 9.8 CVSS score, the vulnerability allows a remote attacker who can access the Firewall's User Portal or Webadmin interface to bypass authentication and execute arbitrary code.

    Sophos Firewall User Portal interface (Sophos Community)

    The vulnerability was responsibly reported to Sophos by an unnamed external security researcher via the company's bug bounty program.


    To address the flaw, Sophos released hotfixes that should, by default, reach most instances automatically.


    "There is no action required for Sophos Firewall customers with the 'Allow automatic installation of hotfixes' feature enabled. Enabled is the default setting," explains Sophos in its security advisory.

    The security advisory implies, however, that some older versions and end-of-life products may need to be patched manually.


    As a general workaround against the vulnerability, the company advises customers to secure their User Portal and Webadmin interfaces:


    "Customers can protect themselves from external attackers by ensuring their User Portal and Webadmin are not exposed to WAN," reads the advisory.


    "Disable WAN access to the User Portal and Webadmin by following device access best practices and instead use VPN and/or Sophos Central for remote access and management."


    Earlier this week, Sophos had also resolved two 'High' severity vulnerabilities (CVE-2022-0386 and CVE-2022-0652) impacting the Sophos UTM (Unified Threat Management) appliances.

    Sophos Firewall bugs previously exploited by attackers

    It remains crucial to ensure your Sophos Firewall instances receive the latest security patches and hotfixes in a timely manner, given that attackers have targeted vulnerable Sophos Firewall instances in the past.

    In early 2020, Sophos fixed a zero-day SQL injection vulnerability in its XG Firewall following reports that hackers were actively exploiting it in attacks.


    Starting April 2020, threat actors behind the Asnarök trojan malware had exploited the zero-day to try to steal firewall usernames and hashed passwords from vulnerable XG Firewall instances.

    The same zero-day had also been exploited by hackers attempting to deliver Ragnarok ransomware payloads onto companies' Windows systems.


    Sophos Firewall users are therefore advised to make sure their products are updated. The Sophos Support website explains how to enable automatic hotfix installation and how to verify whether the hotfix for CVE-2022-1040 successfully reached your product.

    Once automatic hotfix installation is enabled, Sophos Firewall checks for hotfixes every thirty minutes and after any restart.
