Critical Sophos Firewall vulnerability allows remote code execution
Sophos has fixed a critical vulnerability in its Sophos Firewall product that allows remote code execution (RCE).
Tracked as CVE-2022-1040, the authentication bypass vulnerability exists in the User Portal and Webadmin areas of Sophos Firewall.
RCE bug in web administration console
On Friday, Sophos disclosed a critical remote code execution vulnerability impacting Sophos Firewall versions 18.5 MR3 (18.5.3) and earlier, and released hotfixes for the affected versions.
Assigned CVE-2022-1040 with a 9.8 CVSS score, the vulnerability allows a remote attacker who can access the Firewall’s User Portal or Webadmin interface to bypass authentication and execute arbitrary code.
The vulnerability was responsibly reported to Sophos by an unnamed external security researcher via the company’s bug bounty program.
To address the flaw, Sophos released hotfixes that should, by default, reach most instances automatically.
“There is no action required for Sophos Firewall customers with the ‘Allow automatic installation of hotfixes’ feature enabled. Enabled is the default setting,” explains Sophos in its security advisory.
The security advisory, however, implies that some older versions and end-of-life products may require manual action.
As a general workaround against the vulnerability, the company advises customers to secure their User Portal and Webadmin interfaces:
“Customers can protect themselves from external attackers by ensuring their User Portal and Webadmin are not exposed to WAN,” reads the advisory.
“Disable WAN access to the User Portal and Webadmin by following device access best practices and instead use VPN and/or Sophos Central for remote access and management.”
Earlier this week, Sophos had also resolved two ‘High’ severity vulnerabilities (CVE-2022-0386 and CVE-2022-0652) impacting the Sophos UTM (Unified Threat Management) appliances.
Sophos Firewall bugs previously exploited by attackers
It remains crucial to ensure your Sophos Firewall instances receive the latest security patches and hotfixes promptly, given that attackers have targeted vulnerable Sophos Firewall instances in the past.
In early 2020, Sophos fixed a zero-day SQL injection vulnerability in its XG Firewall following reports that hackers were actively exploiting it in attacks.
Starting April 2020, threat actors behind the Asnarök trojan malware had exploited the zero-day to try to steal firewall usernames and hashed passwords from vulnerable XG Firewall instances.
The same zero-day had also been exploited by hackers attempting to deliver Ragnarok ransomware payloads onto companies’ Windows systems.
Sophos Firewall users are therefore advised to make sure their products are updated. The Sophos Support website explains how to enable automatic hotfix installation and how to verify that the hotfix for CVE-2022-1040 successfully reached your product.
Once automatic hotfix installation is enabled, Sophos Firewall checks for hotfixes every thirty minutes and after any restart.