CISA adds Sophos firewall bug to Known Exploited Vulnerabilities Catalog

Pierluigi Paganini April 01, 2022

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical Sophos firewall flaw and seven other issues to its Known Exploited Vulnerabilities Catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the recently disclosed CVE-2022-1040 flaw in the Sophos firewall, along with seven other issues, to its Known Exploited Vulnerabilities Catalog.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts recommend also private organizations review the Catalog and address the vulnerabilities in their infrastructure.

The new vulnerabilities added to the catalog have to be addressed by federal agencies by April 21, 2022.

The CVE-2022-1040 is an authentication bypass vulnerability that resides in the User Portal and Webadmin areas of Sophos Firewall.

The vulnerability received a CVSS score of 9.8 and impacts Sophos Firewall versions 18.5 MR3 (18.5.3) and earlier. The vulnerability was reported to the security firm by an unnamed security researcher via its bug bounty program.

“An authentication bypass vulnerability allowing remote code execution was discovered in the User Portal and Webadmin of Sophos Firewall and responsibly disclosed to Sophos. It was reported via the Sophos bug bounty program by an external security researcher. The vulnerability has been fixed.” reads the advisory published by the company.

A remote attacker with access to the Firewall’s User Portal or Webadmin interface can exploit the flaw to bypass authentication and execute arbitrary code.

Sophos Firewall User Portal interface
Source Sophos community

The security vendor pointed out that the hotfixes will be automatically installed on its devices by default.

The company also recommends customers avoid exposing their User Portal and Webadmin to WAN.

Sophos is also warning that the CVE-2022-1040 flaw in Sophos Firewall is actively exploited in attacks aimed at a small set of Asian organizations.

CISA also ordered federal agencies to patch a high severity arbitrary file upload vulnerability (CVE-2022-26871) in the Trend Micro Apex Central product management console that can be abused in remote code execution attacks.

On Tuesday, Trend Micro said it has observed “at least one active attempt of potential exploitation” of this vulnerability in the wild.

CISA added six more vulnerabilities to its Known Exploited Vulnerabilities Catalog today, all of them also exploited in ongoing attacks.

CISA also ordered federal agencies to patch an arbitrary file upload vulnerability in Trend Micro Apex Central (CVE-2022-26871) and a privilege escalation in Microsoft Windows (CVE-2021-34484).

Below is the list of recently added vulnerabilities:

CVEVulnerability NameDue Date
CVE-2022-26871Trend Micro Apex Central Arbitrary File Upload Vulnerability2022-04-21
CVE-2022-1040Sophos Firewall Authentication Bypass Vulnerability2022-04-21
CVE-2021-34484Microsoft Windows User Profile Service Privilege Escalation2022-04-21
CVE-2021-28799QNAP NAS Improper Authorization Vulnerability2022-04-21
CVE-2021-21551Dell dbutil Driver Insufficient Access Control Vulnerability2022-04-21
CVE-2018-10562Dasan GPON Routers Command Injection Vulnerability2022-04-21
CVE-2018-10561Dasan GPON Routers Authentication Bypass Vulnerability2022-04-21
CVE-2014-6324Microsoft Windows Kerberos KDC Privilege Escalation2022-04-21

The CISA Catalog has reached a total of 609 entries with the latest added vulnerabilities.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, BazarLoader)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment