Sophos warns of a new actively exploited flaw in Firewall product

Sophos warns that a critical code injection security vulnerability in its Firewall product is actively exploited in the wild.

Sophos warns of a critical code injection security vulnerability, tracked as CVE-2022-3236, affecting its Firewall product which is being exploited in the wild.

The CVE-2022-3236 flaw resides in the User Portal and Webadmin of Sophos Firewall, its exploitation can lead to code execution (RCE).

“A code injection vulnerability allowing remote code execution was discovered in the User Portal and Webadmin of Sophos Firewall. The vulnerability has been fixed.” reads the advisory published by the security firm. “Sophos has observed this vulnerability being used to target a small set of specific organizations, primarily in the South Asia region. We have informed each of these organizations directly. Sophos will provide further details as we continue to investigate.”

The company addressed the issue with the released Firewall v19.0 MR1 (19.0.1) and older, it also provided workaround by recommending customers not expose User Portal, and Webadmin to WAN and disable WAN access to the User Portal and Webadmin. The company recommends to use VPN and/or Sophos Central (preferred) for remote access and management.

Customers using older Firewall versions would have to upgrade to a supported version.

In March, the security firm fixed another vulnerability, tracked as CVE-2022-1040, that resides in the User Portal and Webadmin areas of Sophos Firewall.

The CVE-2022-1040 flaw received a CVSS score of 9.8 and impacts Firewall versions 18.5 MR3 (18.5.3) and earlier. The vulnerability was reported to the security firm by an unnamed security researcher via its bug bounty program.

A remote attacker with access to the Firewall’s User Portal or Webadmin interface can exploit the flaw to bypass authentication and execute arbitrary code.

Source Sophos community

The experts warned that the CVE-2022-1040 flaw was actively exploited in attacks aimed at a small set of Asian organizations.

Update:

https://www.sophos.com/en-us/security-advisories/sophos-sa-20220923-sfos-rce

Sophos has addressed the issue with the release of the following hotfixes:

Hotfixes for the following versions published on September 21, 2022:
- v19.0 GA, MR1, and MR1-1
- v18.5 GA, MR1, MR1-1, MR2, MR3, and MR4
Hotfixes for the following versions published on September 23, 2022:
- v18.0 MR3, MR4, MR5, and MR6
- v17.5 MR12, MR13, MR14, MR15, MR16, and MR17
- v17.0 MR10
Fix included in v18.5 MR5 (18.5.5), v19.0 MR2 (19.0.2), and v19.5 GA
Users of older versions of Sophos Firewall are required to upgrade to receive the latest protections, and this fix

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, RCE)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.