Sophos customers should make sure their firewall devices are running the latest updates, as the vendor has addressed several security vulnerabilities. Exploiting these vulnerabilities could allow various malicious actions, including remote code execution.

Several vulnerabilities patched in Sophos Firewall

According to its recent advisory, Sophos fixed at least three vulnerabilities in Sophos Firewall. Specifically, these weaknesses include:

  • CVE-2024-12727 (Critical Severity; CVSS 9.8): A SQL injection vulnerability affecting the email protection feature. This pre-authentication flaw could allow an adversary to access the target firewall’s reporting database and achieve remote code execution. Exploitation requires the firewall to be running in high availability (HA) mode with a specific Secure PDF Exchange (SPX) configuration.
  • CVE-2024-12728 (Critical Severity; CVSS 9.8): A weak-credentials vulnerability that could allow an adversary to gain privileged access to the target Sophos Firewall via SSH.
  • CVE-2024-12729 (High Severity; CVSS 8.8): A post-authentication code injection vulnerability in the User Portal. Exploiting the flaw could allow an authenticated adversary to execute code on the target device.

Two of these vulnerabilities, CVE-2024-12727 and CVE-2024-12729, were found by external security researchers, who reported them to Sophos through the firm’s bug bounty program. The third, CVE-2024-12728, was discovered by Sophos’s internal researchers.

These vulnerabilities affected Sophos Firewall v21.0 GA (21.0.0) and higher. The firm initially patched all of them via hotfixes, and later rolled the fixes into v20 MR3, v21 MR1, and newer releases. Because hotfixes are installed automatically by default, all vulnerable systems should already be protected; however, users should still check that their devices have received the hotfix or have been upgraded to a fixed release.

In addition to fixing the weaknesses, Sophos shared several mitigations for devices where immediate patching is not possible. These include securing SSH access and disabling User Portal and WebAdmin access from the WAN.

The firm has confirmed that it has not observed active exploitation of any of these vulnerabilities. Nevertheless, users should apply the security fixes as soon as possible to avoid potential threats.

Let us know your thoughts in the comments.
