Thursday, December 19, 2024

Over 4,000 Internet-facing Sophos Firewalls Vulnerable to Code Injection Attacks


A code injection flaw in the Webadmin and User Portal HTTP interfaces of Sophos Firewall allows unauthenticated remote code execution, as stated in an alert Sophos released in September 2022.

The vulnerability, CVE-2022-3236, had reportedly already been used against “a small collection of specific organizations, primarily in the South Asia region”. Sophos shipped hotfixes for multiple Sophos Firewall versions at the time of the alert; official fixes followed three months later, in December 2022.

The flaw carries a severity score of 9.8 out of 10. Sophos told customers to apply the hotfix first and then upgrade to a fully patched release.


Because hotfixes are downloaded and applied automatically by default, the September hotfixes reached every affected instance (v19.0 MR1/19.0.1 and older) on which an administrator had not disabled that feature.

The CVE-2022-3236 hotfix could not, however, be applied automatically to Sophos Firewall instances running unsupported product versions; those had to be upgraded manually to a supported version first.
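To turn the affected range above (“v19.0 MR1/19.0.1 and older”) into something an inventory script can apply, here is a small version triage helper. It is an added example for this article, not Sophos or VulnCheck code. It assumes version strings in the shapes Sophos uses in its release naming (“v19.0 MR1”, “19.0.1”, “SFOS 19.0.1 MR-1-Build365”, “v19.5 GA”) and, following the article’s own equivalence of MR1 with 19.0.1, treats “MRn” as patch level n. It only answers whether a build falls inside the affected range; whether that build is still supported, and therefore hotfix-eligible, has to be checked against Sophos’s lifecycle data, which the article does not reproduce.

```python
import re
from typing import Dict, Optional, Tuple

# Threshold taken from the article: "v19.0 MR1/19.0.1 and older" are affected.
LAST_AFFECTED: Tuple[int, int, int] = (19, 0, 1)

# major.minor[.patch] optionally followed by "MRn" / "MR-n" (assumed string shapes).
_VER = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:[^\d]*?MR[- ]?(\d+))?", re.IGNORECASE)


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Normalise a Sophos Firewall version string to (major, minor, patch)."""
    m = _VER.search(text)
    if not m:
        return None
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3)) if m.group(3) else 0
    if m.group(4):
        # "19.0 MR1" is the same build as "19.0.1" per the article, so a
        # maintenance-release number wins over (or fills in) the patch field.
        patch = int(m.group(4))
    return (major, minor, patch)


def is_affected(text: str) -> Optional[bool]:
    """True if the version is in the affected range, None if it cannot be parsed."""
    v = parse_version(text)
    if v is None:
        return None  # unknown is reported as unknown, never as safe
    return v <= LAST_AFFECTED


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each device name to 'affected', 'not affected' or 'unknown'."""
    result = {}
    for name, version in inventory.items():
        state = is_affected(version)
        result[name] = "unknown" if state is None else ("affected" if state else "not affected")
    return result


if __name__ == "__main__":
    # Constructed inventory for illustration, not real appliance data.
    sample = {
        "fw-branch-01": "SFOS 19.0.1 MR-1-Build365",
        "fw-branch-02": "v18.5 MR4",
        "fw-dc-01": "v19.5 GA",
        "fw-lab": "unknown build",
    }
    for device, verdict in triage(sample).items():
        print(f"{device}: {verdict}")
```

Anything that parses as unknown should be inspected by hand rather than silently dropped; in practice the list of appliances with unusual version strings is exactly the list most likely to include unsupported builds that never received the hotfix.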

Thousands of Internet-facing Sophos Firewalls Are Still Susceptible

More than 4,400 internet-facing Sophos Firewalls are still susceptible, according to a recent analysis of Shodan search data by security company VulnCheck. That is roughly 6% of all internet-facing Sophos Firewalls.

“More than 99% of internet-facing Sophos Firewalls haven’t upgraded to versions containing the official fix for CVE-2022-3236,” VulnCheck vulnerability researcher Jacob Baines said.

“But around 93% are running versions eligible for a hotfix, and the default behavior of the firewall is to download and apply hotfixes automatically (unless disabled by an administrator). It’s likely that nearly all servers eligible for a hotfix have received one, although bugs do happen.”

“This leaves more than 4,000 firewalls (or around 6% of internet-facing Sophos Firewalls) still running versions that have not received a hotfix and are therefore vulnerable.”

The researcher said that, using the technical details in a Zero Day Initiative report, he was able to produce a working exploit for the issue; threat actors are therefore likely to gain the same capability soon.

He also stated that the Sophos Firewall’s default requirement for web clients to “solve a captcha during authentication” would probably prevent widespread exploitation. 

Baines advised administrators of vulnerable firewalls to look for two indicators of a possible compromise: the log file /logs/csc.log and the log file /log/validationError.log. If either shows a login request that includes the _Discriminator field, there was likely a successful or unsuccessful attempt to exploit the vulnerability, he said.
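The check described above, as an added example rather than code from the article or from VulnCheck: a scanner that reads the two logs named by Baines, flags every line carrying a _Discriminator field, and groups hits by client address so repeated probing stands out. The log line layouts in the constructed sample are assumed for this example; real Sophos log formats may differ, so the matcher is kept deliberately loose (any line that mentions the field, case-insensitively) and the first IPv4 address on the line is taken as the client.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Logs named in the article; the hotfix/fixed builds may or may not still write both.
LOG_PATHS = ("/logs/csc.log", "/log/validationError.log")

# Indicator from the article: a login request that includes the _Discriminator field.
INDICATOR = re.compile(r"_discriminator", re.IGNORECASE)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass
class Finding:
    source: str            # which log the line came from
    line_no: int
    client: Optional[str]  # first IPv4 address on the line, if any
    line: str


def scan_log(source: str, lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per line that carries the _Discriminator indicator."""
    findings = []
    for n, raw in enumerate(lines, 1):
        line = raw.rstrip("\n")
        if INDICATOR.search(line):
            ip = IPV4.search(line)
            findings.append(Finding(source, n, ip.group(0) if ip else None, line))
    return findings


def scan_paths(paths: Iterable[str] = LOG_PATHS) -> List[Finding]:
    """Scan the on-disk logs; a missing file is skipped rather than treated as clean."""
    findings: List[Finding] = []
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings.extend(scan_log(path, fh))
        except FileNotFoundError:
            continue
    return findings


def summarize(findings: Iterable[Finding]) -> Dict[str, int]:
    """Count findings per client so a single source probing repeatedly is obvious."""
    counts: Dict[str, int] = {}
    for f in findings:
        key = f.client or "unknown"
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample lines (not real Sophos output) used to exercise the scanner.
CSC_SAMPLE = """\
2022-09-23 10:14:01 csc: userportal login request from 203.0.113.5 user=alice
2022-09-23 10:14:02 csc: userportal login request from 198.51.100.7 body={"username":"x","password":"x","_Discriminator":"<payload omitted>"}
2022-09-23 10:14:03 csc: userportal login request from 198.51.100.7 body={"username":"x","password":"x","_Discriminator":"<payload omitted>"}
2022-09-23 10:15:10 csc: webadmin login ok user=admin from 203.0.113.5
"""
VALIDATION_SAMPLE = """\
2022-09-23 10:14:02 validation error: unexpected field _discriminator in login payload from 198.51.100.7
2022-09-23 10:20:00 validation error: password too short from 203.0.113.9
"""


if __name__ == "__main__":
    found = scan_log("/logs/csc.log", CSC_SAMPLE.splitlines())
    found += scan_log("/log/validationError.log", VALIDATION_SAMPLE.splitlines())
    for f in found:
        print(f"{f.source}:{f.line_no} client={f.client}: {f.line}")
    print(summarize(found))
```

Run `scan_paths()` on the appliance itself, or point it at copies of the two logs pulled off the device. A hit does not tell you whether the attempt succeeded, only that the exploit path was attempted, so any flagged client address should be followed up in the rest of the firewall’s logs rather than dismissed.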

Sophos Firewall CAPTCHA challenge (Jacob Baines)

“The vulnerable code is only reached after the CAPTCHA is validated. A failed CAPTCHA will cause the exploit to fail,” Baines said.

“Solving CAPTCHAs programmatically is not impossible, but it is a high hurdle for most attackers. Most internet-facing Sophos firewalls appear to have login CAPTCHA enabled, meaning this vulnerability is unlikely to have been successfully exploited at scale even at the best of times.”

Final Word

CVE-2022-3236 is one of those uncommon flaws that has been exploited in the wild while few technical details were ever made public, the researcher says.

The default authentication CAPTCHA almost certainly prevented widespread exploitation, and most internet-facing firewalls are eligible for the hotfix.

Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
