Thursday, November 14, 2024
HomeCyber Security NewsOver 4,000 Internet-facing Sophos Firewalls Vulnerable to Code Injection Attacks

Over 4,000 Internet-facing Sophos Firewalls Vulnerable to Code Injection Attacks

Published on

Malware protection

The Sophos Firewall Webadmin and User Portal HTTP interfaces are vulnerable to unauthenticated and remote code execution, as stated in an alert released by Sophos in September.

The vulnerability, CVE-2022-3236, was reportedly utilized against “a small collection of specific organizations, primarily in the South Asia region” in the past. Multiple Sophos Firewall versions received hotfixes from the firm (official fixes were issued three months later, in December 2022).

The severity score is 9.8 out of 10. Customers were instructed to install a hotfix and then a full patch by the company to stop the attack.

- Advertisement - SIEM as a Service

Since automatic updates are enabled by default, unless an administrator turned the feature off, the September hotfixes were given to all affected instances (v19.0 MR1/19.0.1 and older).

Further, the CVE-2022-3236 hotfix could not be applied automatically to instances of Sophos Firewall running unsupported product versions; they had to be manually upgraded to a supported version.

Servers Using the Sophos Firewall Are Still Susceptible

More than 4,400 servers using the Sophos firewall are still susceptible, according to a recent study. That makes up around 6% of all Sophos firewalls, according to data from a Shodan search provided by security company VulnCheck.

“More than 99% of internet-facing Sophos Firewalls haven’t upgraded to versions containing the official fix for CVE-2022-3236,” VulnCheck vulnerability researcher Jacob Baines said.

“But around 93% are running versions eligible for a hotfix, and the default behavior of the firewall is to download and apply hotfixes automatically (unless disabled by an administrator). It’s likely that nearly all servers eligible for a hotfix have received one, although bugs do happen”. 

“This leaves more than 4,000 firewalls (or around 6% of internet-facing Sophos Firewalls) still running versions that have not received a hotfix and are therefore vulnerable.”

The researcher claimed that using the technical details in this Zero Day Initiative report, he was able to produce a working exploit for the issue. Hence, threat actors most likely will soon have the same capability.

He also stated that the Sophos Firewall’s default requirement for web clients to “solve a captcha during authentication” would probably prevent widespread exploitation. 

Baines advised users of vulnerable servers to look for two indicators of a possible compromise. The first is the log file at/logs/csc.log and the second is /log/validationError.log. If either the_Discriminator field is included in a login request, there was likely a successful or unsuccessful attempt to exploit the vulnerability, he said.

Sophos Firewall CAPTCHA challenge
Sophos Firewall CAPTCHA challenge (Jacob Baines)

“The vulnerable code is only reached after the CAPTCHA is validated. A failed CAPTCHA will cause the exploit to fail”, Baines 

Solving CAPTCHAs programmatically is not impossible, but it is a high hurdle for most attackers. Most internet-facing Sophos firewalls appear to have login CAPTCHA enabled, meaning this vulnerability is unlikely to have been successfully exploited at scale even at the best of times.”

Final Word

One of those uncommon flaws, CVE-2022-3236, has been used in reality with few details ever being made public, says the researchers.

Also, the default authentication captcha most certainly stopped widespread exploitation, and the internet-facing firewalls are mainly eligible for hotfixes.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

GitLab Patches Critical Flaws Leads to Unauthorized Access to Kubernetes Cluster

GitLab has rolled out critical security updates to address multiple vulnerabilities in its Community...

Windows 0-Day Exploited in Wild with Single Right Click

A newly discovered zero-day vulnerability, CVE-2024-43451, has been actively exploited in the wild, targeting Windows...

Automating Identity and Access Management for Modern Enterprises

Keeping track of who has access and managing their permissions has gotten a lot...

Finding The Right E-Commerce Platform – Comparing Reselling Solutions

If you’re looking to make some extra cash or to start a business, you...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

GitLab Patches Critical Flaws Leads to Unauthorized Access to Kubernetes Cluster

GitLab has rolled out critical security updates to address multiple vulnerabilities in its Community...

Windows 0-Day Exploited in Wild with Single Right Click

A newly discovered zero-day vulnerability, CVE-2024-43451, has been actively exploited in the wild, targeting Windows...

Fortinet Patches Critical Flaws That Affected Multiple Products

Fortinet, a leading cybersecurity provider, has issued patches for several critical vulnerabilities impacting multiple...