Tuesday, July 23, 2024

Over 4,000 Internet-facing Sophos Firewalls Vulnerable to Code Injection Attacks

Sophos warned in a September 2022 alert that the Webadmin and User Portal HTTP interfaces of Sophos Firewall are vulnerable to unauthenticated remote code execution.

The vulnerability, CVE-2022-3236, had reportedly already been used against “a small collection of specific organizations, primarily in the South Asia region.” Sophos shipped hotfixes for multiple Sophos Firewall versions at the time; official fixed releases followed three months later, in December 2022.

The flaw carries a CVSS severity score of 9.8 out of 10. Sophos instructed customers to install the hotfix and then the full patch to close off the attack.

Because automatic hotfix installation is enabled by default, the September hotfixes reached every affected instance (v19.0 MR1/19.0.1 and older) unless an administrator had turned the feature off.

The hotfix could not, however, be applied automatically to Sophos Firewall instances running unsupported product versions; those had to be manually upgraded to a supported version first.

Thousands of Internet-facing Sophos Firewalls Are Still Susceptible

More than 4,400 internet-facing Sophos Firewall instances are still susceptible, according to an analysis of Shodan data by security company VulnCheck. That amounts to roughly 6% of all Sophos firewalls exposed on the internet.

“More than 99% of internet-facing Sophos Firewalls haven’t upgraded to versions containing the official fix for CVE-2022-3236,” VulnCheck vulnerability researcher Jacob Baines said.

“But around 93% are running versions eligible for a hotfix, and the default behavior of the firewall is to download and apply hotfixes automatically (unless disabled by an administrator). It’s likely that nearly all servers eligible for a hotfix have received one, although bugs do happen”. 

“This leaves more than 4,000 firewalls (or around 6% of internet-facing Sophos Firewalls) still running versions that have not received a hotfix and are therefore vulnerable.”

The researcher said he was able to produce a working exploit for the issue using the technical details in the Zero Day Initiative (ZDI) report on the bug, so threat actors will most likely soon have the same capability.

He also noted that the Sophos Firewall’s default requirement that web clients “solve a captcha during authentication” will probably prevent widespread exploitation.

Baines advised administrators of vulnerable firewalls to check two log files for signs of a possible compromise: /logs/csc.log and /logs/validationError.log. If either log contains a login request that includes the _Discriminator field, there was likely an attempt, successful or not, to exploit the vulnerability, he said.
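The indicator above is a string match over two log files, which is easy to automate. The following Python script is an added example written for this article, not code from VulnCheck or Sophos: it scans both log files for a login request carrying the _Discriminator field (matched case-insensitively, since the field name is reported in differing casings) and reports each hit with its line number. The log paths come from the text; the log line layout is not documented on the page, so the sample lines embedded below are constructed for the example and do not reflect the real csc.log format.

```python
"""Hunt for the CVE-2022-3236 indicator VulnCheck describes: a login request
to the Sophos Firewall User Portal / Webadmin carrying a _Discriminator field.

The two log paths are taken from the article.  The sample log lines are
constructed for this example; the real csc.log layout is not shown on the page.
"""
import re
from pathlib import Path

# Log files named in the article (paths on the firewall itself).
DEFAULT_LOG_PATHS = ("/logs/csc.log", "/logs/validationError.log")

# Match the field name regardless of case and JSON/form quoting, e.g.
#   "_discriminator":"..."   or   _Discriminator=...
DISCRIMINATOR_RE = re.compile(r'["\']?_discriminator["\']?\s*[:=]', re.IGNORECASE)
# Heuristic: does the same line look like a login request?  (assumed keyword)
LOGIN_RE = re.compile(r"login", re.IGNORECASE)


def find_discriminator_hits(lines, source="<memory>"):
    """Return one record per line that contains a _Discriminator field.

    Every match is returned so an analyst can review it; the record's
    'login_request' flag marks the ones that match the IOC in the article
    (the field inside a login request).
    """
    hits = []
    for lineno, line in enumerate(lines, start=1):
        if not DISCRIMINATOR_RE.search(line):
            continue
        hits.append({
            "source": source,
            "line": lineno,
            "login_request": bool(LOGIN_RE.search(line)),
            "excerpt": line.strip()[:200],
        })
    return hits


def scan_log_files(paths=DEFAULT_LOG_PATHS):
    """Scan each log file that exists.  A missing file is skipped rather than
    fatal, so the script can run on an appliance that has only one of them."""
    hits = []
    for path in map(Path, paths):
        if not path.is_file():
            continue
        with path.open(errors="replace") as fh:  # tolerate odd bytes in logs
            hits.extend(find_discriminator_hits(fh, source=str(path)))
    return hits


# Constructed sample lines (NOT real Sophos output): a benign login, a login
# request carrying _discriminator (payload elided), and an unrelated line that
# mentions the field name outside a login request.
SAMPLE_LINES = [
    '2022-09-23 10:11:12 INFO  login request from 203.0.113.7 user=admin captcha=ok',
    '2022-09-23 10:11:15 WARN  login request from 198.51.100.9 '
    'body={"username":"admin","password":"x","_discriminator":"..."}',
    '2022-09-23 10:12:00 DEBUG config reload: _Discriminator=legacy',
]

if __name__ == "__main__":
    # Run against the embedded samples; swap in scan_log_files() on a firewall.
    for hit in find_discriminator_hits(SAMPLE_LINES, source="sample"):
        flag = "LOGIN-IOC" if hit["login_request"] else "review"
        print(f'{flag} {hit["source"]}:{hit["line"]} {hit["excerpt"]}')
```

On the sample input the second line is reported as a login IOC and the third is flagged for review only; on a live appliance call scan_log_files() and treat any login-flagged hit as a trigger for incident response, since the article notes that both successful and failed exploitation attempts leave this trace.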

Sophos Firewall CAPTCHA challenge (Jacob Baines)

“The vulnerable code is only reached after the CAPTCHA is validated. A failed CAPTCHA will cause the exploit to fail,” Baines said.

“Solving CAPTCHAs programmatically is not impossible, but it is a high hurdle for most attackers. Most internet-facing Sophos firewalls appear to have login CAPTCHA enabled, meaning this vulnerability is unlikely to have been successfully exploited at scale even at the best of times.”

Final Word

CVE-2022-3236 is one of those uncommon flaws that was exploited in the wild while few technical details were ever made public, the researcher says.

The default login CAPTCHA most likely prevented widespread exploitation, and the majority of internet-facing firewalls are eligible for automatic hotfixes; the remaining few thousand on unsupported versions must be upgraded manually.


Guru baran (https://gbhackers.com)
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
