Over 4,000 Internet-facing Sophos Firewalls Vulnerable to Code Injection Attacks

The Sophos Firewall Webadmin and User Portal HTTP interfaces are vulnerable to unauthenticated remote code execution, according to an alert Sophos released in September.

The vulnerability, CVE-2022-3236, was reportedly used in the past against “a small collection of specific organizations, primarily in the South Asia region”. Sophos issued hotfixes for multiple Sophos Firewall versions (official fixes followed three months later, in December 2022).

The vulnerability carries a severity score of 9.8 out of 10. Sophos instructed customers to install the hotfix and then the full patch to stop the attacks.

Because automatic hotfix installation is enabled by default, the September hotfixes were delivered to all affected instances (v19.0 MR1/19.0.1 and older) unless an administrator had turned the feature off.

The CVE-2022-3236 hotfix could not, however, be applied automatically to Sophos Firewall instances running unsupported product versions; those had to be manually upgraded to a supported version.

Servers Using the Sophos Firewall Are Still Susceptible

More than 4,400 servers running the Sophos firewall are still susceptible, according to a recent study. That makes up around 6% of all internet-facing Sophos firewalls, based on Shodan search data provided by security company VulnCheck.

“More than 99% of internet-facing Sophos Firewalls haven’t upgraded to versions containing the official fix for CVE-2022-3236,” VulnCheck vulnerability researcher Jacob Baines said.

“But around 93% are running versions eligible for a hotfix, and the default behavior of the firewall is to download and apply hotfixes automatically (unless disabled by an administrator). It’s likely that nearly all servers eligible for a hotfix have received one, although bugs do happen.”

“This leaves more than 4,000 firewalls (or around 6% of internet-facing Sophos Firewalls) still running versions that have not received a hotfix and are therefore vulnerable.”

The researcher said that, using the technical details in the Zero Day Initiative report, he was able to produce a working exploit for the issue, so threat actors will most likely soon have the same capability.

He also noted that the Sophos Firewall’s default requirement for web clients to “solve a captcha during authentication” would probably prevent widespread exploitation.

Baines advised users of vulnerable servers to look for two indicators of a possible compromise: the log file at /logs/csc.log and the log file at /log/validationError.log. If either file shows the _discriminator field included in a login request, there was likely an attempt, successful or not, to exploit the vulnerability, he said.
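The check described above, as an added example that is not part of the article and not VulnCheck’s or Sophos’s own tooling: it reads the two log files the article names and reports any login-related line that carries a `_discriminator` field. The line layout of the constructed sample entries is an assumption (the page does not document the real csc.log or validationError.log format), so the regular expressions should be adjusted to what a given appliance actually writes.

```python
"""Scan Sophos Firewall logs for the CVE-2022-3236 indicator the article
describes: a login request carrying a `_discriminator` field.

Added example, not from the article, Sophos, or VulnCheck. The two log paths
come from the article; the log line format in SAMPLE_LOG below is CONSTRUCTED
for illustration and is an assumption about what the appliance records.
"""
import re
from pathlib import Path
from typing import Dict, Iterable, List

# The two files the article names as the places to look.
LOG_PATHS = ["/logs/csc.log", "/log/validationError.log"]

# Indicator: `_discriminator` used as a JSON key or as a form/query parameter.
DISCRIMINATOR_RE = re.compile(r'["\']?_discriminator["\']?\s*[:=]', re.IGNORECASE)

# Only lines that relate to a login request are of interest. Matching on the
# word "login" is an assumption about how the appliance labels such entries.
LOGIN_RE = re.compile(r"login", re.IGNORECASE)


def find_indicators(lines: Iterable[str], source: str = "<memory>") -> List[Dict[str, object]]:
    """Return one record per line that is both login-related and contains the
    `_discriminator` field. Each record carries the source name, the 1-based
    line number and the line text, so a responder can go back to the file."""
    hits: List[Dict[str, object]] = []
    for lineno, line in enumerate(lines, start=1):
        if LOGIN_RE.search(line) and DISCRIMINATOR_RE.search(line):
            hits.append({"source": source, "line": lineno, "text": line.rstrip("\n")})
    return hits


def scan_files(paths: Iterable[str] = LOG_PATHS) -> List[Dict[str, object]]:
    """Scan every listed log file that exists on this host. A missing file is
    skipped rather than treated as an error, since an appliance may not have
    written one of the two logs yet."""
    hits: List[Dict[str, object]] = []
    for p in paths:
        path = Path(p)
        if not path.is_file():
            continue
        # errors="replace" keeps the scan going over any non-UTF-8 bytes.
        with path.open("r", errors="replace") as fh:
            hits.extend(find_indicators(fh, source=str(path)))
    return hits


# CONSTRUCTED sample entries (not real appliance output). Lines 2 and 4 carry
# the indicator; line 1 is a normal login and line 3 is unrelated.
SAMPLE_LOG = [
    '2022-09-25 10:01:02 INFO  userportal login request {"username":"alice","password":"***"}',
    '2022-09-25 10:01:09 WARN  webadmin login request {"username":"x","password":"x","_discriminator":"PLACEHOLDER"}',
    '2022-09-25 10:02:00 INFO  session refresh {"token":"PLACEHOLDER"}',
    '2022-09-25 10:03:11 ERROR validation failed for login: _discriminator=PLACEHOLDER',
]

if __name__ == "__main__":
    # First show the detector on the constructed sample, then on the real paths.
    for hit in find_indicators(SAMPLE_LOG, source="sample"):
        print(f"{hit['source']}:{hit['line']}: {hit['text']}")
    for hit in scan_files():
        print(f"{hit['source']}:{hit['line']}: {hit['text']}")
```

Run it on the appliance (or on copies of the two logs pulled off it) and treat any reported line as a sign of an exploitation attempt; because the article notes that a failed CAPTCHA causes the exploit to fail, the hit on its own indicates an attempt rather than a confirmed compromise, and the surrounding log entries need to be read to tell the two apart.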

[Image: Sophos Firewall CAPTCHA challenge (Jacob Baines)]

“The vulnerable code is only reached after the CAPTCHA is validated. A failed CAPTCHA will cause the exploit to fail,” Baines said.

“Solving CAPTCHAs programmatically is not impossible, but it is a high hurdle for most attackers. Most internet-facing Sophos firewalls appear to have login CAPTCHA enabled, meaning this vulnerability is unlikely to have been successfully exploited at scale even at the best of times.”

Final Word

CVE-2022-3236 is one of those uncommon flaws that has been exploited in the wild with few details ever being made public, the researcher says.

The default authentication CAPTCHA also almost certainly stopped widespread exploitation, and most internet-facing firewalls are eligible for hotfixes.

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
