Sophos Releases Update for Three Critical Firewall Vulnerabilities

Sophos has recently addressed three critical vulnerabilities in its Sophos Firewall product. These vulnerabilities, identified as CVE-2024-12727, CVE-2024-12728, and CVE-2024-12729, could allow attackers to execute remote code, gain privileged access, and escalate privileges.

Issue Overview

  1. CVE-2024-12727: Pre-authentication SQL Injection Vulnerability
    • Description: This vulnerability exists in the email protection feature of Sophos Firewall. If exploited, it allows attackers to access the reporting database and potentially execute remote code.
    • Exploitation: Attackers can exploit this vulnerability by sending specially crafted SQL queries to the vulnerable feature, leading to unauthorized access and remote code execution.
    • Severity: Critical (CVSS score: 9.8)
    • Impact: Approximately 0.05% of devices are affected.
  2. CVE-2024-12728: Insecure SSH Passphrase
    • Description: The suggested and non-random SSH login passphrase for High Availability (HA) cluster initialization remains active after the process completes, exposing privileged system accounts if SSH is enabled.
    • Exploitation: Attackers can exploit this vulnerability by using the predictable passphrase to gain unauthorized access to the system accounts.
    • Severity: Critical (CVSS score: 9.8)
    • Impact: Approximately 0.5% of devices are affected.
  3. CVE-2024-12729: Post-auth Code Injection Vulnerability
    • Description: This vulnerability allows authenticated users to execute arbitrary code via the User Portal.
    • Exploitation: Attackers with valid credentials can inject malicious code into the User Portal, leading to remote code execution and potential privilege escalation.
    • Severity: High (CVSS score: 8.8)
    • Impact: Requires authentication but poses a significant risk to organizations relying on Sophos Firewall.

Remediation

Sophos has released hotfixes and permanent fixes for these vulnerabilities. Users are advised to ensure their devices are running the latest supported versions to receive these protections. For those unable to update immediately, Sophos provides workarounds such as restricting SSH access to dedicated HA links and disabling WAN access to the User Portal and WebAdmin interfaces.

Conclusion

It’s crucial for organizations using Sophos Firewall to apply these updates promptly to mitigate the risks associated with these vulnerabilities. By following the recommended best practices and ensuring their systems are up-to-date, users can better protect their networks from potential attacks.

Leave a Comment

Your email address will not be published. Required fields are marked *