
Sophos Firewall Vulnerabilities Could Allow Remote Attacks

by Abeerah Hashim

Sophos has patched several security vulnerabilities in Sophos Firewall, including one that is exploitable without authentication, and users should make sure their devices have received the fixes. Exploiting these flaws could allow a range of malicious actions, up to and including remote code execution.

Multiple Vulnerabilities Patched In Sophos Firewall

According to its recent advisory, Sophos addressed three vulnerabilities in the Sophos Firewall:

  • CVE-2024-12727 (critical severity; CVSS 9.8): a pre-authentication SQL injection vulnerability in the email protection feature. An attacker could use it to gain access to the firewall's reporting database, and it can lead to remote code execution when a specific Secure PDF eXchange (SPX) configuration is enabled and the firewall is running in High Availability (HA) mode. The injection itself requires no credentials; the code-execution outcome depends on that SPX-plus-HA combination.
  • CVE-2024-12728 (critical severity; CVSS 9.8): a weak-credentials vulnerability that could allow privileged system access over SSH. The suggested, non-random SSH login passphrase used while initialising an HA cluster remained active after HA setup completed, so anyone who knows it and can reach the SSH service could log in.
  • CVE-2024-12729 (high severity; CVSS 8.8): a post-authentication code injection vulnerability in the User Portal. An attacker holding valid portal credentials could execute arbitrary code on the device.

Two of the three, CVE-2024-12727 and CVE-2024-12729, were found by external security researchers and reported to Sophos through the company's bug bounty program; Sophos' own researchers discovered CVE-2024-12728.

The vulnerabilities affect Sophos Firewall v21.0 GA (21.0.0) and older. Sophos first shipped hotfixes and then included the fixes in the regular releases v20 MR3, v21 MR1, and newer. Hotfixes are installed automatically on firewalls where the "Allow automatic installation of hotfixes" setting is enabled, which is the default; devices where that setting was turned off, or that run a release too old to receive the hotfix, must be updated manually. Administrators should still confirm that the hotfix is present and plan an upgrade to a fixed release.

Besides patching, Sophos published mitigations for devices where an immediate fix is not possible. For the SSH issue (CVE-2024-12728), restrict SSH access to the dedicated, physically separate HA link and/or reconfigure HA with a sufficiently long random passphrase, and disable SSH access from the WAN. For the User Portal and WebAdmin, disable WAN access to both and use a VPN or Sophos Central for remote management instead.
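The WAN-exposure mitigation above is something an administrator can verify from outside the network. The following Python script is an added example, not code from the article or from Sophos: it attempts a TCP connection to the default ports of the three services the advisory says should not face the WAN (SSH 22/TCP, User Portal 443/TCP, WebAdmin 4444/TCP) and reports which ones answer. The target address 203.0.113.10 is a documentation placeholder, the port numbers are product defaults that must be adjusted if the services were moved, and the injectable `probe` parameter is an assumption of this example so the reporting logic can be exercised without network access.

```python
"""Check whether Sophos Firewall management services answer from the WAN.

Added example (not from the article or from Sophos). Run it from a host
outside the protected network, pointing at the firewall's public address.
"""
import socket
import sys
from dataclasses import dataclass

# Product default ports for the three services that the advisory says should
# not be reachable from the WAN. Assumption: the deployment has not moved them.
DEFAULT_SERVICES = {
    "SSH": 22,
    "User Portal": 443,
    "WebAdmin": 4444,
}

# Documentation placeholder address (RFC 5737 TEST-NET-3), not a real target.
PLACEHOLDER_TARGET = "203.0.113.10"


@dataclass(frozen=True)
class Finding:
    service: str
    port: int
    reachable: bool


def probe_port(host, port, timeout=3.0):
    """Return True if a TCP handshake to host:port completes within timeout.

    A completed handshake only proves that something listens on that port;
    it does not identify which service answered.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, filtered (timeout) and unreachable all count as "not reachable".
        return False


def assess_exposure(host, services=DEFAULT_SERVICES, probe=probe_port):
    """Probe every service port from the current vantage point.

    `probe` is injectable (assumption of this example) so the classification
    below can be tested offline with a fake prober.
    """
    return [Finding(name, port, probe(host, port)) for name, port in services.items()]


def exposed_services(findings):
    """Names of services that answered and therefore sit on the WAN path."""
    return [f.service for f in findings if f.reachable]


def verdict(findings):
    """One-line summary suitable for a ticket or a monitoring check."""
    exposed = exposed_services(findings)
    if not exposed:
        return "OK: no management service reachable from this vantage point"
    return ("EXPOSED: " + ", ".join(exposed)
            + " answered; restrict WAN access as described in the Sophos advisory")


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else PLACEHOLDER_TARGET
    results = assess_exposure(target)
    for f in results:
        state = "reachable" if f.reachable else "closed/filtered"
        print(f"{f.service:12s} tcp/{f.port:<5d} {state}")
    print(verdict(results))
```

Two caveats when reading the output. A TCP answer on 443 proves only that a listener exists; it could be a published web server or another portal rather than the User Portal, so confirm which service responded before changing rules. Conversely, "closed/filtered" from one external vantage point does not prove the port is blocked for everyone, since upstream filtering or geo-based rules may differ per source.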

Sophos says it has found no evidence that any of the three vulnerabilities has been exploited in the wild. Users should nevertheless apply the fixes as soon as possible, since the details are now public.
