Updated on 2022-09-24: Sophos Releases Patch and Workaround for Zero-Day Code Injection Flaw in Sophos Firewall
Sophos has released a fix for a code injection vulnerability in the User Portal and Webadmin components of Sophos Firewall. The flaw is being actively exploited. Customers who have enabled the “allow automatic installation of hotfixes” feature do not need to take action. The flaw affects Sophos Firewall v19.0 MR1 [19.0.1] and older. Sophos has also suggested disabling WAN access to the vulnerable components as a workaround.
- My usual advice applies: Patch, but also make sure that you are not exposing these web-based admin interfaces to the world. I doubt that this will be the last vulnerability to be found in a web-based firewall/router/VPN admin interface.
- This flaw is noted in the CISA KEV catalog. You have until Oct 14th to fix it. The flaws are in the User Portal and Webadmin services. A workaround is to not expose these services to the Internet. You need to do both, don’t expose those to the WAN and apply the update.
- In this case “allow” is the safe choice and should be the default. We simply have not seen sufficient cases where updates have caused problems to justify the alternative.
Sophos fixed a zero-day vulnerability (CVE-2022-3236) in its enterprise firewall product that was actively exploited across the South Asia region. The security vendor described the issue as a code injection vulnerability that can allow remote code execution via the firewall’s web interface. The company released a firmware patch and promised to publish a thorough report as it investigates the ongoing attacks. Read more: Resolved RCE in Sophos Firewall (CVE-2022-3236)
There appears to be a very particular actor targeting a specific region’s Sophos systems, but again, configure that shit securely and you bought yourself time…
— nluedtke (@nluedtke1) September 24, 2022