Sophos has released a patch for its firewall product to fix a critical remote code execution vulnerability being exploited in the wild. Tracked as CVE-2022-3236, the vulnerability was discovered in the User Portal and Webadmin of Sophos Firewall. This is a code injection vulnerability that can allow remote code execution on the affected systems.
The advisory states, “This vulnerability was being used to target a small set of specific organizations, primarily in the South Asia region. We have informed each of these organizations directly. Sophos will provide further details as we continue to investigate.”
The advisory mentions that the hotfixes released for this vulnerability will automatically apply to the products with the “Allow automatic installation of hotfixes” feature enabled on remediated versions. As per Sophos, this setting is enabled by default. The company says that the customers with the older versions will have to upgrade to the latest version to apply the patch for the vulnerability.
CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog.
Customers can:
- Verify if the hotfix has been applied to the firewall at: https://support.sophos.com/support/s/article/KB-000044539?language=en_US
- Check the steps for enabling the automatic hotfix installation feature at: https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Administration/DeviceAccess/index.html
Affected versions
This vulnerability affects the Sophos Firewall v19.0 MR1 (19.0.1) and older versions.
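The affected range above is stated in two notations (the "v19.0 MR1" maintenance-release form and the dotted "19.0.1" form), which is exactly what trips up inventory scripts that compare version strings. As an added example, not part of this post or of Sophos's or Qualys's tooling, the following Python normalizes both forms and flags any Sophos Firewall at or below 19.0.1 as in the affected range unless the hotfix has been confirmed (for example via the KB article linked above). The `hotfix_applied` flag and the sample inventory are assumptions constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Highest affected release named in the advisory: v19.0 MR1, i.e. 19.0.1.
# Releases at or below this tuple are in scope; newer releases are not.
LAST_AFFECTED: Tuple[int, int, int] = (19, 0, 1)

# Accepts "v19.0 MR1", "19.0.1", "SFOS 18.5 MR4", "19.0.0 GA" and similar.
# Sophos numbers maintenance releases as the third component (MR1 == .1),
# as the advisory itself shows with "v19.0 MR1 (19.0.1)".
_VERSION_RE = re.compile(
    r"^\s*(?:SFOS\s+)?v?(\d+)\.(\d+)(?:\.(\d+))?(?:\s*(?:GA|MR-?(\d+)))?\s*$",
    re.IGNORECASE,
)


def parse_sfos_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Normalize a Sophos Firewall version string to (major, minor, mr).

    Returns None when the string is not recognisable, so callers can treat
    unparseable inventory entries as 'unknown' rather than silently safe.
    """
    m = _VERSION_RE.match(text)
    if not m:
        return None
    major, minor, patch, mr = m.groups()
    # Prefer an explicit dotted patch; otherwise use the MR number; GA is .0.
    third = patch if patch is not None else (mr if mr is not None else "0")
    return (int(major), int(minor), int(third))


def assess(version: str, hotfix_applied: bool = False) -> str:
    """Classify one firewall against the CVE-2022-3236 affected range.

    'vulnerable'  - at or below 19.0.1 with no confirmed hotfix
    'hotfixed'    - in the affected range but the hotfix is confirmed applied
    'unaffected'  - newer than 19.0.1
    'unknown'     - version string could not be parsed
    """
    parsed = parse_sfos_version(version)
    if parsed is None:
        return "unknown"
    if parsed > LAST_AFFECTED:
        return "unaffected"
    # The page does not list which older versions receive the hotfix, so the
    # caller is responsible for confirming it per device (e.g. via the KB article).
    return "hotfixed" if hotfix_applied else "vulnerable"


def triage_inventory(devices: List[Dict[str, object]]) -> Dict[str, str]:
    """Map each device name to its assessment for a constructed inventory."""
    return {
        str(d["name"]): assess(str(d["version"]), bool(d.get("hotfix_applied", False)))
        for d in devices
    }


if __name__ == "__main__":
    # Constructed sample inventory (assumption, not real hosts).
    sample = [
        {"name": "fw-branch-01", "version": "v19.0 MR1"},
        {"name": "fw-branch-02", "version": "19.0.1", "hotfix_applied": True},
        {"name": "fw-dc-01", "version": "SFOS 19.0 MR2"},
        {"name": "fw-legacy", "version": "18.5 MR4"},
        {"name": "fw-odd", "version": "n/a"},
    ]
    for name, status in triage_inventory(sample).items():
        print(f"{name}: {status}")
```

Treat "unknown" results as work items rather than as clean: an inventory field that does not parse is the most common way an exposed appliance slips through a version sweep.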
Workaround
To protect themselves from an external attack, customers should make sure that their User Portal and Webadmin are not exposed to WAN.
Disable WAN access to the User Portal and Webadmin by following device access best practices, and use VPN and/or Sophos Central (recommended) for remote access and management instead.
Mitigation
Sophos has released patches for this vulnerability. For more information, please refer to the Sophos Firewall security advisory.
Qualys Detection
Qualys customers can scan their devices with QID 730616 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://www.sophos.com/en-us/security-advisories/sophos-sa-20220923-sfos-rce