Sophos has released a security advisory addressing three vulnerabilities in Sophos Firewall. Tracked as CVE-2024-12727, CVE-2024-12728, and CVE-2024-12729, they may lead to remote code execution and information disclosure.
Sophos Firewall is a network security platform that offers a range of features to protect the network from threats and simplify cybersecurity.
CVE-2024-12727
This pre-authentication SQL injection vulnerability in the email protection feature of Sophos Firewall is rated critical (CVSS 9.8). It is reachable without credentials and may lead to remote code execution when Secure PDF eXchange (SPX) is enabled and the firewall is running in High Availability (HA) mode.
CVE-2024-12728
This vulnerability is also rated critical (CVSS 9.8). The SSH login passphrase that the High Availability (HA) cluster setup suggests is not random, and it remained active after setup completed. An attacker who knows that suggested passphrase and can reach SSH on a firewall with SSH enabled could therefore log in to a privileged system account.
CVE-2024-12729
This post-authentication code injection vulnerability in the User Portal is rated high (CVSS 8.8). An authenticated user who can reach the User Portal may exploit it to gain remote code execution on the firewall.
Affected Versions
All three vulnerabilities affect Sophos Firewall v21.0 GA (21.0.0) and older.
Mitigation
Customers should upgrade to Sophos Firewall v21 MR1 (21.0.1) or later, which fixes all three vulnerabilities.
Please refer to the Sophos Security Advisory (sophos-sa-20241219-sfos-rce) for more information.
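Deciding which units need the upgrade is a version-comparison exercise, and Sophos version strings come in several shapes ("21.0 GA", "v21.0 MR1", "20.0 MR3", "21.0.1.396"). The Python below is an added example, not Qualys or Sophos code: it normalises those forms to a (major, minor, maintenance) tuple and compares against the 21.0.1 cut-off stated above. The inventory is constructed for the example, and the script knows nothing about a unit's actual state beyond its reported version, so confirm on the device before closing a finding.

```python
import re
from typing import Iterable, List, Tuple

Version = Tuple[int, int, int]  # (major, minor, maintenance release)

# Cut-off taken from the advisory summary above: v21.0 GA (21.0.0) and older
# are affected; v21 MR1 (21.0.1) and later carry the fix.
FIXED_VERSION: Version = (21, 0, 1)

# Accepts the forms Sophos uses for SFOS releases, e.g. "21.0 GA", "v21.0 MR1",
# "20.0 MR3", "21.0.1" and "21.0.1.396" (trailing build numbers are ignored).
_VERSION_RE = re.compile(
    r"""^v?(?P<major>\d+)\.(?P<minor>\d+)   # 21.0
        (?:\.(?P<patch>\d+))?              # optional numeric MR: 21.0.1
        (?:[\s-]*(?:GA|MR(?P<mr>\d+)))?    # optional textual suffix: GA / MR1
        (?:\.\d+)*\s*$                     # optional build numbers
    """,
    re.IGNORECASE | re.VERBOSE,
)


def parse_sfos_version(text: str) -> Version:
    """Normalise an SFOS version string; raises ValueError on unknown shapes."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised SFOS version string: {text!r}")
    if m["mr"] is not None:
        maint = int(m["mr"])          # textual "MR3" wins if both forms appear
    elif m["patch"] is not None:
        maint = int(m["patch"])       # numeric third component, e.g. 21.0.1
    else:
        maint = 0                     # "GA" or a bare "21.0" is maintenance release 0
    return (int(m["major"]), int(m["minor"]), maint)


def is_affected(version_text: str) -> bool:
    """True when the version is below the fixed release named in the advisory."""
    return parse_sfos_version(version_text) < FIXED_VERSION


def triage(inventory: Iterable[Tuple[str, str]]):
    """Split an inventory of (hostname, version string) into units still below
    FIXED_VERSION (oldest first) and units whose version could not be parsed.
    Unknown versions are reported rather than dropped: they need a manual look."""
    affected: List[Tuple[str, str, Version]] = []
    unknown: List[Tuple[str, str]] = []
    for host, version_text in inventory:
        try:
            parsed = parse_sfos_version(version_text)
        except ValueError:
            unknown.append((host, version_text))
            continue
        if parsed < FIXED_VERSION:
            affected.append((host, version_text, parsed))
    affected.sort(key=lambda row: row[2])
    return affected, unknown


# Constructed sample inventory (hostnames are not real), as a CMDB export might look.
SAMPLE_INVENTORY = [
    ("fw-edge-01", "21.0 GA"),
    ("fw-edge-02", "v21.0 MR1"),
    ("fw-branch-03", "20.0 MR3"),
    ("fw-lab-04", "21.0.1.396"),
    ("fw-old-05", "unknown"),
]

if __name__ == "__main__":
    affected, unknown = triage(SAMPLE_INVENTORY)
    for host, text, parsed in affected:
        print(f"{host}: {text} -> {'.'.join(map(str, parsed))} is below 21.0.1, upgrade")
    for host, text in unknown:
        print(f"{host}: version {text!r} not understood, check manually")
```

Run against the sample inventory this reports fw-branch-03 and fw-edge-01 as below the cut-off and fw-old-05 as needing a manual check.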
Workaround
For CVE-2024-12728:
To mitigate the SSH passphrase (used during deployment of HA ports) remaining active, customers can ensure that:
- SSH access is restricted to the dedicated HA link that is physically separate, and/or
- HA is reconfigured using a sufficiently lengthy and random custom passphrase.
Sophos also recommends disabling WAN access to SSH by following device access best practices and instead using VPN and/or Sophos Central for remote access and management.
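The second bullet asks for a "sufficiently lengthy and random" custom passphrase without saying what that means in practice. The Python below is an added example, not Sophos code or a Sophos tool: it draws a passphrase from the operating system CSPRNG and applies a minimum bar that also rejects any value the caller already knows (for instance, the passphrase the HA wizard suggested, which the advisory says is non-random). The 24-character floor, the symbol set and the three-class rule are this example's own choices.

```python
import math
import secrets
import string

# Character classes for a generated passphrase. The symbol set is this example's
# choice: characters unlikely to be mangled when typed into a setup wizard.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, "-_.:+!#%^")
ALPHABET = "".join(CLASSES)       # 71 characters, about 6.15 bits each
MIN_LENGTH = 24                   # example's floor: 24 chars is roughly 148 bits
MIN_CLASSES = 3

_sysrand = secrets.SystemRandom()  # CSPRNG-backed shuffle


def random_entropy_bits(n_chars: int) -> float:
    """Entropy of n_chars drawn uniformly from ALPHABET (24 -> ~148 bits, 32 -> ~197)."""
    return n_chars * math.log2(len(ALPHABET))


def generate_ha_passphrase(n_chars: int = 32) -> str:
    """Random passphrase containing at least one character from every class.
    Forcing one member per class costs a few bits of entropy at most."""
    if n_chars < MIN_LENGTH:
        raise ValueError(f"n_chars must be at least {MIN_LENGTH}")
    chars = [secrets.choice(cls) for cls in CLASSES]
    chars += [secrets.choice(ALPHABET) for _ in range(n_chars - len(chars))]
    _sysrand.shuffle(chars)        # so the forced class members are not in fixed positions
    return "".join(chars)


def is_acceptable(passphrase: str, denylist=()) -> bool:
    """Minimum bar for a custom HA passphrase: not a value known in advance
    (the wizard's suggestion goes in denylist), long enough, and mixing at
    least MIN_CLASSES character classes."""
    if passphrase in denylist:
        return False
    if len(passphrase) < MIN_LENGTH:
        return False
    classes_present = sum(1 for cls in CLASSES if any(ch in cls for ch in passphrase))
    return classes_present >= MIN_CLASSES


if __name__ == "__main__":
    candidate = generate_ha_passphrase()
    print(f"generated: {candidate}  (~{random_entropy_bits(len(candidate)):.0f} bits)")
    print("acceptable:", is_acceptable(candidate))
```

The check is a floor, not an entropy measurement: a human-composed phrase such as "Sophos-HA-Cluster-2024" passes the length and class tests while being easy to guess, so generate the value rather than compose it, and store it in a password manager rather than reusing it elsewhere.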
For CVE-2024-12729:
Customers can protect themselves from external attackers by ensuring the User Portal and Webadmin are not exposed to the WAN. Sophos recommends disabling WAN access to both by following device access best practices and instead using VPN and/or Sophos Central for remote access and management.
Qualys Detection
Qualys customers can scan their devices with QIDs 732129 and 731130 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://www.sophos.com/en-us/security-advisories/sophos-sa-20241219-sfos-rce