Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Details Disclosed for Critical Vulnerability in Sophos Appliances

Organizations using security appliances from Sophos have been advised to make sure their devices are up to date after a researcher disclosed the details of a critical vulnerability patched last year.

Organizations using security appliances from Sophos have been advised to make sure their devices are up to date after a researcher disclosed the details of a critical vulnerability patched last year.

Sophos informed customers in September 2020 that it had patched a remote code execution flaw affecting the web administration console (WebAdmin) of SG UTM devices. The issue, tracked as CVE-2020-25223, was reported to the cybersecurity firm by an external researcher, and it was fixed with the release of SG UTM v9.705 MR5, v9.607 MR7, and v9.511 MR11.

Sophos SG UTM vulnerability disclosedHowever, it appears that not all Sophos customers have patched their devices. During a recent client engagement, Justin Kennedy, research consulting director at information security consultancy Atredis Partners, noticed that the customer’s UTM devices had been running a vulnerable version of the software.

Kennedy compared the differences between the patched and unpatched versions of the software, which enabled him to identify the root cause of the vulnerability.

Last week, the researcher published a blog post detailing how CVE-2020-25223 can be exploited by a remote, unauthenticated attacker for arbitrary code execution with root privileges on a Sophos appliance.

Sophos said in an emailed statement that it’s not aware of any malicious attacks leveraging this vulnerability. However, Kennedy told SecurityWeek that “it would be incredibly easy for an attacker to exploit the vulnerability in a real world environment.”

In order to exploit CVE-2020-25223, all an attacker needs to do is send a single HTTP request. If the WebAdmin interface is exposed to the internet, it may be possible for an attacker to exploit the vulnerability directly from the web.

Kennedy said the Shodan search engine identified over 3,100 systems that appear to expose the WebAdmin interface, but it’s unclear how many of them are actually vulnerable.

He also noticed more than 95,000 instances that have the title “User Portal” instead of “WebAdmin,” but he has not checked if it’s possible to exploit the vulnerability or reach the exploitable path via the User Portal.

Advertisement. Scroll to continue reading.

Asked if he is concerned about the information in his blog post being abused by malicious actors, the researcher noted that “if malicious actors wanted to exploit unpatched systems affected by the vulnerability, they’ve had more than enough time to discover the vulnerability details and exploit those systems.”

He has advised organizations to check if they are still affected by this vulnerability, and if they are, to patch their systems and then review their patching policies to identify the gaps that allowed a critical vulnerability to remain unpatched for nearly a year.

Commenting on Kennedy’s blog post, Sophos said, “The additional detail in the blog raises awareness about how important it is for organizations to constantly update and patch their software. The emphasis we want underscore is that updating, and patching is a critical security best practice that organizations of all sizes need to build into their ongoing maintenance routines.”

It’s important that organizations don’t ignore these recommendations as threat actors exploiting vulnerabilities in Sophos products is not unheard of.

Related: Sophos Patches Privilege Escalation Flaws in SafeGuard Products

Related: Hackers Attempted to Deploy Ransomware in Attacks Targeting Sophos Firewalls

Related: Critical Flaw in Sophos Cyberoam Appliances Allows Remote Code Execution

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.