Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Sophos Patches Critical Firewall Vulnerabilities

Sophos has released patches for a critical-severity firewall vulnerability that could lead to remote code execution.

Sophos firewall patches

Sophos has announced patches for a critical-severity vulnerability in its firewall products that could allow remote attackers to execute arbitrary code without authentication.

Tracked as CVE-2024-12727 (CVSS score of 9.8), the issue is described as an SQL injection bug affecting the email protection feature. The flaw enables attackers to access the reporting database of the firewalls.

The bug can be exploited for remote code execution (RCE) “if a specific configuration of Secure PDF eXchange (SPX) is enabled in combination with the firewall running in High Availability (HA) mode”.

According to Sophos’ advisory, the flaw affects firewall product versions prior to 21.0 MR1 (21.0.1) and affects only 0.05% of devices.

Last week, the company announced hotfixes for versions 21 GA, 20 GA, 20 MR1, 20 MR2, 20 MR3, 19.5 MR3, 19.5 MR4, and 19.0 MR2 of its firewall products. The fixes were included in Sophos Firewall version 21.0 MR1 as well.

The updated iteration also addresses CVE-2024-12728 (CVSS score of 9.8), a weak credentials defect for which hotfixes were released in late November.

“The suggested and non-random SSH login passphrase for High Availability (HA) cluster initialization remained active after the HA establishment process completed, potentially exposing a privileged system account on the Sophos Firewall if SSH is enabled, affecting approximately 0.5% of devices,” Sophos explains.

To mitigate the flaw, users should restrict SSH access to “only the dedicated HA link that is physically separate”, or reconfigure the HA “using a sufficiently long and random custom passphrase”. They should also disable WAN access via SSH.

Advertisement. Scroll to continue reading.

Additionally, patches were released for CVE-2024-12729 (CVSS score of 8.8), a code injection vulnerability in the User Portal that could allow authenticated attackers to execute arbitrary code remotely.

To prevent the exploitation of this bug, users should disable WAN access to the User Portal and Webadmin, Sophos says.

“Sophos has not observed these vulnerabilities to be exploited at this time,” the company notes.

Threat actors exploiting Sophos firewall vulnerabilities, including zero-days, is not unheard of. The US recently charged and sanctioned a Chinese man accused of being involved in a sophisticated threat group’s attacks on Sophos firewalls.  

Related: CISA Releases Mobile Security Guidance After Chinese Telecom Hacking

Related: Sophos, ReversingLabs Release 20 Million Sample Dataset for Malware Research

Related: Malware Attack Takes ISS World’s Systems Offline

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

MorganFranklin Cyber has appointed Keith Hollender as CEO and member of the Board of Directors.

Lisa Banks has been named Chief Financial Officer at Abnormal Security.

Threat detection and response company Trellix has appointed Vishal Rao as its new CEO.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.