Sophos

Over 4,000 Sophos Firewall appliances exposed to Internet access are vulnerable to attacks targeting a critical remote code execution (RCE) vulnerability.

Sophos disclosed this code injection flaw (CVE-2022-3236) found in the User Portal and Webadmin of Sophos Firewall in September and also released hotfixes for multiple Sophos Firewall versions (official fixes were issued three months later, in December 2022).

The company warned at the time that the RCE bug was being exploited in the wild in attacks against organizations from South Asia.

The September hotfixes rolled out to all affected instances (v19.0 MR1/19.0.1 and older) since automatic updates are enabled by default — unless an administrator disabled the option.

Sophos Firewall instances running older product versions had to be upgraded manually to a supported version to receive the CVE-2022-3236 hotfix automatically.

Admins who cannot patch the vulnerable software can also remove the attack surface by disabling WAN access to the User Portal and Webadmin.

Thousands of appliances still vulnerable

While scanning the Internet for Sophos Firewall devices, VulnCheck vulnerability researcher Jacob Baines found that out of more than 88,000 instances, around 6% or more than 4,000 are running versions that haven't received a hotfix and are vulnerable to CVE-2022-3236 attacks.

"More than 99% of internet-facing Sophos Firewalls haven't upgraded to versions containing the official fix for CVE-2022-3236," Baines said.

"But around 93% are running versions that are eligible for a hotfix, and the default behavior for the firewall is to automatically download and apply hotfixes (unless disabled by an administrator).

"That still leaves more than 4,000 firewalls (or about 6% of internet-facing Sophos Firewalls) running versions that didn't receive a hotfix and are therefore vulnerable."

Luckily, despite already being exploited as a zero-day, a CVE-2022-3236 proof-of-concept exploit is yet to be published online.

However, Baines was able to reproduce the exploit from technical information shared by Trend Micro's Zero Day Initiative (ZDI), so it is likely that threat actors will soon be able to as well.

When and if this happens, that will most likely lead to a new wave of attacks as soon as threat actors create a fully working version of the exploit and add it to their tool set.

Baines also added that mass exploitation would likely be hindered by Sophos Firewall requiring web clients by default "to solve a captcha during authentication."

To workaround this limitation and reach the vulnerable code, attackers would have to include an automated CAPTCHA solver.

Sophos Firewall CAPTCHA challenge
Sophos Firewall CAPTCHA challenge (Jacob Baines)

​Sophos Firewall bugs previously targeted in attacks

Patching Sophos Firewall bugs is critically important, given that this wouldn't be the first time such a vulnerability is exploited in the wild.

In March 2022, Sophos patched a similar critical Sophos Firewall bug (CVE-2022-1040) in the User Portal and Webadmin modules that enabled authentication bypass and arbitrary code execution attacks.

It was also exploited in attacks as a zero-day since early March (roughly three weeks before Sophos released patches) against South Asian organizations by a Chinese threat group tracked as DriftingCloud.

A zero-day in XG Firewall SQL injection was also abused by threat actors starting in early 2020 to steal sensitive data such as usernames and passwords using the Asnarök trojan malware.

The same zero-day was exploited to deliver Ragnarok ransomware payloads onto Windows enterprise networks.


Update January 18, 15:53 EST: Sophos sent the following statement after the article was published:

Sophos took immediate steps to remediate this issue with an automated hotfix sent out in September 2022. We also alerted users who don't receive automatic hotfixes to apply the update themselves. 

The remaining 6% of the Internet-facing versions that Baines is guestimating in his article are running old, unsupported version of the software. This is a good opportunity to remind these users, as well as all users of any type of outdated software, to follow best security practices and upgrade to the most recent version available, like Sophos does on a regular basis with its customers.

Related Articles:

ConnectWise urges ScreenConnect admins to patch critical RCE flaw

CISA tags Microsoft SharePoint RCE bug as actively exploited

Exploit released for Fortinet RCE bug used in attacks, patch now

Fortinet warns of critical RCE bug in endpoint management software

Exploit available for new critical TeamCity auth bypass bug, patch now