Sophos Releases Hotfixes for Critical Firewall Vulnerabilities

Sophos has released hotfixes for three security vulnerabilities in its Sophos Firewall products. Two of the flaws are rated critical; depending on the device's configuration, they can lead to remote code execution or to privileged system access over SSH, so affected users should apply the fixes promptly. Sophos reports no evidence that any of the three has been exploited in the wild.

Overview of the Security Flaws

The vulnerabilities identified by Sophos are as follows:

  • CVE-2024-12727 (CVSS score: 9.8): A pre-authentication SQL injection vulnerability in the email protection feature. It gives access to the reporting database and can lead to remote code execution, but only when a specific configuration of Secure PDF eXchange (SPX) is enabled and the firewall is running in High Availability (HA) mode.

  • CVE-2024-12728 (CVSS score: 9.8): A weak-credentials vulnerability. The SSH login passphrase that Sophos suggests for HA cluster initialization is not random, and if it is left active after the HA establishment process completes, it exposes a privileged account to anyone who can reach SSH on the firewall.

  • CVE-2024-12729 (CVSS score: 8.8): A post-authentication code injection vulnerability in the User Portal. An authenticated User Portal user can use it to execute arbitrary code on the firewall.

Impact Assessment and Affected Versions

Sophos has indicated that:

  • CVE-2024-12727 affects approximately 0.05% of devices.
  • CVE-2024-12728 impacts about 0.5% of devices.

All three vulnerabilities affect Sophos Firewall v21.0 GA (21.0.0) and older. Fixes are included in the following releases:

  • CVE-2024-12727: Fixed in v21 MR1 and newer, with hotfixes available for various earlier versions.
  • CVE-2024-12728: Addressed in v20 MR3, v21 MR1, and newer, with similar patch availability for older versions.
  • CVE-2024-12729: Resolved in v21 MR1 and newer, with hotfixes for previous versions.

How to Verify Hotfix Application

Hotfixes are installed automatically only on firewalls where automatic hotfix installation is enabled; on every other device, confirm the fix as follows:

  • For CVE-2024-12727: Access the Sophos Firewall console, navigate to Device Management > Advanced Shell, and run the command cat /conf/nest_hotfix_status. The hotfix is present if the value is 320 or above.

  • For CVE-2024-12728 and CVE-2024-12729: From the Sophos Firewall console, launch the Device Console and run system diagnostic show version-info. The hotfix is present if the reported hotfix value is HF120424.1 or later.
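The two checks can be scripted so that a fleet of firewalls is assessed the same way. The following is an added example and not Sophos code: a POSIX shell script that applies the advisory's two thresholds to constructed sample output. The layout of the sample version-info output is invented (only the HF token is parsed), and the script assumes Sophos hotfix IDs are of the form HFMMDDYY.N (month, day, two-digit year, sequence number), so that "later" can be decided by date and then by sequence number. On a real device, capture the two outputs described above and substitute them for the samples.

```shell
#!/bin/sh
# Added example (not Sophos code): apply the advisory's two hotfix thresholds
# to captured output. The samples below are constructed; on a real firewall,
# replace them with the live output of the two commands from the advisory.
# Assumption: Sophos hotfix IDs are HFMMDDYY.N (month, day, two-digit year,
# sequence number), so "later" means a later date, then a higher sequence.

NEST_MIN=320            # cat /conf/nest_hotfix_status must be >= this (CVE-2024-12727)
HF_MIN="HF120424.1"     # version-info must show this hotfix or later (CVE-2024-12728/12729)

# Constructed sample of /conf/nest_hotfix_status (the file holds one integer).
SAMPLE_NEST="321"

# Constructed sample of `system diagnostic show version-info`; only the HF
# token is parsed, the surrounding labels are invented and may differ.
SAMPLE_VERSION_INFO="Version Information
Firmware : SFOS 21.0.0 GA-Build169
Hotfix   : HF120424.1"

# nest_ok VALUE: succeed if VALUE is an integer at or above NEST_MIN.
nest_ok() {
  case $1 in
    ''|*[!0-9]*) return 1 ;;        # empty or non-numeric: treat as unpatched
  esac
  [ "$1" -ge "$NEST_MIN" ]
}

# hf_key HF120424.1 -> "241204 1": date as YYMMDD plus sequence, for ordering.
hf_key() {
  hf=${1#HF}
  mm=$(printf '%s' "$hf" | cut -c1-2)
  dd=$(printf '%s' "$hf" | cut -c3-4)
  yy=$(printf '%s' "$hf" | cut -c5-6)
  sn=${hf#*.}
  printf '%s%s%s %s' "$yy" "$mm" "$dd" "$sn"
}

# hf_ge CANDIDATE MINIMUM: succeed if CANDIDATE is MINIMUM or a later hotfix.
hf_ge() {
  c=$(hf_key "$1"); m=$(hf_key "$2")
  c_date=${c% *}; c_sn=${c#* }
  m_date=${m% *}; m_sn=${m#* }
  if [ "$c_date" -gt "$m_date" ]; then return 0; fi
  if [ "$c_date" -eq "$m_date" ] && [ "$c_sn" -ge "$m_sn" ]; then return 0; fi
  return 1
}

# extract_hf TEXT: print the first HFMMDDYY.N token in TEXT, or nothing.
extract_hf() {
  printf '%s\n' "$1" | grep -oE 'HF[0-9]{6}\.[0-9]+' | head -n 1
}

# version_info_ok TEXT: succeed if TEXT names a hotfix at or later than HF_MIN.
version_info_ok() {
  hf=$(extract_hf "$1")
  [ -n "$hf" ] || return 1          # no hotfix token at all: unpatched
  hf_ge "$hf" "$HF_MIN"
}

if nest_ok "$SAMPLE_NEST"; then
  echo "CVE-2024-12727: hotfix present (nest_hotfix_status=$SAMPLE_NEST, minimum $NEST_MIN)"
else
  echo "CVE-2024-12727: NOT patched (nest_hotfix_status='$SAMPLE_NEST', minimum $NEST_MIN)"
fi

if version_info_ok "$SAMPLE_VERSION_INFO"; then
  echo "CVE-2024-12728/12729: hotfix present ($(extract_hf "$SAMPLE_VERSION_INFO"), minimum $HF_MIN)"
else
  echo "CVE-2024-12728/12729: NOT patched (found '$(extract_hf "$SAMPLE_VERSION_INFO")', minimum $HF_MIN)"
fi
```

The point of hf_key is that a plain string comparison of hotfix IDs is wrong: HF010125.1 (January 2025) sorts before HF120424.1 as text but is the later hotfix, so the script reorders the fields to year, month, day before comparing. A missing or unparsable value is deliberately reported as unpatched rather than skipped.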

Recommended Temporary Workarounds

Until the hotfixes can be fully implemented, Sophos recommends the following temporary measures:

  • Restrict SSH access to only the dedicated HA link, which should be physically separate.
  • Reconfigure HA using a sufficiently long and random custom passphrase.
  • Disable WAN access via SSH.
  • Ensure that the User Portal and Webadmin are not exposed to WAN.

Conclusion

This disclosure comes shortly after the U.S. government announced charges against a Chinese national accused of exploiting an earlier zero-day vulnerability in Sophos firewalls. Given the severity of the new flaws, administrators should apply the hotfixes or upgrade to a fixed release without delay, and keep the workarounds above in place until they have done so.
