Sophos has released hotfixes to address three security flaws in Sophos Firewall products that could be exploited to achieve remote code execution and allow privileged system access under certain conditions.
Of the three, two are rated Critical in severity. There is currently no evidence that the shortcomings have been exploited in the wild. The list of vulnerabilities is as follows –
- CVE-2024-12727 (CVSS score: 9.8) – A pre-auth SQL injection vulnerability in the email protection feature that could lead to remote code execution, if a specific configuration of Secure PDF eXchange (SPX) is enabled in combination with the firewall running in High Availability (HA) mode.
- CVE-2024-12728 (CVSS score: 9.8) – A weak credentials vulnerability arising from a suggested and non-random SSH login passphrase for High Availability (HA) cluster initialization that remains active even after the HA establishment process completed, thereby exposing an account with privileged access if SSH is enabled.
- CVE-2024-12729 (CVSS score: 8.8) – A post-auth code injection vulnerability in the User Portal that allows authenticated users to gain remote code execution.
The security vendor said CVE-2024-12727 impacts about 0.05% of devices, whereas CVE-2024-12728 affects approximately 0.5% of them. All three identified vulnerabilities impact Sophos Firewall versions 21.0 GA (21.0.0) and older. It has been remediated in the following versions –
- CVE-2024-12727 – v21 MR1 and newer (Hotfixes for v21 GA, v20 GA, v20 MR1, v20 MR2, v20 MR3, v19.5 MR3, v19.5 MR4, v19.0 MR2)
- CVE-2024-12728 – v20 MR3, v21 MR1 and newer (Hotfixes for v21 GA, v20 GA, v20 MR1, v19.5 GA, v19.5 MR1, v19.5 MR2, v19.5 MR3, v19.5 MR4, v19.0 MR2, v20 MR2)
- CVE-2024-12729 – v21 MR1 and newer (Hotfixes for v21 GA, v20 GA, v20 MR1, v20 MR2, v19.5 GA, v19.5 MR1, v19.5 MR2, v19.5 MR3, v19.5 MR4, v19.0 MR2, v19.0 MR3)
To ensure that the hotfixes have been applied, users are being recommended to follow the below-mentioned steps –
- CVE-2024-12727 – Launch Device Management > Advanced Shell from the Sophos Firewall console, and run the command “cat /conf/nest_hotfix_status” (The hotfix is applied if the value is 320 or above)
- CVE-2024-12728 and CVE-2024-12729 – Launch Device Console from the Sophos Firewall console, and run the command “system diagnostic show version-info” (The hotfix is applied if the value is HF120424.1 or later)
As temporary workarounds until the patches can be applied, Sophos is urging customers to restrict SSH access to only the dedicated HA link that is physically separate, and/or reconfigure HA using a sufficiently long and random custom passphrase.
Another security measure that users can take is to disable WAN access via SSH, as well as ensure that User Portal and Webadmin are not exposed to WAN.
The development comes a little over a week after the U.S. government unsealed charges against a Chinese national named Guan Tianfeng for allegedly exploiting a zero-day security vulnerability (CVE-2020-12271, CVSS score: 9.8) to break into about 81,000 Sophos firewalls across the world.
