Sophos warns of new firewall RCE bug exploited in attacks

Sophos warned today that a critical code injection security vulnerability in the company’s Firewall product is being exploited in the wild.

“Sophos has observed this vulnerability being used to target a small set of specific organizations, primarily in the South Asia region,” the security software and hardware vendor warned.

“We have informed each of these organizations directly. Sophos will provide further details as we continue to investigate.”

Tracked as CVE-2022-3236, the flaw was found in the User Portal and Webadmin of Sophos Firewall, allowing attackers to code execution (RCE).

The company says it has released hotfixes for Sophos Firewall versions affected by this security bug (v19.0 MR1 (19.0.1) and older) that will roll out automatically to all instances since automatic updates are enabled by default.

“No action is required for Sophos Firewall customers with the ‘Allow automatic installation of hotfixes’ feature enabled on remediated versions (see Remediation section below). Enabled is the default setting,” Sophos explained. 

However, the company added that users of older versions of Sophos Firewall would have to upgrade to a supported version to receive the CVE-2022-3236 patch.

It also provides detailed info on enabling the automatic hotfix installation feature and checking if the hotfix was successfully installed.

Sophos also provides a workaround for customers who cannot immediately patch the vulnerable software that will require them to ensure that the firewall’s User Portal and Webadmin are not exposed to WAN access.

“Disable WAN access to the User Portal and Webadmin by following device access best practices and instead use VPN and/or Sophos Central (preferred) for remote access and management,” the company added.

Sophos Firewall flaws previously targeted in attacks

Patching your Sophos Firewall bugs is critically important, especially since this is not the first such flaw exploited in the wild.

For instance, Sophos patched a similar critical Sophos Firewall bug (CVE-2022-1040) in March, discovered in the User Portal and Webadmin, letting threat actors bypass authentication and execute arbitrary code. 

Just as CVE-2022-3236, it was also exploited in attacks mainly focused on organizations from South Asia. As Volexity later found, a Chinese threat group tracked as DriftingCloud exploited CVE-2022-1040 as a zero-day since early March, roughly three weeks before Sophos released patches.

DriftingCloud APT exploiting zero-day bug in Sophos Firewall
DriftingCloud APT exploiting zero-day bug in Sophos Firewall (Volexity)

Threat actors have also abused an XG Firewall SQL injection zero-day starting early 2020 with the goal of stealing sensitive data such as usernames and passwords.

As part of attacks where the zero-day was used, Asnarök trojan malware exploited it to try and steal firewall credentials from vulnerable XG Firewall instances.

The same zero-day was exploited to push Ragnarok ransomware payloads onto Windows enterprise networks.

Leave a Comment