Patch released to address Zero-Day RCE vulnerability in Sophos Firewall
Sophos, a security software company, has disclosed a new critical zero-day vulnerability in its firewall product. Attackers were exploiting the vulnerability to attack customer networks. The product’s User Portal and Webadmin contain a code injection vulnerability that allows remote code execution.
So far the company has observed the vulnerability being used to target a small group of organizations in the South Asian region. A notification was sent to hardware and software vendors.
Customers running remediated versions of Sophos Firewall who have enabled the “Allow automatic installation of hotfixes” feature do not need to take any action. Sophos says it will continue investigating this issue and provide further details.
Who is Sophos?
Sophos is a British security software and hardware company; it tracked the flaw in its Firewall product. The company creates products for endpoint, encryption, network security, and unified threat management. It mainly provides security software to enterprises of 1 to 5,000 seats.
What vulnerability was found?
Sophos Firewall versions 19.0 and older are vulnerable to attack via CVE-2022-3236 through the User Portal or WebAdmin. The CVSS severity score has been issued; Sophos said the flaw allows remote code execution and considers it critical.
Furthermore, the company said, “They have discovered this vulnerability being used to attack a small portion of enterprises, mainly in the South Asian region.”
Sophos released a hotfix for supported versions (v17.0 through v19.0) and published a workaround: disable WAN access to WebAdmin and the User Portal.
How can you be secured?
As a workaround, Sophos suggests that users ensure the User Portal and Webadmin are not exposed to the WAN. Users should also upgrade to a current version to receive the appropriate fixes. This is the second time in a year that a Sophos Firewall vulnerability has come under active attack: in March, another vulnerability (CVE-2022-1040) was exploited to attack South Asian organizations.
In June 2022, cybersecurity firm Volexity linked that campaign to a Chinese advanced persistent threat (APT) group it calls DriftingCloud. There has also been an attempt to exfiltrate sensitive information from Sophos firewall appliances using a trojan called Asnarök.
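To turn the guidance above into a repeatable check, here is an added triage script (not code from Sophos or from this page) that applies the page’s facts to a constructed firewall inventory: versions 19.0 and older are affected, the hotfix covers v17.0 through v19.0, auto-hotfix installation means no action, and WebAdmin or User Portal exposure on the WAN calls for the workaround. The inventory format and its field names are assumptions.

```python
"""Triage Sophos Firewall inventory records against the CVE-2022-3236 guidance."""
import re

# Hotfixed, supported range per the advisory; anything <= 19.0 is affected.
HOTFIX_MIN, HOTFIX_MAX = (17, 0), (19, 0)


def parse_version(s):
    """'v19.0 MR1' -> (19, 0); maintenance-release suffixes are ignored (assumption)."""
    m = re.match(r"v?(\d+)\.(\d+)", s.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {s!r}")
    return int(m.group(1)), int(m.group(2))


def triage(appliance):
    """Return (priority, action) for one record; field names are assumed."""
    ver = parse_version(appliance["version"])
    affected = ver <= HOTFIX_MAX
    exposed = appliance.get("wan_admin_exposed", False)
    actions = []
    if affected and ver < HOTFIX_MIN:
        actions.append("unsupported release with no hotfix: upgrade to a fixed version")
    elif affected and not appliance.get("auto_hotfix", False):
        actions.append("auto-hotfix disabled: verify the CVE-2022-3236 hotfix is installed")
    if exposed:  # workaround applies regardless of version as admin-surface hygiene
        actions.append("disable WAN access to WebAdmin and the User Portal")
    if not actions:
        return "ok", "no action required"
    prio = "critical" if affected and exposed else "high" if affected else "medium"
    return prio, "; ".join(actions)


INVENTORY = [  # constructed sample records
    {"name": "fw-hq",     "version": "v19.0 MR1", "auto_hotfix": True,  "wan_admin_exposed": False},
    {"name": "fw-branch", "version": "v18.5",     "auto_hotfix": False, "wan_admin_exposed": True},
    {"name": "fw-legacy", "version": "v16.5",     "auto_hotfix": True,  "wan_admin_exposed": False},
    {"name": "fw-new",    "version": "v19.5",     "auto_hotfix": False, "wan_admin_exposed": True},
]


def report(inventory=INVENTORY):
    """Map appliance name -> (priority, action)."""
    return {a["name"]: triage(a) for a in inventory}


if __name__ == "__main__":
    for name, (prio, action) in report().items():
        print(f"{prio:8} {name}: {action}")
```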
A more proactive approach
Organizations should look for these vulnerabilities and remediate them as a permanent solution. TAC Security’s ESOF VMDR platform includes a vulnerability scanner that continuously scans assets and detects their vulnerabilities, threats and risks, allowing forward-looking organizations to perform vulnerability analysis of every asset in their entire IT stack.
TAC Security’s ESOF VMDR helps protect your complete IT estate:
- Explore the risks and get to know the cyber risk score.
- Know your top 5 vulnerabilities and business units.
- A one-click notification lets you know if there are possible zero-day vulnerabilities associated with your asset.
- Examine vulnerabilities and protect assets from malicious activity.
- With ESOF VMDR, you can protect all files downloaded across the organization in real-time.
It’s your security. Make sure to take control of it.