Vulnerability in Sophos firewall
This live blog contains information regarding a vulnerability in Sophos firewalls. As soon as we have an update, we’ll add it to this post. More information about possible risks and details can be found at the bottom of this blog. Last updated on March 28, 2022.

T-Update
Update March 28, 2022
12:00 | Recently, a critical vulnerability in Sophos firewalls was published which allows remote code execution (RCE). The vulnerability is present in the user portal and web admin interfaces of Sophos firewalls. It has been assigned the CVE reference CVE-2022-1040 and affects firewall versions v18.5 MR3 (18.5.3) and older.
We advise users to investigate if their systems are vulnerable, and if so, to update the systems as soon as possible.
Background
The vulnerability CVE-2022-1040 has a CVSS score of 9.8. The CVSS scale runs from 0 to 10; a score of 9.8 or higher is rare and is usually reserved for vulnerabilities that combine a high likelihood of exploitation with a high impact. This vulnerability allows an attacker to send crafted requests directly to the system and run arbitrary code on it. Successful exploitation can allow the attacker to take over the system completely. The vulnerability was reported via the Sophos bug bounty program by an external security researcher and has since been resolved by Sophos.
Risk
Sophos firewall versions v18.5 MR3 (18.5.3) and older are vulnerable. Sophos has created a page with more information to help verify whether the hotfix has been applied. Sophos advises its customers to apply the hotfixes immediately. Customers who use the setting ‘Allow automatic installation of hotfixes’ do not need to perform any manual actions.
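For teams that keep an inventory of firewall versions, a small triage helper makes the “v18.5 MR3 (18.5.3) and older” boundary explicit. The following is an added example, not Sophos tooling or code from this blog: it parses the version formats seen in the advisory (`18.5.3`, `v18.5 MR3`) and compares them against the last affected release as a tuple. The inventory entries are constructed, and because the hotfix is not reflected in the version string, a version at or below 18.5.3 is reported as needing the hotfix check Sophos describes, not as confirmed unpatched.

```python
import re
from typing import Dict, List, Optional, Tuple

# From the advisory: CVE-2022-1040 affects Sophos Firewall v18.5 MR3 (18.5.3) and older.
# Represented as (major, minor, maintenance-release) so tuples compare naturally.
LAST_AFFECTED: Tuple[int, int, int] = (18, 5, 3)

# Accepts "18.5.3", "v18.5 MR3", "18.5 MR-3" and a bare "18.5" (treated as MR0, i.e. GA).
_VERSION_RE = re.compile(
    r"v?(?P<major>\d+)\.(?P<minor>\d+)"
    r"(?:\s*MR[-\s]*(?P<mr>\d+)|\.(?P<patch>\d+))?",
    re.IGNORECASE,
)


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Parse a Sophos Firewall version string into (major, minor, mr); None if unparseable."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    third = m.group("mr") or m.group("patch") or "0"
    return (int(m.group("major")), int(m.group("minor")), int(third))


def is_affected(version_text: str) -> Optional[bool]:
    """True if the version is 18.5.3 or older (hotfix status must still be verified),
    False if it is newer than the affected range, None if the string cannot be parsed."""
    version = parse_version(version_text)
    if version is None:
        return None
    return version <= LAST_AFFECTED


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Bucket (hostname, version) pairs for follow-up.

    'check_hotfix': in the affected range, confirm the hotfix via Sophos' verification page
    'outside_range': newer than 18.5.3 according to the advisory's boundary
    'unknown': version string could not be parsed and needs a manual look
    """
    result: Dict[str, List[str]] = {"check_hotfix": [], "outside_range": [], "unknown": []}
    for host, version_text in inventory:
        status = is_affected(version_text)
        if status is None:
            result["unknown"].append(host)
        elif status:
            result["check_hotfix"].append(host)
        else:
            result["outside_range"].append(host)
    return result


# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("fw-branch-01", "v18.5 MR3 (18.5.3)"),
    ("fw-branch-02", "18.5 MR-4"),
    ("fw-legacy-01", "17.5 MR17"),
    ("fw-hq-01", "19.0.0"),
    ("fw-lab-01", "unknown build"),
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

The tuple comparison is what keeps the boundary honest: `18.5 MR4` parses to `(18, 5, 4)` and falls outside the range, while `17.5 MR17` parses to `(17, 5, 17)` and is flagged, which is the behaviour a naive string comparison would get wrong.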
Workaround
As a workaround, Sophos advises disabling external access to both the user portal and the web admin interface. Sophos refers to its best practices regarding access to these interfaces. Additionally, it advises users to perform remote administration only via Sophos Central or a VPN connection.
Advice
Sources