Sophos has patched a significant flaw in its Sophos Firewall product that lets remote code execution (RCE). The authentication bypass vulnerability is tracked as CVE-2022-1040, and it appears in Sophos Firewall’s User Portal and Webadmin sections.
On Friday, Sophos published hotfixes for a significant remote code execution vulnerability that affected Sophos Firewall versions 18.5 MR3 (18.5.3) and earlier. The weakness, CVE-2022-1040 (CVSS score of 9.8), allows a remote attacker with access to the Firewall’s User Portal or Webadmin interface to circumvent authentication and execute arbitrary code.
An unknown external security researcher properly disclosed the weakness to Sophos via the company’s bug bounty program. Sophos published hotfixes to remedy the problem, which should reach most cases automatically by default. “There is no action required for Sophos Firewall customers with the ‘Allow automatic installation of hotfixes’ feature enabled. Enabled is the default setting,” clarifies Sophos in its security advisory.
According to the security advice, some older versions and end-of-life products may require human intervention (need to be handled manually). As a general solution to the flaw, customers are advised to safeguard their User Portal and Webadmin interfaces:
“Customers can protect themselves from external attackers by ensuring their User Portal and Webadmin are not exposed to WAN,” as per the advisory. “Disable WAN access to the User Portal and Webadmin by following device access best practices and instead use VPN and/or Sophos Central for remote access and management.” Recently, Sophos also fixed two ‘High’ severity flaws (CVE-2022-0386 and CVE-2022-0652) affecting the Sophos UTM (Unified Threat Management) appliances.
Given that attackers have previously targeted weak Sophos Firewall instances, it is critical to ensure that your Sophos Firewall instances regularly receive the latest security updates and hotfixes. Users of Sophos Firewall should make sure their products are up to date. The Sophos Support page outlines how to activate automated hotfix installation and check if the hotfix for the CVE-2022-1040 patch was correctly installed. When automated hotfix installation is set, Sophos Firewall scans for hotfixes every thirty minutes and after a restart.
