More than 4,000 Sophos firewall devices exposed to the Internet are affected by a critical vulnerability that allows attackers to run malicious code on the target device.
This code injection vulnerability, tracked as CVE-2022-3236, was detected and patched by security software provider Sophos in September. The company revealed at the time that the flaw was being exploited by miscreants to target a small group of select organizations, mostly in the South Asian region.
CVE-2022-3236 has a severity rating of 9.8 out of 10 and affects the User Portal and Webadmin components of Sophos Firewall on versions 19.0 MR1 (19.0.1) and earlier.
If successfully exploited, the bug enables remote code execution (RCE) on affected installations.
When Sophos disclosed the bug in September, it released hotfixes for multiple versions of Sophos Firewall. Three months later, in December 2022, Sophos announced official fixes for the defect. The company advised users of older versions of Sophos Firewall to update their software to receive the latest security protections.
According to a new analysis by security firm VulnCheck, more than 4,000 Internet-facing Sophos Firewall instances are still subject to CVE-2022-3236. This makes up about 6% of all Sophos firewalls, VulnCheck said, citing Shodan data.
According to VulnCheck researcher Jacob Baines, more than 99% of Sophos Internet-facing firewalls have not yet been updated to versions that contain the official patch of CVE-2022-3236. Of all firewall users, 93% use versions that qualify for a hotfix, and the default firewall setting is to automatically download and install hotfixes – unless disabled by your administrator.
“Almost all servers eligible for a hotfix likely received one, though bugs did occur. That still leaves more than 4,000 firewalls (or about 6% of Sophos Internet-facing firewalls) running versions that don’t receive a hotfix. So they are at risk.”
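As an added example (not code from the article, Sophos or VulnCheck), the inventory check below flags version strings that fall in the range stated above, 19.0 MR1 (19.0.1) and earlier, accepting both notations the article uses for the same release; the hostnames and the reading of a bare "19.0" as the GA build are assumptions. It reports version-range exposure only: as the VulnCheck figures above show, a device in range may already carry the September hotfix, and the version string does not reveal that.

```python
import re
from typing import Dict, Optional, Tuple

# Last affected release as stated in the article: 19.0 MR1, i.e. 19.0.1.
LAST_AFFECTED = (19, 0, 1)

# Accepts "19.0.1", "19.0 MR1" and a bare "19.0" (assumed here to mean the
# GA build, i.e. 19.0.0; that mapping is an assumption, not from the article).
_VERSION_RE = re.compile(
    r"^\s*v?(?P<major>\d+)\.(?P<minor>\d+)"
    r"(?:\.(?P<patch>\d+)|\s*MR(?P<mr>\d+))?\s*$",
    re.IGNORECASE,
)

def parse_sophos_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Normalise either Sophos notation to a comparable (major, minor, mr) tuple.
    Returns None for unrecognisable strings so they are reported, not treated as safe."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    third = m.group("patch") if m.group("patch") is not None else m.group("mr")
    return (int(m.group("major")), int(m.group("minor")), int(third or 0))

def is_affected(version: str) -> Optional[bool]:
    """True if the version is 19.0 MR1 (19.0.1) or earlier, None if unparseable.
    Version-range exposure only: an in-range device may still have received
    the September hotfix, which the version string does not show."""
    parsed = parse_sophos_version(version)
    return None if parsed is None else parsed <= LAST_AFFECTED

def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Label each host in an inventory (hostname -> version string)."""
    labels = {}
    for host, version in inventory.items():
        hit = is_affected(version)
        labels[host] = "unknown" if hit is None else ("affected" if hit else "not affected")
    return labels

if __name__ == "__main__":
    # Constructed sample inventory, not real device data.
    sample = {"fw-edge-01": "19.0 MR1", "fw-edge-02": "19.5.1",
              "fw-lab": "18.5 MR4", "fw-old": "n/a"}
    for host, label in triage(sample).items():
        print(f"{host}: {label}")
```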
Fortunately, no proof-of-concept exploit for CVE-2022-3236 has been published online yet, even though the vulnerability has already been exploited as a zero-day.
Baines said he was able to recreate a working exploit using technical details published by Trend Micro’s Zero Day Initiative (ZDI), making it likely that others could do the same soon.
If the exploit code becomes available, it will almost certainly lead to a new round of attacks.
Baines advised Sophos firewall customers to keep their firewalls patched. He added that Sophos Firewall’s default requirement for web clients to complete a CAPTCHA during authentication may prevent widespread exploitation of the vulnerability.
Attackers would need to include an automated CAPTCHA solver to bypass this restriction and gain access to the vulnerable code. “A failed CAPTCHA will result in a failed exploit,” he said.
Although this is not impossible, most attackers find it difficult to solve CAPTCHAs programmatically.
Patching Sophos firewall vulnerabilities is vital, since this isn’t the first time such a vulnerability has been exploited in the wild.
In March 2022, Sophos released a fix for a major security vulnerability in the User Portal and Webadmin modules of Sophos Firewall that allowed authentication bypass and arbitrary code execution attacks.
The bug, tracked as CVE-2022-1040, was used to target several entities in South Asia.
At least three Chinese state-backed groups have used this vulnerability to gain unauthorized initial access to victims’ networks.
In its own analysis published in June, Sophos said that at least two advanced persistent threat groups exploited CVE-2022-1040 before the company could provide a fix for the vulnerability.