Over 4,000 Sophos Firewall devices vulnerable to RCE attacks

Over 4,000 Sophos Firewall devices exposed to Internet access are vulnerable to attacks targeting a critical remote code execution (RCE) vulnerability.

Sophos disclosed this code injection flaw (CVE-2022-3236) found in the User Portal and Webadmin of Sophos Firewall in September and also released hotfixes for multiple Sophos Firewall versions (official fixes were issued three months later, in December 2022).

The company also warned the RCE bug was being exploited in the wild in attacks against organizations from South Asia.

The September hotfixes rolled out to all affected instances (v19.0 MR1 (19.0.1) and older) since automatic updates are enabled by default — unless an administrator disabled the option.

Sophos Firewall instances running older product versions had to be upgraded manually to a supported version to receive the CVE-2022-3236 hotfix automatically.

Admins who cannot patch the vulnerable software can remove the attack surface by disabling WAN access to the User Portal and Webadmin.

Thousands of devices are still vulnerable

While scanning the Internet for Sophos Firewall devices, VulnCheck vulnerability researcher Jacob Baines found that out of more than 88,000 instances, around 6% or more than 4,000 are running versions that haven’t received a hotfix and are vulnerable to CVE-2022-3236 attacks.

“More than 99% of internet-facing Sophos Firewalls haven’t upgraded to versions containing the official fix for CVE-2022-3236,” Baines said.

Luckily, despite already being exploited as a zero-day, a CVE-2022-3236 proof-of-concept exploit is yet to be published online.

However, Baines was able to reproduce the exploit from technical information shared by Trend Micro’s Zero Day Initiative (ZDI), so it is likely that threat actors will soon be able to.

When and if this happens, that will most likely lead to a new wave of attacks as soon as threat actors create a fully working version of the exploit and add it to their tool set.

Baines also added that mass exploitation would likely be hindered by Sophos Firewall requiring web clients by default “to solve a captcha during authentication.”

To workaround this limitation and reach the vulnerable code, attackers must include an automated CAPTCHA solver.

Sophos Firewall CAPTCHA challenge
Sophos Firewall CAPTCHA challenge (Jacob Baines)

​Sophos Firewall bugs previously targeted in attacks

Patching Sophos Firewall bugs is critically important, given that this wouldn’t be the first time such a vulnerability is exploited in the wild.

In March 2022, Sophos patched a similar critical Sophos Firewall bug (CVE-2022-1040) in the User Portal and Webadmin modules that enabled authentication bypass and arbitrary code execution attacks.

It was also exploited in attacks as a zero-day since early March (roughly three weeks before Sophos released patches) against South Asian organizations by a Chinese threat group tracked as DriftingCloud.

A zero-day in XG Firewall SQL injection was also abused by threat actors starting in early 2020 to steal sensitive data such as usernames and passwords using the Asnarök trojan malware.

The same zero-day was exploited to deliver Ragnarok ransomware payloads onto Windows enterprise networks.

Source: BleepingComputer, VulnCheck