
Malicious Actors Exploit Zero-Day RCE Bug in Sophos Firewall

The vulnerability was spotted in the User Portal and Webadmin of Sophos Firewall.


Sophos, a security software and hardware vendor, has published a patch for its firewall product after identifying that hackers were exploiting a new critical zero-day vulnerability to target its users' networks.

The vulnerability, tracked as CVE-2022-3236, was spotted in the User Portal and Webadmin of Sophos Firewall; its exploitation can lead to remote code execution (RCE).

“A code injection vulnerability allowing remote code execution was discovered in the User Portal and Webadmin of Sophos Firewall. The vulnerability has been fixed,” the company stated. “Sophos has observed this vulnerability being used to target a small set of specific organizations, primarily in the South Asia region. We have informed each of these organizations directly. Sophos will provide further details as we continue to investigate.” 

The company says it has released hotfixes for the Sophos Firewall versions affected by this security bug (v19.0 MR1 (19.0.1) and older). The hotfixes roll out automatically to all instances, since automatic updates are enabled by default.

The firm fixed the vulnerability with hotfixes for Firewall v19.0 MR1 (19.0.1) and older, and also offered a workaround: customers should not expose the User Portal and Webadmin to the WAN, and should disable WAN access to both interfaces. The company also recommended using VPN and/or Sophos Central (preferred) for remote access and management.

"Disable WAN access to the User Portal and Webadmin by following device access best practices and instead use VPN and/or Sophos Central (preferred) for remote access and management," the company added. 
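The two actionable points in the advisory above are a patch-level check (v19.0 MR1 (19.0.1) and older need the hotfix) and an exposure check (User Portal and Webadmin must not be reachable from the WAN). The following script is an added example, not Sophos code or anything from the original article: it triages a constructed firewall inventory against both conditions. The inventory fields `hotfix_applied`, `wan_user_portal` and `wan_webadmin` are assumptions about what an asset register might record; the version ceilings come from the article itself (19.0.1 for CVE-2022-3236 and 18.5.3 for CVE-2022-1040, the earlier bug discussed further down).

```python
import re
from dataclasses import dataclass

# Affected ranges as stated in the article: CVE-2022-3236 affects v19.0 MR1
# (19.0.1) and older; CVE-2022-1040 affected 18.5 MR3 (18.5.3) and older.
AFFECTED_UP_TO = {
    "CVE-2022-3236": (19, 0, 1),
    "CVE-2022-1040": (18, 5, 3),
}


def parse_version(text):
    """Turn a Sophos Firewall version string such as 'v19.0 MR1 (19.0.1)' or
    '18.5.3' into a comparable (major, minor, patch) tuple.  The dotted
    numeric form in parentheses is preferred when both forms are present."""
    m = re.search(r"\((\d+)\.(\d+)\.(\d+)\)", text)
    if m is None:
        m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) for g in m.groups())


@dataclass
class Firewall:
    """One row of a constructed asset inventory (assumed fields, not a Sophos API)."""
    name: str
    version: str
    hotfix_applied: bool   # assumed: latest vendor hotfixes are installed
    wan_user_portal: bool  # assumed: User Portal reachable from the WAN zone
    wan_webadmin: bool     # assumed: Webadmin reachable from the WAN zone


def assess(fw):
    """Return a list of findings for one firewall: unpatched affected versions
    plus any WAN exposure of the two interfaces named in the advisory."""
    findings = []
    version = parse_version(fw.version)
    for cve, ceiling in AFFECTED_UP_TO.items():
        # Tuple comparison handles 18.5.3 < 19.0.1 < 19.5.0 correctly.
        if version <= ceiling and not fw.hotfix_applied:
            findings.append(f"{cve}: version {fw.version} is in the affected range "
                            f"and no hotfix is recorded")
    if fw.wan_user_portal:
        findings.append("User Portal is exposed to WAN; disable it and use VPN "
                        "or Sophos Central for remote access")
    if fw.wan_webadmin:
        findings.append("Webadmin is exposed to WAN; disable it and use VPN "
                        "or Sophos Central for management")
    return findings


def triage(inventory):
    """Map each firewall name to its findings, skipping devices with none."""
    report = {}
    for fw in inventory:
        findings = assess(fw)
        if findings:
            report[fw.name] = findings
    return report


# Constructed sample inventory for demonstration only.
SAMPLE_INVENTORY = [
    Firewall("fw-branch", "v19.0 MR1 (19.0.1)", hotfix_applied=False,
             wan_user_portal=True, wan_webadmin=False),
    Firewall("fw-hq", "19.0.1", hotfix_applied=True,
             wan_user_portal=False, wan_webadmin=False),
    Firewall("fw-legacy", "v18.5 MR3 (18.5.3)", hotfix_applied=False,
             wan_user_portal=False, wan_webadmin=True),
    Firewall("fw-lab", "19.5.0", hotfix_applied=False,
             wan_user_portal=False, wan_webadmin=False),
]

if __name__ == "__main__":
    for name, findings in triage(SAMPLE_INVENTORY).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Devices at 19.5.0 are not flagged for either CVE because they sit above both ceilings, while an 18.5.3 device without the hotfix is flagged for both, which matches the article's description of the earlier bug's affected range.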

Earlier this year, in March, Sophos fixed an identical critical vulnerability, tracked as CVE-2022-1040, in the User Portal and Webadmin areas of Sophos Firewall. That vulnerability received a CVSS score of 9.8 and affected Firewall versions 18.5 MR3 (18.5.3) and older. It was reported to the security firm by an anonymous threat analyst via its bug bounty program.

A remote attacker with access to the Firewall's User Portal or Webadmin interface could exploit that vulnerability to bypass authentication and execute arbitrary code, and it was used to target multiple organizations.

Volexity researchers investigated the vulnerability and disclosed that a Chinese APT group they track as DriftingCloud had been exploiting CVE-2022-1040 since early March, a little over three weeks before Sophos issued a patch. The hackers employed a zero-day exploit to drop a web shell backdoor and target the customer's staff.