Sophos was forced to backport a security update for CVE-2022-3236 for end-of-life (EOL) firewall firmware versions after discovering hackers actively exploiting the flaw in attacks.
The flaw is a code injection problem in the User Portal and Webadmin of Sophos Firewall, allowing remote code execution.
Sophos fixed the security issue in September 2022 when it warned about active exploitation in the wild, impacting versions 19.0.1 and older.
Although the hotfix was automatically rolled out to appliances set to auto-accept security updates by the vendor, by January 2023, over 4,000 internet-exposed appliances remained vulnerable to attacks.
Many of these appliances were older devices running end-of-life firmware that had to apply mitigations or manually apply the hotfix, and hackers have taken advantage of this gap.
“In December 2023, we delivered an updated fix after identifying new exploit attempts against this same vulnerability in older, unsupported versions of the Sophos Firewall,” reads the updated security bulletin.
“We immediately developed a patch for certain EOL firmware versions, which was automatically applied to the 99% of affected organizations that have ‘accept hotfix’ turned on.”
“Attackers commonly hunt for EOL devices and firmware from any technology vendor, so we strongly recommend that organizations upgrade their EOL devices and firmware to the latest versions.”
If the auto-update option for hotfixes has been disabled, it is recommended to enable it and then follow this guide to verify that the hotfix has been applied.
Alternatively, manually update to one of the following versions of Sophos Firewall, which address CVE-2022-3236:
- v19.0 GA, MR1, and MR1-1
- v18.5 GA, MR1, MR1-1, MR2, MR3, and MR4
- v18.0 MR3, MR4, MR5, and MR6
- v17.5 MR12, MR13, MR14, MR15, MR16, and MR17
- v17.0 MR10
- v19.0 GA, MR1, and MR1-1
- v18.5 GA, MR1, MR1-1, MR2, MR3, and MR4
- v17.0 MR10
If you are using an even older version of the Sophos Firewall, you are advised to upgrade to one of the releases listed above.
For cases where updating is impossible, the recommended workaround is to restrict WAN access to the User Portal and Webadmin by following these instructions and instead use VPN or Sophos Central for remote access and management.