Sophos Firewall Vulnerabilities Let Attackers Execute Remote Code


Sophos, a leading cybersecurity firm, recently announced the resolution of three critical security vulnerabilities in its Sophos Firewall product. These vulnerabilities could potentially allow attackers to execute remote code on affected systems.

These vulnerabilities, identified as CVE-2024-12727, CVE-2024-12728, and CVE-2024-12729, pose significant risks to organizations relying on Sophos Firewall for network security.

CVE-2024-12727: A pre-authentication SQL injection vulnerability in the email protection feature of the Sophos Firewall. If exploited, it could grant attackers access to the reporting database and enable remote code execution under specific conditions, such as when the Secure PDF Exchange (SPX) feature is enabled and the firewall operates in High Availability (HA) mode.

This issue affects approximately 0.05% of devices and was responsibly disclosed by an external security researcher through Sophos’s bug bounty program.

CVE-2024-12728: This vulnerability involves the reuse of a suggested and non-random SSH login passphrase after the HA establishment process, potentially exposing privileged system accounts if SSH is enabled. It impacts about 0.5% of devices and was discovered during Sophos’s internal security testing.


CVE-2024-12729: A post-authentication code injection vulnerability in the User Portal allows authenticated users to execute arbitrary code. This issue was also responsibly disclosed by an external researcher.

Sophos has released hotfixes for these vulnerabilities, which are automatically applied to devices with the “Allow automatic installation of hotfixes” feature enabled. For those not using this feature, manual updates are necessary:

  • CVE-2024-12727: Hotfixes were released on December 17, 2024, for various versions, with fixes included in v21 MR1 and newer.
  • CVE-2024-12728: Hotfixes were published on November 26 and 27, 2024, with fixes included in v20 MR3, v21 MR1, and newer.
  • CVE-2024-12729: Hotfixes were released on December 4, 5, and 10, 2024, with fixes included in v21 MR1 and newer.
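The release thresholds above can be turned into a quick inventory check. The following is an added example, not Sophos code: it parses version strings in the "vNN MRk" form used in this article (a GA release with no MR suffix is assumed to be MR0, and a major branch newer than any listed is assumed to carry the fix) and reports which of the three CVEs a given release does not include a fix for. It cannot see whether a hotfix was applied to an older release, since hotfixes do not change the version string.

```python
"""Check a Sophos Firewall release against the fixed-release thresholds
stated in the advisory summary (added example, not Sophos code)."""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int]  # (major release, maintenance release)

# First fixed maintenance release per major branch, as listed in the article.
# A branch absent from a CVE's map has no fixed release on that branch
# (only a hotfix, which this check cannot detect).
FIXED_IN: Dict[str, Dict[int, int]] = {
    "CVE-2024-12727": {21: 1},
    "CVE-2024-12728": {20: 3, 21: 1},
    "CVE-2024-12729": {21: 1},
}

# Accepts "v21 MR1", "21 MR-3", "v21" (assumption: this loose form is enough).
_VERSION_RE = re.compile(r"^\s*v?(\d+)(?:\s*MR\s*-?\s*(\d+))?\s*$", re.IGNORECASE)


def parse_version(text: str) -> Version:
    """Parse "v21 MR1" -> (21, 1); a bare "v21" (GA) is treated as MR0."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major = int(m.group(1))
    mr = int(m.group(2)) if m.group(2) else 0
    return (major, mr)


def is_fixed(cve: str, version: Version) -> bool:
    """True when the release line contains the fix ("... and newer")."""
    major, mr = version
    branches = FIXED_IN[cve]
    if major in branches:
        return mr >= branches[major]
    # Assumption: a major branch newer than any listed carries the fix;
    # an older branch with no listed fixed release is reported as unfixed.
    return major > max(branches)


def unfixed_cves(version_text: str) -> List[str]:
    """CVEs from the advisory whose fix is not part of this release."""
    version = parse_version(version_text)
    return [cve for cve in FIXED_IN if not is_fixed(cve, version)]


if __name__ == "__main__":
    for release in ("v21 MR1", "v20 MR3", "v21", "v19 MR2"):
        print(release, "->", unfixed_cves(release) or "all fixes included")
```

A release that shows up as unfixed may still be protected by an automatically installed hotfix; confirm hotfix status on the device rather than from the version alone.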

For organizations unable to update immediately, Sophos provides interim workarounds:

  • For CVE-2024-12728: Restrict SSH access to dedicated HA links and use long, random passphrases for HA configuration.
  • For CVE-2024-12729: Disable WAN access to the User Portal and WebAdmin interfaces, and use VPN or Sophos Central for remote management instead.

Sophos has not observed these vulnerabilities being exploited in the wild; however, the company emphasizes the importance of applying updates and following recommended mitigations to prevent potential future attacks.

Organizations are urged to ensure their Sophos Firewall is up to date to mitigate these critical vulnerabilities effectively.


