Sophos Patches Critical RCE Bug Exploited in the WildTargets Are a Small Set of Specific Organizations Primarily in South Asia
Sophos says it has provided a fix to a critical RCE bug known to be actively exploited primarily in South Asia. Sophos says no action is required by its Firewall customers if the "Allow automatic installation of hotfixes" feature is enabled. Although this feature is enabled by default, versions close to their end of life receive hotfixes that need manual configuration.
The vulnerability, which is now tracked as CVE-2022-1040, has a CVSS rating of 9.8 and was reported to Sophos responsibly by an unnamed external security researcher through its bug bounty program, Sophos says in its security advisory.
The bug is an authentication bypass vulnerability in the User Portal and Webadmin of Sophos Firewall and allows a remote attacker to execute code in all of its versions prior to v18.5 MR3 (18.5.3).
Sophos did not mention the names of the organizations that were targeted, but with a high confidence disclosed the region to which they belong. "Sophos has observed this vulnerability being used to target a small set of specific organizations primarily in the South Asia region. We have informed each of these organizations directly. Sophos will provide further details as we continue to investigate," it says in the advisory.
Because the vulnerability is severe and has been disclosed in the open by Sophos, several CERTs and cyber agencies in Europe have issued alerts to check and patch the CVE-2022-1040 vulnerability manually, based on the current version installed.
Sophos has plugged a critical vulnerability in its firewall product, which could allow remote code-execution.https://t.co/hnQcppL6Zp#cyberprotect #cybersecurity #cyber #security #infosec #technews #sophos #firewall #rce #vulnerability pic.twitter.com/MWsSBEsZlF— NE Cyber Crime Unit (@nerccu) March 29, 2022
The Australian Cyber Security Center issued an alert today, asking Australian organizations to apply the necessary patches at the earliest opportunity as a precautionary measure. ACSC also confirmed that attempts at exploitation were made, but no successful incidents have yet been reported. The security alert has a "high" alert status.
❗ ALERT ❗ A vulnerability has been identified in Sophos Firewall prior to version 18.5 which could allow a malicious cyber actor to perform remote code execution. ACSC recommends affected Australian organisations apply the available patch. Advice at https://t.co/D1YDfrsMWx pic.twitter.com/1a9WnXzE13— Australian Cyber Security Centre (@CyberGovAU) March 30, 2022
The ACSC says that it "is monitoring the situation and is able to provide assistance or advice as required."
Fixes and Workarounds
The following are the hotfixes and corresponding versions - supported and unsupported - issued by Sophos:
- Hotfixes for v17.0 MR10 EAL4+, v17.5 MR16 and MR17, v18.0 MR5(-1) and MR6, v18.5 MR1 and MR2, and v19.0 EAP - published on March 23;
- Hotfixes for unsupported EOL versions v17.5 MR12 through MR15, and v18.0 MR3 and MR4 - published on March 23;
- Hotfixes for unsupported EOL version v18.5 GA - published on March 24;
- Hotfixes for v18.5 MR3 - published on March 24;
- Fix included in v19.0 GA and v18.5 MR4 (18.5.4).
Sophos says it has a possible workaround to secure User Portal and Webadmin interfaces for customers who are using end-of-life versions and those who have disabled automatic updates.
"Customers can protect themselves from external attackers by ensuring their User Portal and Webadmin are not exposed to WAN," Sophos' advisory says. "Disable WAN access to the User Portal and Webadmin by following device access best practices and instead use VPN and/or Sophos Central for remote access and management."
Sophos has also asked users of the older version of Sophos Firewall to upgrade their products and solutions to receive the latest protections, including the current and future fixes.