Skip to content

Search the site

A critical Sophos firewall RCE bug is under active attack. Patch now.

Pre-auth RCE has been exploited in the wild...

A critical Sophos firewall vulnerability is being exploited in the wild the security vendor said Monday. CVE-2022-1040 -- with a CVSS score of 9.8 -- impacts Sophos Firewall versions up to 18.5 MR3 (18.5.3).

That means even the most recent versions of the firewall (pre-patching) are affected.

The Sophos fireware vulnerability was reported via a bug bounty programme. A patch is available. The bug has been used to target what Sophos described as "a small set of specific organisations" mostly in South Asia.

The authentication bypass vulnerability affects the User Portal and Webadmin and gives RCE.

The firewall has "allow automatic installation of hotfixes" set up as its default setting so some organisations will have had the patch installed automatically. Many organisations may have that turned off however to avoid the standard change management issues resulting from software updates that many organisations suffer.

(Among recent fixed bugs in the latest Sophos firewall release -- as seen in its release notes -- were fixes for an issue that caused the Veeam agent to be unable to connect with the Veeam server; the Sophos Firewall OS crashing after a restart and a massive surge in memory useage, as just a small handful of examples...)

The company has also shipped patches for end-of-life unsupported versions 17.5 MR12 through MR15, 18.0 MR3 and MR4, and 18.5 GA in a welcome move that also suggests how severe the bug is.

Read: NASA warned on insider threats, after Raspberry Pi incident

Sophos noted that customers can protect themselves from external attackers by ensuring their User Portal and Webadmin are not exposed to WAN, urging them to disable WAN access to the User Portal and Webadmin by following device access best practices and instead using a VPN and/or Sophos Central for remote access and management. Users can confirm that the hotfix has been applied by referring to KB-000043853.

(In earlier release notes the company urged users deploying a VPN to manage their Sophos Firewall to switch to its new Sophos ZTNA zero trust offering for connecting remote workers, noting that "remote access VPN provides zero insights into which applications users are accessing, while ZTNA can provide real-time status and activity for all your applications proving invaluable in identifying potential issues and performing licensing audits..." )

The Sophos firewall vulnerability fix comes amid what has been by many standards a comparatively quiet start to the year when it comes to critical software vulnerabilities -- with Patch Tuesdays to-date having been light.

Arguably the most severe bug of the year to-date was CVE-2022-22536 -- a critical SAP vulnerability with a maximum CVSS score of 10 that can be exploited through a simple unauthenticated HTTP(S) request and which affects the vast majority of SAP customers —  affected SAP components are intended, by design, to be exposed to the internet.

Admins taking a moment to check broad exposure and who missed January's PwnKit vulnerability should also review patches on that front. The critical vulnerability is in a programme installed by default on every major Linux distribution and gives any unprivileged user the ability to easily gain root access in a potential nightmare for security teams hoping to prevent lateral movement by hackers who have gained a toe-hold in their systems. The vulnerability is in polkit’s pkexec, a SUID-root programme that’s ubiquitous across Linux boxes and used to control system-wide privileges in Unix-like operating systems. There are working POCs in the wild. That bug has been allocated CVE-2021-4034.

See also: US Agencies given two weeks to patch 100+ exploited vulns — but who’s forcing compliance?