
Sophos Releases Critical Advisory for Sophos Firewall

Critical vulnerabilities could lead to SQL injection, unauthorised access, or RCE 


Summary

Sophos has released an advisory for three vulnerabilities in Sophos Firewall (CVE-2024-12727, CVE-2024-12728 and CVE-2024-12729), two rated critical and one high, that could lead to SQL injection, unauthorised access, or remote code execution (RCE).


Affected platforms

The following platforms are known to be affected:

Threat details

SSL-VPN and firewall appliances are popular targets for attackers

SSL-VPN and firewall appliances are internet-facing by design and are frequently targeted by attackers. Vulnerabilities in these appliances are often exploited soon after public disclosure, so organisations are urged to apply security updates as soon as practicable.


Introduction

Sophos has released a critical advisory addressing two critical and one high-severity vulnerability in its firewall product, Sophos Firewall. 

  • CVE-2024-12727 is a pre-authentication SQL injection vulnerability in the email protection feature that could allow an unauthenticated attacker to achieve remote code execution (RCE) and gain access to the reporting database. It has a CVSSv3 score of 9.8 and only affects firewalls with a specific configuration: Secure PDF eXchange (SPX) enabled in combination with the firewall running in High Availability (HA) mode. 
  • CVE-2024-12728 is a weak credentials vulnerability with a CVSSv3 score of 9.8. The suggested, non-random Secure Shell (SSH) login passphrase used during HA cluster initialisation remains active after initialisation completes, potentially exposing a highly privileged system account where SSH is reachable. 
  • CVE-2024-12729 has a CVSSv3 score of 8.8 and is a post-authentication code injection vulnerability in the User Portal. If exploited, an authenticated attacker could achieve RCE.

Remediation advice

Affected organisations are encouraged to review the Sophos advisory sophos-sa-20241219-sfos-rce and apply the relevant hotfixes as soon as is practicable.

Additional workarounds are described below.


Remediation steps

Guidance: CVE-2024-12728

To mitigate the issue of the SSH passphrase (used during deployment of HA ports) remaining active, organisations are encouraged to ensure that:

  • SSH access is restricted to only the dedicated HA link that is physically separate
  • HA is reconfigured using a sufficiently long and random custom passphrase

Sophos recommends disabling WAN access via SSH and instead using VPN and/or Sophos Central for remote access and management.

Reference: https://www.sophos.com/en-us/security-advisories/sophos-sa-20241219-sfos-rce

Guidance: CVE-2024-12729

  • Organisations can protect themselves from external attackers by ensuring their User Portal and Webadmin are not exposed to the WAN.

Reference: https://www.sophos.com/en-us/security-advisories/sophos-sa-20241219-sfos-rce
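A quick way to verify the exposure that both remediation steps warn about is to probe the firewall's WAN address from a host outside the network and confirm that SSH, the User Portal and Webadmin do not answer. The script below is an added example written for this alert; it is not code from the NHS alert or from Sophos. The port numbers are assumptions about common defaults (SSH 22, User Portal 443, Webadmin 4444) and must be replaced with the ports configured on your own appliance.

```python
"""External exposure check for Sophos Firewall management services.

Added example, not code from the NHS alert or from Sophos. Run it from a
host *outside* the firewall against the WAN address; any service that
accepts a TCP connection is reachable from the internet and should be
restricted as the advisory recommends. Port numbers are assumed defaults.
"""
import socket
import sys

# Assumed default ports (adjust to your deployment).
MANAGEMENT_SERVICES = {
    "ssh": 22,           # CVE-2024-12728: disable WAN access via SSH
    "user-portal": 443,  # CVE-2024-12729: User Portal must not face the WAN
    "webadmin": 4444,    # CVE-2024-12729: Webadmin must not face the WAN
}


def tcp_connect(host, port, timeout=3.0):
    """Return True if a TCP handshake completes, i.e. something is listening."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_exposure(host, services=MANAGEMENT_SERVICES, connect=tcp_connect):
    """Probe each management service on ``host``.

    ``connect`` is injectable so the decision logic can be exercised without
    network access. Returns a dict of service name -> reachable (bool).
    """
    return {name: connect(host, port) for name, port in services.items()}


def exposed_services(results):
    """Return the names of services that answered, sorted for stable output."""
    return sorted(name for name, reachable in results.items() if reachable)


def main(argv):
    if len(argv) != 2:
        print(f"usage: {argv[0]} <firewall-wan-address>", file=sys.stderr)
        return 2
    results = check_exposure(argv[1])
    for name, reachable in results.items():
        state = "REACHABLE - restrict" if reachable else "closed"
        print(f"{name:12s} tcp/{MANAGEMENT_SERVICES[name]:<5d} {state}")
    # Non-zero exit when anything is exposed, so the check can gate a
    # scheduled compliance job rather than relying on someone reading output.
    return 1 if exposed_services(results) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 check_exposure.py <firewall WAN address>` from an internet vantage point; an exit code of 1 means at least one management service answered on the WAN side. A closed port only shows that the service is not reachable from outside; it does not confirm that the Sophos hotfixes have been applied, so the advisory's hotfix verification should still be carried out.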


Last edited: 23 December 2024 2:22 pm