Sophos has launched hotfixes to handle three safety flaws in Sophos Firewall merchandise that may very well be exploited to attain distant code execution and permit privileged system entry underneath sure situations.
Of the three, two are rated Important in severity. There’s presently no proof that the shortcomings have been exploited within the wild. The listing of vulnerabilities is as follows –
- CVE-2024-12727 (CVSS rating: 9.8) – A pre-auth SQL injection vulnerability within the e-mail safety characteristic that might result in distant code execution, if a selected configuration of Safe PDF eXchange (SPX) is enabled together with the firewall operating in Excessive Availability (HA) mode.
- CVE-2024-12728 (CVSS rating: 9.8) – A weak credentials vulnerability arising from a instructed and non-random SSH login passphrase for Excessive Availability (HA) cluster initialization that continues to be lively even after the HA institution course of accomplished, thereby exposing an account with privileged entry if SSH is enabled.
- CVE-2024-12729 (CVSS rating: 8.8) – A post-auth code injection vulnerability within the Person Portal that permits authenticated customers to realize distant code execution.
The safety vendor mentioned CVE-2024-12727 impacts about 0.05% of gadgets, whereas CVE-2024-12728 impacts roughly 0.5% of them. All three recognized vulnerabilities affect Sophos Firewall variations 21.0 GA (21.0.0) and older. It has been remediated within the following variations –
- CVE-2024-12727 – v21 MR1 and newer (Hotfixes for v21 GA, v20 GA, v20 MR1, v20 MR2, v20 MR3, v19.5 MR3, v19.5 MR4, v19.0 MR2)
- CVE-2024-12728 – v20 MR3, v21 MR1 and newer (Hotfixes for v21 GA, v20 GA, v20 MR1, v19.5 GA, v19.5 MR1, v19.5 MR2, v19.5 MR3, v19.5 MR4, v19.0 MR2, v20 MR2)
- CVE-2024-12729 – v21 MR1 and newer (Hotfixes for v21 GA, v20 GA, v20 MR1, v20 MR2, v19.5 GA, v19.5 MR1, v19.5 MR2, v19.5 MR3, v19.5 MR4, v19.0 MR2, v19.0 MR3)
To make sure that the hotfixes have been utilized, customers are being advisable to observe the below-mentioned steps –
- CVE-2024-12727 – Launch System Administration > Superior Shell from the Sophos Firewall console, and run the command “cat /conf/nest_hotfix_status” (The hotfix is utilized if the worth is 320 or above)
- CVE-2024-12728 and CVE-2024-12729 – Launch System Console from the Sophos Firewall console, and run the command “system diagnostic present version-info” (The hotfix is utilized if the worth is HF120424.1 or later)
As non permanent workarounds till the patches could be utilized, Sophos is urging prospects to limit SSH entry to solely the devoted HA hyperlink that’s bodily separate, and/or reconfigure HA utilizing a sufficiently lengthy and random customized passphrase.
One other safety measure that customers can take is to disable WAN entry through SSH, in addition to be certain that Person Portal and Webadmin will not be uncovered to WAN.
The event comes slightly over every week after the U.S. authorities unsealed expenses in opposition to a Chinese language nationwide named Guan Tianfeng for allegedly exploiting a zero-day safety vulnerability (CVE-2020-12271, CVSS rating: 9.8) to interrupt into about 81,000 Sophos firewalls the world over.
