Sophos Fixes Critical Remote Code Execution Flaw in Firewall Products

Security

Sophos has released an emergency update to patch a critical security flaw in its firewall product line. The company explained in its security advisory that the vulnerability, tracked under CVE-2022-1040, when exploited could allow for remote code execution (RCE) on targeted machines.

According to Sophos, this remote code execution vulnerability was first discovered by an external security researcher and it was reported via its bug bounty program. Essentially, the cybersecurity firm said that this security flaw is caused by an authentication bypass bug present in the User Sortal and Webadmin Sophos Firewall access points. The vulnerability has a Common Vulnerability Scoring System (CVSS) score of 9.8, and it specifically affects Sophos Firewall v18.5 MR3 (18.5.3) and older.

Fortunately, Sophos has already rolled out an automatic update to patch the remote code execution vulnerability on systems with the “Automatic installation of hotfixes” feature enabled. However, the company recommends that all Sophos Firewall users who are still running older software versions should install the latest updates as soon as possible.

“There is no action required for Sophos Firewall customers with the “Allow automatic installation of hotfixes” feature enabled. Enabled is the default setting,” Sophos explained in its security advisory.

Sophos Fixes Critical Remote Code Execution Flaw in Firewall Products

Sophos suggests a workaround to prevent remote code execution attacks

Sophos also suggested a possible workaround for customers looking to block remote code execution attempts by threat actors via the User Portal and Webadmin. The company recommends that organizations disable Wide area network (WAN) access and instead use a virtual private network (VPN) or Sophos Central to secure remote connections.

“Customers can protect themselves from external attackers by ensuring their User Portal and Webadmin are not exposed to WAN. Disable WAN access to the User Portal and Webadmin by following device access best practices and instead use VPN and/or Sophos Central for remote access and management,” Sophos added.

In addition to this new remote code execution vulnerability, Sophos patched two high severity security flaws impacting the Sophos UTM threat management appliance. The first security issue (CVE-2022-0386) is basically a post-auth SQL injection vulnerability. However, the second one, which is being tracked by Sophos under CVE-2022-0652, is a bug related to insecure access permissions.