Threat Update
Sophos has disclosed a critical-level authentication bypass vulnerability (CVE-2022-1040) that impacts Sophos Firewall v18.5 and below. If this vulnerability is exploited, an attacker could get unfettered access to the firewall and execute remote code at will. Barracuda MSP’s SOC recommends disabling WAN access to your user portal and Webadmin or placing these utilities behind a VPN. Additionally, Sophos has already released a patch for this exploit and recommends updating your devices immediately.
Technical Detail & Additional Information
WHAT IS THE THREAT?
CVE-2022-1040, an exploit that affects Sophos Firewall v18.5 and below, is an authentication bypass vulnerability in the Sophos User Portal and Webadmin which, when exploited, allows remote code execution (RCE) on vulnerable devices. This vulnerability was reported to Sophos through their bug bounty program, and there are no known instances of this exploit being used in the wild.
WHY IS IT NOTEWORTHY?
Sophos firewalls are common in both business and home use, and a vulnerability that affects them unilaterally is particularly dangerous. Compounding the large threat surface of all Sophos firewalls is the fact that the vulnerability itself is highly dangerous. Vulnerabilities like these can lead to remote code execution and total attacker control of the firewall. Any Sophos firewall running v18.5 or below and has WAN open to the world is vulnerable to this exploit.
WHAT IS THE EXPOSURE OR RISK?
If WAN access is enabled, an attacker can exploit this vulnerability remotely. Exploiting this vulnerability would give attackers complete control of the device, allowing them to disable the firewall, create new users, and much more. If an attacker were to have control over an organization’s firewall, they could have unlimited freedom to allow malicious traffic to come and go from the organization as they please.
WHAT ARE THE RECOMMENDATIONS?
Barracuda MSP’s SOC recommends the following actions to limit the impact of a VoIP DDoS attack:
- Customers can protect themselves against external attackers by making sure their User Portal and Webadmin aren’t exposed to the WAN.
- Disable WAN access to the User Portal and Webadmin, and instead utilize VPN and/or Sophos Central for remote access and control.
REFERENCES
For more in-depth information about the recommendations, please visit the following links:
- https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Administration/DeviceAccess/index.html
- https://www.zdnet.com/article/sophos-patches-critical-remote-code-execution-vulnerability-in-firewall-defense-product/
- https://www.bleepingcomputer.com/news/security/critical-sophos-firewall-vulnerability-allows-remote-code-execution/
- https://www.sophos.com/en-us/security-advisories/sophos-sa-20220325-sfos-rce
If you have any questions, please contact our Security Operations Center.
