Sophos has identified a remote code execution vulnerability tracked as CVE-2022-3236. This vulnerability affects the User Portal and Webadmin components of Sophos Firewalls. Upon a successful exploitation, a threat actor can gain root privileges and deploy a ransomware attack. Barracuda MSP recommends updating to the latest Sophos Firewall security patch to resolve this vulnerability.
What is the threat?
A remote code execution vulnerability exists in the User Portal and Webadmin of Sophos Firewall software version 19.0 MR1 (19.0.1) and older. A firewall typically establishes a barrier between a trusted network and an untrusted network, such as the internet. Attackers who successfully execute this remote code can gain root privileges to the user or organization’s devices remotely. This vulnerability has been categorized as critical and it has been associated with previous zero-day flaws.
Why is it noteworthy?
This vulnerability impacts every organization who are using Sophos Firewall. Once bad actors successfully execute the remote code, they will have access to wreak havoc in a business environment. When news of vulnerability such as this becomes public, attackers will accelerate their attacks, while the attack window is still available.
What is the exposure or risk?
When exploited, this vulnerability allows an attacker to have complete and unrestricted access to the devices running Sophos Firewall versions v19.0 MR1 (19.0.1) and older. If an attacker can run remote code, they can easily install programs, exfiltrate, view, change, delete data, or create new accounts in the context allowed by the user’s rights. These privileges give the attacker the tools to conduct a ransomware event, impersonation, and obtain credential information that can lead to temporary or permanent loss of sensitive or proprietary information, disruption to regular operations, financial losses, and potential harm to an organization’s reputation.
What are the recommendations?
Barracuda MSP recommends the following actions to limit the impact of an arbitrary code execution attack:
- Upgrade Sophos Firewalls to their latest version to patch this vulnerability.
- Disable WAN access to the User Portal and Webadmin by following device access best practices (linked Below) and instead use VPN and/or Sophos Central (preferred) for remote access and management.
- Keep all applications updated to enforce new security measures
- No action is required for Sophos Firewall customers with the ‘Allow automatic installation of hotfixes’ feature enabled on remediated versions
For more in-depth information about the recommendations, please visit the following links:
If you have any questions, please contact our Security Operations Center.