Sophos has disclosed three critical vulnerabilities in its firewall product that could allow remote unauthenticated attackers to perform structured query language (SQL) injection, execute arbitrary code, and gain privileged secure shell (SSH) access to affected devices. Review the details of this Cybersecurity Threat Advisory to learn how to become protected from these vulnerabilities.
What is the threat?
The identified vulnerabilities in Sophos Firewall are:
- CVE-2024-12727: A pre-authentication SQL injection flaw in the email protection feature, which, under specific configurations involving Secure PDF eXchange (SPX) and High Availability (HA) mode, could lead to remote code execution.
- CVE-2024-12728: A weakness where the suggested, non-random SSH login passphrase for HA cluster initialization remains active post-setup, potentially exposing a privileged system account if SSH is enabled.
- CVE-2024-12729: A post-authentication code injection vulnerability in the User Portal, allowing authenticated users to execute arbitrary code remotely
These vulnerabilities could be exploited by attackers to compromise firewall security, execute malicious code, and gain unauthorized access to network resources.
Why is it noteworthy?
These vulnerabilities are significant due to their high severity scores and potential impact. CVE-2024-12727 and CVE-2024-12728 both have a CVSS score of 9.8, indicating critical risk, while CVE-2024-12729 has a score of 8.8. Exploitation could lead to full system compromise, unauthorized access, and execution of arbitrary code, undermining network security. The specific configurations required for exploitation may lead some organizations to underestimate their risk, potentially leaving them vulnerable.
What is the exposure or risk?
Organizations using the affected versions of Sophos Firewall are at risk of:
- Remote Code Execution (RCE): Attackers could execute malicious code, leading to data breaches or system disruptions.
- Unauthorized Access: Exploiting weak SSH passphrases could grant attackers privileged access, facilitating further network compromise.
- SQL Injection: Unauthorized database access could result in data theft or manipulation.
- Service Disruption: Successful exploitation may disrupt firewall operations, affecting network security and availability.
What are the recommendations?
Barracuda recommends the following actions to protect against these vulnerabilities:
- Update your Sophos firewall to the latest firmware version.
- Confirm that the automatic hotfixes have been applied by following Sophos’s verification steps.
- Limit SSH access to trusted networks and disable SSH access from the WAN to reduce exposure.
- Reconfigure HA setups using strong, random passphrases to prevent unauthorized access.
- Audit user accounts and access logs regularly for any unauthorized activities.
Reference
For more in-depth information, please visit the following link:
If you have any questions about this Cybersecurity Threat Advisory, please contact Barracuda XDR’s Security Operations Center.