Sophos has addressed three vulnerabilities in its Sophos Firewall product that could allow remote attackers to perform SQL injection, achieve remote code execution, and gain privileged SSH access to devices. Two of the three are exploitable without authentication; the third requires valid credentials.
The vulnerabilities affect Sophos Firewall version 21.0 GA (21.0.0) and older. The company has already released hotfixes, which are installed by default, and permanent fixes in new firmware updates.
The three flaws are summarized as follows:
- CVE-2024-12727: A pre-authentication SQL injection vulnerability in the email protection feature. If a specific configuration of Secure PDF eXchange (SPX) is enabled together with High Availability (HA) mode, it allows access to the reporting database, potentially leading to RCE.
- CVE-2024-12728: The suggested, non-random SSH login passphrase for HA cluster initialization remains active after the process completes, leaving systems where SSH is enabled vulnerable to unauthorized access because the credential is predictable.
- CVE-2024-12729: An authenticated user can exploit a code injection vulnerability in the User Portal. This allows attackers with valid credentials to execute arbitrary code remotely, increasing the risk of privilege escalation or further exploitation.
Sophos says CVE-2024-12727 affects roughly 0.05% of firewall devices, namely those with the specific configuration required for exploitation. As for CVE-2024-12728, the vendor says it affects roughly 0.5% of devices.
Available fixes
Hotfixes and full fixes have been made available for various versions and on various dates, as follows:
Hotfixes for CVE-2024-12727 have been available since December 17 for versions v21 GA, v20 GA, v20 MR1, v20 MR2, v20 MR3, v19.5 MR3, v19.5 MR4, and v19.0 MR2, while a permanent fix was released in v21 MR1 and newer.
Hotfixes for CVE-2024-12728 were released between November 26 and 27 for v21 GA, v20 GA, v20 MR1, v20 MR2, v19.5 GA, v19.5 MR1, v19.5 MR2, v19.5 MR3, v19.5 MR4, and v19.0 MR2, while permanent fixes are included in v20 MR3, v21 MR1 and newer.
For CVE-2024-12729, hotfixes were released between December 4 and 10 for versions v21 GA, v20 GA, v20 MR1, v20 MR2, v20 MR3, v19.5 GA, v19.5 MR1, v19.5 MR2, v19.5 MR3, v19.5 MR4, v19.0 MR2, and v19.0 MR3, and a permanent fix is available in v21 MR1 and later.
Sophos Firewall hotfixes are installed automatically by default (unless automatic hotfix installation has been turned off on the device), but instructions on how to apply them manually and validate that they have been successfully installed are in KBA-000010084. Note that a device running a hotfix-eligible release is not necessarily patched: the hotfix must actually be present, so verify it rather than inferring it from the firmware version.
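To turn the version lists above into something a fleet owner can act on, the following is an added triage script (not Sophos's code and not part of the original article). It parses Sophos Firewall release strings as the advisory writes them ("v21 GA", "v20 MR3", "v19.5 MR4", "21.0 GA (21.0.0)"), encodes the hotfix and permanent-fix lists for the three CVEs, and reports, per device, which CVEs still need action. Two assumptions are labelled in the code: "v21 MR1 and newer" is interpreted as the same major.minor line at or above the stated MR, or any later major.minor line; and the inventory at the bottom is constructed sample data, not real hosts. The script classifies by firmware release only; whether a hotfix is actually installed on a hotfix-eligible release must still be checked per KBA-000010084.

```python
import re

# Release strings as the advisory writes them ("v21 GA", "v20 MR3", "v19.5 MR4",
# "21.0 GA (21.0.0)"). GA is treated as maintenance release 0.
_VER_RE = re.compile(r"^\s*v?(\d+)(?:\.(\d+))?\s*(?:GA|MR\s*(\d+))", re.IGNORECASE)


def parse_version(text):
    """Return (major, minor, mr) so releases compare as tuples; GA == MR0."""
    m = _VER_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Sophos Firewall version: {text!r}")
    major, minor, mr = m.groups()
    return (int(major), int(minor or 0), int(mr or 0))


PERMANENT = "permanent fix in this firmware"
HOTFIX = "hotfix release: confirm the hotfix is applied (KBA-000010084) or upgrade"
UNLISTED = "not in the published hotfix/fix lists: upgrade or consult the Sophos advisory"

# Lists taken from the article's "Available fixes" section.
ADVISORY = {
    "CVE-2024-12727": {
        "hotfix": ["v21 GA", "v20 GA", "v20 MR1", "v20 MR2", "v20 MR3",
                   "v19.5 MR3", "v19.5 MR4", "v19.0 MR2"],
        "permanent": ["v21 MR1"],            # "and newer"
    },
    "CVE-2024-12728": {
        "hotfix": ["v21 GA", "v20 GA", "v20 MR1", "v20 MR2", "v19.5 GA",
                   "v19.5 MR1", "v19.5 MR2", "v19.5 MR3", "v19.5 MR4", "v19.0 MR2"],
        "permanent": ["v20 MR3", "v21 MR1"], # "and newer"
    },
    "CVE-2024-12729": {
        "hotfix": ["v21 GA", "v20 GA", "v20 MR1", "v20 MR2", "v20 MR3", "v19.5 GA",
                   "v19.5 MR1", "v19.5 MR2", "v19.5 MR3", "v19.5 MR4",
                   "v19.0 MR2", "v19.0 MR3"],
        "permanent": ["v21 MR1"],            # "and later"
    },
}


def is_permanently_fixed(ver, baselines):
    """Assumption: 'vX MRn and newer' means the same major.minor line at or above
    MRn, or any major.minor line later than the highest listed baseline."""
    lines = [parse_version(b) for b in baselines]
    if any(ver[:2] == b[:2] and ver[2] >= b[2] for b in lines):
        return True
    return ver[:2] > max(b[:2] for b in lines)


def triage(version):
    """Map each CVE to PERMANENT / HOTFIX / UNLISTED for one firmware release."""
    ver = parse_version(version)
    status = {}
    for cve, info in ADVISORY.items():
        if is_permanently_fixed(ver, info["permanent"]):
            status[cve] = PERMANENT
        elif ver in {parse_version(h) for h in info["hotfix"]}:
            status[cve] = HOTFIX
        else:
            status[cve] = UNLISTED
    return status


def fleet_report(inventory):
    """inventory: iterable of (hostname, version). Returns (host, version, open CVEs)
    for every device that is not on a permanently fixed release for all three CVEs."""
    report = []
    for host, version in inventory:
        open_cves = [cve for cve, s in triage(version).items() if s != PERMANENT]
        if open_cves:
            report.append((host, version, open_cves))
    return report


if __name__ == "__main__":
    # Constructed sample inventory for illustration; not real hosts.
    INVENTORY = [("fw-edge-1", "v21 GA"), ("fw-edge-2", "v21 MR1"),
                 ("fw-branch-1", "v20 MR3"), ("fw-lab", "v19.0 MR3")]
    for host, version, open_cves in fleet_report(INVENTORY):
        print(f"{host} ({version}):")
        for cve in open_cves:
            print(f"  {cve}: {triage(version)[cve]}")
```

A device on v20 MR3, for example, is reported as permanently fixed for CVE-2024-12728 but still hotfix-dependent for the other two, which is exactly the case where checking only the headline version would mislead.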
Sophos has also proposed workarounds for mitigating the risks associated with CVE-2024-12728 and CVE-2024-12729 for those who cannot apply the hotfix or upgrade.
To mitigate CVE-2024-12728, it is recommended to restrict SSH access solely to the dedicated HA link, which is physically separated from other network traffic, and to reconfigure the HA setup using a sufficiently long and random custom passphrase rather than the suggested one.
For remote management and access, disabling SSH over the WAN interface and using Sophos Central or a VPN instead is generally advised.
To mitigate CVE-2024-12729, admins should ensure the User Portal and Webadmin interfaces are not exposed to the WAN.
Update 12/20/24: Updated article to clarify that hotfixes are installed by default.