Sophos has launched hotfixes to handle three safety flaws in Sophos Firewall merchandise that might be exploited to attain distant code execution and permit privileged system entry beneath sure situations.
Of the three, two are rated Vital in severity. There may be at the moment no proof that the shortcomings have been exploited within the wild. The checklist of vulnerabilities is as follows –
- CVE-2024-12727 (CVSS rating: 9.8) – A pre-auth SQL injection vulnerability within the e mail safety function that would result in distant code execution, if a particular configuration of Safe PDF eXchange (SPX) is enabled together with the firewall operating in Excessive Availability (HA) mode.
- CVE-2024-12728 (CVSS rating: 9.8) – A weak credentials vulnerability arising from a urged and non-random SSH login passphrase for Excessive Availability (HA) cluster initialization that is still energetic even after the HA institution course of accomplished, thereby exposing an account with privileged entry if SSH is enabled.
- CVE-2024-12729 (CVSS rating: 8.8) – A post-auth code injection vulnerability within the Person Portal that permits authenticated customers to achieve distant code execution.
The safety vendor mentioned CVE-2024-12727 impacts about 0.05% of gadgets, whereas CVE-2024-12728 impacts roughly 0.5% of them. All three recognized vulnerabilities influence Sophos Firewall variations 21.0 GA (21.0.0) and older. It has been remediated within the following variations –
- CVE-2024-12727 – v21 MR1 and newer (Hotfixes for v21 GA, v20 GA, v20 MR1, v20 MR2, v20 MR3, v19.5 MR3, v19.5 MR4, v19.0 MR2)
- CVE-2024-12728 – v20 MR3, v21 MR1 and newer (Hotfixes for v21 GA, v20 GA, v20 MR1, v19.5 GA, v19.5 MR1, v19.5 MR2, v19.5 MR3, v19.5 MR4, v19.0 MR2, v20 MR2)
- CVE-2024-12729 – v21 MR1 and newer (Hotfixes for v21 GA, v20 GA, v20 MR1, v20 MR2, v19.5 GA, v19.5 MR1, v19.5 MR2, v19.5 MR3, v19.5 MR4, v19.0 MR2, v19.0 MR3)
To make sure that the hotfixes have been utilized, customers are being really useful to observe the below-mentioned steps –
- CVE-2024-12727 – Launch Gadget Administration > Superior Shell from the Sophos Firewall console, and run the command “cat /conf/nest_hotfix_status” (The hotfix is utilized if the worth is 320 or above)
- CVE-2024-12728 and CVE-2024-12729 – Launch Gadget Console from the Sophos Firewall console, and run the command “system diagnostic show version-info” (The hotfix is utilized if the worth is HF120424.1 or later)
As momentary workarounds till the patches could be utilized, Sophos is urging prospects to limit SSH entry to solely the devoted HA hyperlink that’s bodily separate, and/or reconfigure HA utilizing a sufficiently lengthy and random customized passphrase.
One other safety measure that customers can take is to disable WAN entry through SSH, in addition to be certain that Person Portal and Webadmin are usually not uncovered to WAN.
The event comes somewhat over every week after the U.S. authorities unsealed costs towards a Chinese language nationwide named Guan Tianfeng for allegedly exploiting a zero-day safety vulnerability (CVE-2020-12271, CVSS rating: 9.8) to interrupt into about 81,000 Sophos firewalls the world over.
