September 25, 2022

Sophos Patches an Actively Exploited RCE Firewall Vulnerability

Sophos has released a security advisory addressing a critical remote code Injection vulnerability affecting several firewall models, allowing unauthenticated attackers to preform remote code execution.

The Vulnerability

• CVE-2022-3236 (CVSS:9.8 – critical) – A remote code injection vulnerability in the User Portal and Webadmin components, affects Sophos Firewall versions 19.0 MR1 (19.0.1) and earlier.
  Successful Exploitation could allow an attacker to gain full access to devices and the internal corporate networks, leading to remote code execution.

Vulnerable Products

The following Sophos firewall series are affected:

• v19.0 GA, MR1, and MR1-1
• v18.5 GA, MR1, MR1-1, MR2, MR3, and MR4
• v18.0 MR3, MR4, MR5, and MR6
• v17.5 MR12, MR13, MR14, MR15, MR16, and MR17
• v17.0 MR10

Mitigation

CYREBRO recommends implementing the latest available hotfixes and patches for relevant products as described in the official advisory.

Please note that if the “Allow automatic installation of hotfixes” setting in Sophos Firewall is enabled (it is enabled by default), no further action is required.

Workaround

If mitigation is currently impossible, disable WAN access to the User Portal and ‘Webadmin’ by following device access best practices and instead use VPN and/or Sophos Central for remote access and management.

References: Sophos Advisory