Sophos Releases Hotfixes for Critical Firewall Vulnerabilities
2024-12-20
Need some ammo against Sophos? Discover how vulnerabilities in their Firewall products could expose businesses and highlight the importance of comprehensive security solutions.
Sophos has released hotfixes for three vulnerabilities in its Firewall products, two of which are critical, that could allow remote code execution and privileged access. While there is no evidence of these being exploited, they impact versions 21.0 GA and older. Users are advised to update to the latest versions to mitigate these risks. Temporary workarounds include restricting SSH access and reconfiguring HA settings. The update follows recent charges against a Chinese national for exploiting a different Sophos Firewall vulnerability.
Patch Management, Weak or Compromised Credentials, Web App/Website Vulnerability
Sophos Firewall, CVE-2024-12727, CVE-2024-12728, CVE-2024-12729, Remote Code Execution, Vulnerability Patch
CVE-2024-12727; CVE-2024-12728; CVE-2024-12729; CVE-2020-12271
Sophos Firewall
Sophos Releases Critical Hotfixes for Firewall Vulnerabilities

Sophos has addressed three security vulnerabilities in its Firewall products by releasing hotfixes. The flaws could allow an attacker to execute code remotely and to gain privileged access to the appliance. Sophos reports no evidence of in-the-wild exploitation.

Identified Vulnerabilities

CVE-2024-12727: A pre-authentication SQL injection vulnerability with a critical CVSS score of 9.8. It sits in the email protection feature and is reachable only when a specific Secure PDF eXchange (SPX) configuration is enabled and the firewall is running in High Availability (HA) mode. Successful exploitation could lead to remote code execution.

CVE-2024-12728: Also critical, with a CVSS score of 9.8. This is a weak-credentials issue: the suggested, non-random SSH login passphrase offered during HA cluster initialization remains active after the HA establishment process completes. If SSH is enabled, this exposes a privileged system account on the firewall.

CVE-2024-12729: Rated 8.8 (high). A post-authentication code injection vulnerability in the User Portal that allows an authenticated user to execute code remotely.

Impact and Affected Versions

Sophos reports that CVE-2024-12727 impacts about 0.05% of devices and CVE-2024-12728 about 0.5%. All three vulnerabilities are present in Sophos Firewall versions 21.0 GA (21.0.0) and older.

Remediation

Sophos has issued hotfixes for these vulnerabilities; which hotfix applies depends on the firewall version in use. Update to the latest version to receive the fix permanently.

Verification Steps

To confirm that the hotfixes are applied, run both of the following checks, as they read different indicators:

In the Advanced Shell, run cat /conf/nest_hotfix_status. The hotfix is applied if the value is 320 or above.

In the Device Console, run system diagnostic show version-info. The hotfix is applied if the reported value is HF120424.1 or later.

Temporary Workarounds

Until the hotfixes can be fully applied, Sophos advises restricting SSH access to the dedicated HA link, using a long, random passphrase for HA configurations, and disabling WAN access via SSH. Additionally, ensure that the User Portal and Webadmin are not exposed to the WAN.

These updates come shortly after the U.S. government's charges against a Chinese national for exploiting an earlier zero-day vulnerability in Sophos firewalls, highlighting the ongoing need for vigilance and timely patching.
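The two verification checks above each produce a short piece of text that has to be compared against a documented minimum. The following POSIX shell script, added here as an example and not code from Sophos or from the source article, takes the text those two commands print (pasted from the appliance, or the constructed samples embedded below) and decides whether each indicator is at or above the minimum the advisory names. The layout of the real version-info output is an assumption; only the HF token is relied on. It also assumes the six digits after "HF" are MMDDYY and the suffix after the dot is a sequence number, which is how the comparison with HF120424.1 is implemented.

```shell
#!/bin/sh
# Added example (not Sophos's code): offline checker for the two hotfix
# indicators named in the advisory. Sample inputs below are constructed.

MIN_NEST=320            # minimum /conf/nest_hotfix_status value per the advisory
MIN_HF="HF120424.1"     # minimum hotfix id reported by "show version-info"

# Constructed sample outputs, not captured from a real appliance.
SAMPLE_NEST="321"
SAMPLE_VERSION_INFO="Hotfix: HF120424.1
Build: 21.0.0"

# hf_key ID: turn an HF id into a numeric sort key.
# Assumption: "HF" + MMDDYY + "." + sequence (HF120424.1 = 4 Dec 2024, seq 1),
# so the key is YYMMDD followed by a three-digit sequence number.
hf_key() {
  body=${1#HF}                  # 120424.1
  ymd=${body%%.*}               # 120424
  n=${body#*.}                  # 1
  mm=$(printf '%s' "$ymd" | cut -c1-2)
  dd=$(printf '%s' "$ymd" | cut -c3-4)
  yy=$(printf '%s' "$ymd" | cut -c5-6)
  printf '%s%s%s%03d' "$yy" "$mm" "$dd" "$n"
}

# check_nest STATUS: 0 if STATUS >= MIN_NEST, 1 if below, 2 if not a bare integer.
check_nest() {
  case "$1" in
    ''|*[!0-9]*) return 2 ;;    # empty or non-numeric: refuse to guess
  esac
  [ "$1" -ge "$MIN_NEST" ]
}

# check_hf TEXT: 0 if TEXT contains an HF id at or after MIN_HF, 1 if the
# first HF id found is earlier, 2 if no HF id is present at all.
check_hf() {
  token=$(printf '%s\n' "$1" | grep -o 'HF[0-9]\{6\}\.[0-9][0-9]*' | head -n 1)
  [ -n "$token" ] || return 2
  [ "$(hf_key "$token")" -ge "$(hf_key "$MIN_HF")" ]
}

# verdict STATUS TEXT: print one line per indicator; return 0 only when both
# are at or above the documented minimum.
verdict() {
  rc=0
  if check_nest "$1"; then
    echo "nest_hotfix_status: OK ($1 >= $MIN_NEST)"
  else
    echo "nest_hotfix_status: NOT OK ($1)"; rc=1
  fi
  if check_hf "$2"; then
    echo "version-info: OK (>= $MIN_HF)"
  else
    echo "version-info: NOT OK (no hotfix id at or after $MIN_HF)"; rc=1
  fi
  return $rc
}

# Usage with the constructed samples; replace with the real command outputs.
verdict "$SAMPLE_NEST" "$SAMPLE_VERSION_INFO"
```

A status that is missing or non-numeric is reported as a failure rather than silently treated as patched; when the script is run against real output, treat that case as "unknown" and inspect the appliance by hand.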
https://thehackernews.com/2024/12/sophos-fixes-3-critical-firewall-flaws.html?m=1