Sophos has launched hotfixes to handle three safety flaws in Sophos Firewall merchandise that may very well be exploited to attain distant code execution and permit privileged system entry beneath sure circumstances.
Of the three, two are rated Important in severity. There may be presently no proof that the shortcomings have been exploited within the wild. The checklist of vulnerabilities is as follows –
- CVE-2024-12727 (CVSS rating: 9.8) – A pre-auth SQL injection vulnerability within the e-mail safety characteristic that might result in distant code execution, if a selected configuration of Safe PDF eXchange (SPX) is enabled together with the firewall operating in Excessive Availability (HA) mode.
- CVE-2024-12728 (CVSS rating: 9.8) – A weak credentials vulnerability arising from a prompt and non-random SSH login passphrase for Excessive Availability (HA) cluster initialization that is still lively even after the HA institution course of accomplished, thereby exposing an account with privileged entry if SSH is enabled.
- CVE-2024-12729 (CVSS rating: 8.8) – A post-auth code injection vulnerability within the Person Portal that permits authenticated customers to achieve distant code execution.
The safety vendor stated CVE-2024-12727 impacts about 0.05% of gadgets, whereas CVE-2024-12728 impacts roughly 0.5% of them. All three recognized vulnerabilities affect Sophos Firewall variations 21.0 GA (21.0.0) and older. It has been remediated within the following variations –
- CVE-2024-12727 – v21 MR1 and newer (Hotfixes for v21 GA, v20 GA, v20 MR1, v20 MR2, v20 MR3, v19.5 MR3, v19.5 MR4, v19.0 MR2)
- CVE-2024-12728 – v20 MR3, v21 MR1 and newer (Hotfixes for v21 GA, v20 GA, v20 MR1, v19.5 GA, v19.5 MR1, v19.5 MR2, v19.5 MR3, v19.5 MR4, v19.0 MR2, v20 MR2)
- CVE-2024-12729 – v21 MR1 and newer (Hotfixes for v21 GA, v20 GA, v20 MR1, v20 MR2, v19.5 GA, v19.5 MR1, v19.5 MR2, v19.5 MR3, v19.5 MR4, v19.0 MR2, v19.0 MR3)
To make sure that the hotfixes have been utilized, customers are being really helpful to observe the below-mentioned steps –
- CVE-2024-12727 – Launch Machine Administration > Superior Shell from the Sophos Firewall console, and run the command “cat /conf/nest_hotfix_status” (The hotfix is utilized if the worth is 320 or above)
- CVE-2024-12728 and CVE-2024-12729 – Launch Machine Console from the Sophos Firewall console, and run the command “system diagnostic present version-info” (The hotfix is utilized if the worth is HF120424.1 or later)
As short-term workarounds till the patches will be utilized, Sophos is urging prospects to limit SSH entry to solely the devoted HA hyperlink that’s bodily separate, and/or reconfigure HA utilizing a sufficiently lengthy and random customized passphrase.
One other safety measure that customers can take is to disable WAN entry through SSH, in addition to be sure that Person Portal and Webadmin usually are not uncovered to WAN.
The event comes a little bit over every week after the U.S. authorities unsealed expenses in opposition to a Chinese language nationwide named Guan Tianfeng for allegedly exploiting a zero-day safety vulnerability (CVE-2020-12271, CVSS rating: 9.8) to interrupt into about 81,000 Sophos firewalls the world over.
