Sophos has it patches released to address three security vulnerabilities in Sophos Firewall products that could be used to allow remote code execution and allow privileged system access under certain conditions.
Of the three, two are rated critical in terms of severity. There is currently no evidence that the flaws have been exploited in the wild. The list of vulnerabilities is as follows –
- CVE-2024-12727 (CVSS Score: 9.8) – A SQL pre-authentication vulnerability in the email protection feature that could lead to remote code execution when certain Secure PDF eXchange (SPX) configuration is enabled in conjunction with a firewall running in high availability mode (GA) mode.
- CVE-2024-12728 (CVSS Score: 9.8) – A weak credential vulnerability due to a suggested and non-random SSH login passphrase for high availability (HA) cluster initialization that remains active even after the HA setup process is complete, thus by opening a privileged account when SSH is enabled.
- CVE-2024-12729 (CVSS Score: 8.8) – Post-authentication code injection vulnerability in a user portal that allows authenticated users to obtain remote code execution.
The security vendor said that CVE-2024-12727 affects about 0.05% of devices, while CVE-2024-12728 affects about 0.5% of them. All three discovered vulnerabilities affect Sophos Firewall version 21.0 GA (21.0.0) and earlier. It has been fixed in the following versions –
- CVE-2024-12727 – v21 MR1 and newer (fixes for v21 GA, v20 GA, v20 MR1, v20 MR2, v20 MR3, v19.5 MR3, v19.5 MR4, v19.0 MR2)
- CVE-2024-12728 – v20 MR3, v21 MR1 and newer (fixes for v21 GA, v20 GA, v20 MR1, v19.5 GA, v19.5 MR1, v19.5 MR2, v19.5 MR3, v19.5 MR4, v19.0 MR2, v20 MR2)
- CVE-2024-12729 – v21 MR1 and newer (fixes for v21 GA, v20 GA, v20 MR1, v20 MR2, v19.5 GA, v19.5 MR1, v19.5 MR2, v19.5 MR3, v19.5 MR4, v19.0 MR2, v19.0 MR3)
To ensure that fixes have been applied, users are currently is recommended follow these steps –
- CVE-2024-12727 – Launch Device Management > Advanced Shell from the Sophos Firewall console and run the command “cat /conf/nest_hotfix_status” (the fix is applied if the value is 320 or higher)
- CVE-2024-12728 and CVE-2024-12729 – Start the Device Console from the Sophos Firewall console and run the “system diagnostics show version info” command (the fix is applied if the value is HF120424.1 or later)
As a temporary workaround until the patches are applied, Sophos encourages customers to limit SSH access to only a dedicated HA connection that is physically separate, and/or reconfigure HA using a sufficiently long and random user passphrase.
Another security measure users can take is to disable WAN access via SSH, and ensure that the user portal and web admin are not exposed to the WAN.
The development comes just over a week after U.S. Govt uncapped charges against a Chinese national named Guan Tianfeng for allegedly exploiting a zero-day security vulnerability (CVE-2020-12271, CVSS score: 9.8) to breach approximately 81,000 Sophos firewalls worldwide.
