
What Happened?

An authentication bypass vulnerability (CVE-2022-1040) that allowed for remote code execution (RCE) was discovered in the User Portal and Webadmin of Sophos Firewall.

This vulnerability affects organizations running versions v18.5 MR3 and older of Sophos Firewall.

How Bad is This?

CVE-2022-1040 was issued a 9.8 rating on the CVSS scale; in other words, critical severity. RCE is one of the most dangerous types of flaws because it allows an adversary to execute malicious code on vulnerable servers.

What Should I Do?

Sophos released hotfixes for the following versions, according to the company’s security advisory:

  • Hotfixes for v17.0 MR10 EAL4+, v17.5 MR16 and MR17, v18.0 MR5(-1) and MR6, v18.5 MR1 and MR2, and v19.0 EAP published on March 23, 2022
  • Hotfixes for unsupported EOL versions v17.5 MR12 through MR15, and v18.0 MR3 and MR4 published on March 23, 2022
  • Hotfixes for unsupported EOL version v18.5 GA published on March 24, 2022
  • Hotfixes for v18.5 MR3 published on March 24, 2022
  • Fix included in v19.0 GA and v18.5 MR4 (18.5.4)

These patches should automatically apply when users have enabled “Allow Automatic Installation of Hotfixes” on their systems. Otherwise, admins must manually update the firewall.

In general, it’s important to ensure that the User Portal and Webadmin are not exposed to the internet. Admins should disable WAN access to both the User Portal and Webadmin by following Sophos’ instructions for device access best practices.
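To turn the version list above into an inventory check, the following added example (not code from Sophos or from this post) parses Sophos Firewall version strings in the forms the advisory uses ("v18.5 MR3", "18.5.4", "19.0 GA", "19.0 EAP", "17.0 MR10 EAL4+") and flags each device against the fixed releases the advisory names: v18.5 MR4 (18.5.4) and v19.0 GA. Anything older, including v19.0 EAP, is reported as affected and needing hotfix verification, because a version string alone cannot show whether the March 23/24 hotfixes were installed (for example when automatic hotfix installation is disabled). The hostnames and the inventory list are constructed sample data.

```python
import re
from typing import NamedTuple


class SfosVersion(NamedTuple):
    """Comparable Sophos Firewall version: major, minor, maintenance release."""
    major: int
    minor: int
    mr: int  # maintenance release number; 0 = GA, -1 = EAP (pre-release)


# Accepts an optional leading "v", "major.minor", an optional dotted patch,
# and an optional GA / EAP / MRn tag. Trailing text (e.g. "EAL4+") is ignored.
_VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)(?:\.(\d+))?\s*(GA|EAP|MR(\d+))?", re.IGNORECASE
)


def parse_version(text: str) -> SfosVersion:
    """Parse strings such as 'v18.5 MR3', '18.5.4', '19.0 GA', '19.0 EAP'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised SFOS version string: {text!r}")
    major, minor, patch, tag, mr_num = m.groups()
    if mr_num is not None:
        mr = int(mr_num)                 # "MR3" -> 3
    elif tag and tag.upper() == "EAP":
        mr = -1                          # early-access build sorts before GA
    elif patch is not None:
        mr = int(patch)                  # dotted form: 18.5.4 == 18.5 MR4 (per advisory)
    else:
        mr = 0                           # "GA" or no qualifier
    return SfosVersion(int(major), int(minor), mr)


# Releases that ship the fix, as stated in the Sophos advisory quoted above.
FIXED_18_5 = SfosVersion(18, 5, 4)   # v18.5 MR4 (18.5.4)
FIXED_19_0 = SfosVersion(19, 0, 0)   # v19.0 GA

AFFECTED = "affected-verify-hotfix"
FIXED = "fixed-in-release"


def status(text: str) -> str:
    """Classify a version string against CVE-2022-1040 fixed releases.

    Older branches (17.x, 18.0, 18.5 MR3 and below, 19.0 EAP) may have the
    hotfix installed, but that is not visible from the version string, so they
    are reported as affected and must be checked for the hotfix separately.
    """
    v = parse_version(text)
    if (v.major, v.minor) == (FIXED_18_5.major, FIXED_18_5.minor) and v.mr >= FIXED_18_5.mr:
        return FIXED
    if (v.major, v.minor) >= (FIXED_19_0.major, FIXED_19_0.minor) and v.mr >= FIXED_19_0.mr:
        return FIXED
    return AFFECTED  # conservative default for anything else


def triage(inventory):
    """Map each (hostname, version) pair in an inventory to its status."""
    return {host: status(ver) for host, ver in inventory}


# Constructed sample inventory; hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = [
    ("fw-branch-01", "18.5 MR3"),
    ("fw-hq-01", "v18.5 MR4"),
    ("fw-dc-02", "19.0 GA"),
    ("fw-lab-01", "19.0 EAP"),
    ("fw-legacy-01", "17.5 MR14"),
    ("fw-dc-03", "18.5.4"),
]

if __name__ == "__main__":
    for host, result in triage(SAMPLE_INVENTORY).items():
        print(f"{host:14s} {result}")
```

Feed the function the version strings exported from your firewall inventory or management console; devices reported as affected then need the hotfix confirmed (or the upgrade scheduled) and, independently of version, WAN access to the User Portal and Webadmin reviewed.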

Try Blumira For Free

Blumira’s cloud SIEM detects and alerts you about suspicious behavior in your environment so that you can stop an incident early enough to prevent damage. Each finding we send is accompanied by a security playbook, giving you clear recommendations on how to remediate an attack. Our support team of security analysts is always available to answer questions on how to interpret a finding, or for other security help.

Blumira’s free SIEM is easy to deploy; IT and security teams can start seeing immediate security value for their organizations.
