Overview
[Update December 11, 2023] A code injection vulnerability allowing remote code execution was discovered in the User Portal and Webadmin of Sophos Firewall. The vulnerability was originally fixed in September 2022. In December 2023, we delivered an updated fix after identifying new exploit attempts against this same vulnerability in older, unsupported versions of the Sophos Firewall.
No action is required if organizations have upgraded their firewalls to a supported firmware version after September 2022.
All the vulnerable devices are running end-of-life (EOL) firmware. We immediately developed a patch for certain EOL firmware versions, which was automatically applied to the 99% of affected organizations that have “accept hotfix” turned on.
Attackers commonly hunt for EOL devices and firmware from any technology vendor, so we strongly recommend that organizations upgrade their EOL devices and firmware to the latest versions.
[September 23, 2022] No action is required for Sophos Firewall customers with the "Allow automatic installation of hotfixes" feature enabled on remediated versions (see Remediation section below). Enabled is the default setting.
[Update October 20, 2022] Sophos has observed this vulnerability being used in the wild. See the Incident response section below for details.
Applies to the following Sophos product(s) and version(s)
Sophos Firewall v19.0 MR1 (19.0.1) and older
Workaround
Customers can protect themselves from external attackers by ensuring their User Portal, and Webadmin are not exposed to WAN.
Disable WAN access to the User Portal and Webadmin by following device access best practices and instead use VPN and/or Sophos Central (preferred) for remote access and management.
Remediation
- Ensure you are running a supported version
- Hotfixes for the following versions published on September 21, 2022:
- v19.0 GA, MR1, and MR1-1
- v18.5 GA, MR1, MR1-1, MR2, MR3, and MR4
- Hotfixes for the following versions published on September 23, 2022:
- v18.0 MR3, MR4, MR5, and MR6
- v17.5 MR12, MR13, MR14, MR15, MR16, and MR17
- v17.0 MR10
- Hotfixes for the following versions published on December 6, 2023:
- v19.0 GA, MR1, and MR1-1
- Hotfixes for the following versions published on December 8, 2023:
- v18.5 GA, MR1, MR1-1, MR2, MR3, and MR4
- Hotfixes for the following versions published on December 11, 2023:
- v17.0 MR10
- Fix included in v18.5 MR5 (18.5.5), v19.0 MR2 (19.0.2), v19.5 GA and above
- Users of older versions of Sophos Firewall are required to upgrade to receive the latest protections, and this fix
Incident response
Sophos has observed this vulnerability being used to target a small set of specific organizations, primarily in the South Asia region. We have informed each of these organizations directly. Sophos will provide further details as we continue to investigate.
- September 16, 2022: Vulnerability discovered
- September 20-21, 2022: Reached out to targeted customers
- September 21-23, 2022: Vulnerability remediated
- September 23, 2022: Security advisory published
- November 27, 2023: New exploit identified
- December 6-11, 2023: Vulnerability remediated
- December 11, 2023: Security advisory updated
Verifying the hotfix
- To confirm that the hotfix has been applied to your firewall, please refer to https://support.sophos.com/support/s/article/KB-000044539?language=en_US
Related information
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3236
- https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Administration/DeviceAccess/index.html
- https://news.sophos.com/en-us/2022/10/19/sophos-x-ops-finds-attackers-using-covert-channels-in-backdoor-against-devices/