Resolved RCE in Sophos Firewall (CVE-2022-3236)

Overview

A code injection vulnerability allowing remote code execution was discovered in the User Portal and Webadmin of Sophos Firewall. The vulnerability has been fixed.

No action is required for Sophos Firewall customers with the "Allow automatic installation of hotfixes" feature enabled on remediated versions (see Remediation section below). Enabled is the default setting.

Sophos has observed this vulnerability being used in the wild. See the Incident response section below for details.

Applies to the following Sophos product(s) and version(s)

Sophos Firewall v19.0 MR1 (19.0.1) and older

Workaround

Customers can protect themselves from external attackers by ensuring their User Portal, and Webadmin are not exposed to WAN.

Disable WAN access to the User Portal and Webadmin by following device access best practices and instead use VPN and/or Sophos Central (preferred) for remote access and management.

Remediation

• Ensure you are running a supported version

• Hotfixes for the following versions published on September 21, 2022:

  • v19.0 GA, MR1, and MR1-1

  • v18.5 GA, MR1, MR1-1, MR2, MR3, and MR4

• Hotfixes for the following versions published on September 23, 2022:

  • v18.0 MR3, MR4, MR5, and MR6

  • v17.5 MR12, MR13, MR14, MR15, MR16, and MR17

  • v17.0 MR10

• Fix included in v18.5 MR5 (18.5.5), v19.0 MR2 (19.0.2), and v19.5 GA

• Users of older versions of Sophos Firewall are required to upgrade to receive the latest protections, and this fix

Incident response

Sophos has observed this vulnerability being used to target a small set of specific organizations, primarily in the South Asia region. We have informed each of these organizations directly. Sophos will provide further details as we continue to investigate.

• September 16, 2022: Vulnerability discovered

• September 20-21, 2022: Reached out to targeted customers

• September 21-23, 2022: Vulnerability remediated

• September 23, 2022: Security advisory published

Verifying the hotfix

• To confirm that the hotfix has been applied to your firewall, please refer to https://support.sophos.com/support/s/article/KB-000044539?language=en_US

Related information

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3236

• https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Administration/DeviceAccess/index.html

• https://news.sophos.com/en-us/2022/10/19/sophos-x-ops-finds-attackers-using-covert-channels-in-backdoor-against-devices/