Sophos has launched hotfixes to handle three safety flaws in Sophos Firewall merchandise that might be exploited to attain distant code execution and permit privileged system entry below sure situations.
Of the three, two are rated Essential in severity. There may be at the moment no proof that the shortcomings have been exploited within the wild. The record of vulnerabilities is as follows –
- CVE-2024-12727 (CVSS rating: 9.8) – A pre-auth SQL injection vulnerability within the e-mail safety characteristic that might result in distant code execution, if a particular configuration of Safe PDF eXchange (SPX) is enabled together with the firewall working in Excessive Availability (HA) mode.
- CVE-2024-12728 (CVSS rating: 9.8) – A weak credentials vulnerability arising from a recommended and non-random SSH login passphrase for Excessive Availability (HA) cluster initialization that is still lively even after the HA institution course of accomplished, thereby exposing an account with privileged entry if SSH is enabled.
- CVE-2024-12729 (CVSS rating: 8.8) – A post-auth code injection vulnerability within the Consumer Portal that enables authenticated customers to achieve distant code execution.
The safety vendor mentioned CVE-2024-12727 impacts about 0.05% of units, whereas CVE-2024-12728 impacts roughly 0.5% of them. All three recognized vulnerabilities affect Sophos Firewall variations 21.0 GA (21.0.0) and older. It has been remediated within the following variations –
- CVE-2024-12727 – v21 MR1 and newer (Hotfixes for v21 GA, v20 GA, v20 MR1, v20 MR2, v20 MR3, v19.5 MR3, v19.5 MR4, v19.0 MR2)
- CVE-2024-12728 – v20 MR3, v21 MR1 and newer (Hotfixes for v21 GA, v20 GA, v20 MR1, v19.5 GA, v19.5 MR1, v19.5 MR2, v19.5 MR3, v19.5 MR4, v19.0 MR2, v20 MR2)
- CVE-2024-12729 – v21 MR1 and newer (Hotfixes for v21 GA, v20 GA, v20 MR1, v20 MR2, v19.5 GA, v19.5 MR1, v19.5 MR2, v19.5 MR3, v19.5 MR4, v19.0 MR2, v19.0 MR3)
To make sure that the hotfixes have been utilized, customers are being advisable to observe the below-mentioned steps –
- CVE-2024-12727 – Launch System Administration > Superior Shell from the Sophos Firewall console, and run the command “cat /conf/nest_hotfix_status” (The hotfix is utilized if the worth is 320 or above)
- CVE-2024-12728 and CVE-2024-12729 – Launch System Console from the Sophos Firewall console, and run the command “system diagnostic present version-info” (The hotfix is utilized if the worth is HF120424.1 or later)
As momentary workarounds till the patches could be utilized, Sophos is urging prospects to limit SSH entry to solely the devoted HA hyperlink that’s bodily separate, and/or reconfigure HA utilizing a sufficiently lengthy and random customized passphrase.
One other safety measure that customers can take is to disable WAN entry through SSH, in addition to make sure that Consumer Portal and Webadmin will not be uncovered to WAN.
The event comes somewhat over per week after the U.S. authorities unsealed expenses towards a Chinese language nationwide named Guan Tianfeng for allegedly exploiting a zero-day safety vulnerability (CVE-2020-12271, CVSS rating: 9.8) to interrupt into about 81,000 Sophos firewalls internationally.
