Sophos Firewall vulnerable to critical remote code execution flaw

Sophos

Sophos has addressed three vulnerabilities in its Sophos Firewall product that could allow remote unauthenticated threat actors to perform SQL injection, remote code execution, and gain privileged SSH access to devices.

The vulnerabilities affect Sophos Firewall version 21.0 GA (21.0.0) and older, with the company already releasing hotfixes and permanent fixes through new firmware updates.

The three flaws are summarized as follows: 

  • CVE-2024-12727: A pre-authentication SQL injection vulnerability in the email protection feature. If a specific configuration of Secure PDF eXchange (SPX) is enabled in combination with High Availability (HA) mode, it allows access to the reporting database, potentially leading to RCE.
  • CVE-2024-12728: The suggested, non-random SSH login passphrase for HA cluster initialization remains active after the process completes, leaving systems where SSH is enabled vulnerable to unauthorized access due to predictable credentials.
  • CVE-2024-12729: An authenticated user can exploit a code injection vulnerability in the User Portal. This allows attackers with valid credentials to execute arbitrary code remotely, increasing the risk of privilege escalation or further exploitation.

The company says CVE-2024-12727 impacts approximately 0.05% of firewall devices with the specific configuration required for exploitation. As for CVE-2024-12728, the vendor says it impacts approximately 0.5% of devices.

Available fixes

Hotfixes and complete fixes were made available through various versions and dates, as follows: 

Hotfixes for CVE-2024-12727 are available since December 17 for versions 21 GA, v20 GA, v20 MR1, v20 MR2, v20 MR3, v19.5 MR3, v19.5 MR4, v19.0 MR2, while a permanent fix was introduced in v21 MR1 and newer.

Hotfixes for CVE-2024-12728 were released between November 26 and 27 for v21 GA, v20 GA, v20 MR1, v19.5 GA, v19.5 MR1, v19.5 MR2, v19.5 MR3, v19.5 MR4, v19.0 MR2, and v20 MR2, while permanent fixes are included in v20 MR3, v21 MR1 and newer.

For CVE-2024-12729, hotfixes were released between December 4 and 10 for versions v21 GA, v20 GA, v20 MR1, v20 MR2, v19.5 GA, v19.5 MR1, v19.5 MR2, v19.5 MR3, v19.5 MR4, v19.0 MR2, v19.0 MR3, and v20 MR3, and a permanent fix is available in v21 MR1 and later.

For instructions on how to apply the Sophos Firewall hotfixes and to validate that they were successfully installed, refer to KBA-000010084.

Sophos has also proposed workarounds for mitigating risks associated with CVE-2024-12728 and CVE-2024-12729 for those who cannot apply the hotfix or upgrade.

To mitigate CVE-2024-12728, it is recommended to limit SSH access only to the dedicated HA link that is physically separated from other network traffic and reconfigure the HA setup using a sufficiently long and random custom passphrase.

For remote management and access, disabling SSH over the WAN interface and using Sophos Central or a VPN is generally recommended.

To mitigate CVE-2024-12729, it is recommended that admins ensure the User Portal and Webadmin interfaces are not exposed to the WAN.