Sophos Issues Critical Security Hotfixes for Firewall Vulnerabilities
Sophos has recently released crucial security hotfixes addressing three vulnerabilities within its Firewall products. These flaws could potentially be exploited to facilitate remote code execution, granting unauthorized privileged access to attackers under specific conditions, posing significant risks to organizations reliant on these systems.
Among the identified vulnerabilities, two have been classified as Critical, highlighting the severity of the risks they pose. Importantly, there are no current reports indicating these vulnerabilities have been actively exploited in real-world attacks. The vulnerabilities include CVE-2024-12727, a pre-authentication SQL injection issue affecting the email protection functionality, and CVE-2024-12728, which involves weak credentials due to a suggested non-random SSH password used during High Availability (HA) cluster setup. The third vulnerability, CVE-2024-12729, allows authenticated users to execute arbitrary code via the User Portal.
CVE-2024-12727 and CVE-2024-12728 both receive a daunting CVSS score of 9.8, significantly elevating their threat level. In contrast, CVE-2024-12729 has a CVSS score of 8.8, still underscoring its potential for major misuse. The vulnerabilities primarily impact earlier versions of Sophos Firewall, specifically version 21.0 GA and prior. Sophos reports that the exposure affects a small percentage of devices: approximately 0.05% for CVE-2024-12727 and around 0.5% for CVE-2024-12728.
To mitigate these risks, organizations should promptly update their firewall systems to the remedied versions, which include v21 MR1 and later. Users are strongly advised to verify the application of hotfixes via specific commands accessible in the Sophos Firewall console. Prior to applying these patches, Sophos recommends interim measures such as limiting SSH access strictly to dedicated physical HA links and disabling WAN access via SSH altogether.
This urgent update comes shortly after the U.S. government unveiled charges against a Chinese national, accused of targeting approximately 81,000 Sophos firewalls globally by exploiting a distinct zero-day vulnerability. Such incidents highlight the persistent threat landscape facing organizations today, emphasizing the necessity for vigilance and proactive security measures.
Given the nature of these vulnerabilities, adversary tactics potentially employed could include initial access via SQL injection and privilege escalation through weak credential exploitation, as outlined in the MITRE ATT&CK framework. These insights reinforce the critical importance of robust security practices and maintaining up-to-date systems to defend against evolving cyber threats.
For business owners, the Sophos incident serves as a reminder of the pivotal role effective cybersecurity postures play in safeguarding sensitive information and infrastructure from vulnerabilities that could lead to significant operational disruptions. Organizations are encouraged to regularly review and enhance their security protocols, helping to ensure resilience against potential breaches and unauthorized access attempts.
