Sophos has released hotfixes for three security vulnerabilities in Sophos Firewall, its widely deployed network security appliance, two of which are rated critical. The flaws, tracked as CVE-2024-12727, CVE-2024-12728, and CVE-2024-12729, range from pre-authentication remote code execution to exposure of a privileged system account.
CVE-2024-12727: Pre-auth SQL Injection (CVSS 9.8)
The most serious of the three, CVE-2024-12727, is a pre-authentication SQL injection vulnerability in the email protection feature of Sophos Firewall. An unauthenticated attacker could use it to gain access to the reporting database; it escalates to remote code execution only under a specific configuration, namely when the Secure PDF eXchange (SPX) feature is enabled and the firewall is running in High Availability (HA) mode.
Sophos noted, “The issue, impacting about 0.05% of devices, was discovered and responsibly disclosed to Sophos by an external security researcher via the Sophos bug bounty program.”
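The advisory gives no details of the injection itself, so the following is an added illustration of the vulnerability class rather than Sophos code: a toy "reporting" database in SQLite and a recipient lookup of the kind a mail-protection component performs before any user has authenticated (the envelope recipient is attacker-controlled). The table names, the lookup function and the sample rows are all constructed for the example; the point is the contrast between the concatenated query and the parameterised one.

```python
"""Illustrative pre-auth SQL injection in a mail-handling lookup, beside its fix.

Added example, not Sophos code. The schema, data and function names are
constructed for illustration only.
"""
import sqlite3


def build_reporting_db() -> sqlite3.Connection:
    """Constructed sample data standing in for a reporting database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE protected_recipients (address TEXT PRIMARY KEY);
        CREATE TABLE admin_sessions (user TEXT, session_token TEXT);
        INSERT INTO protected_recipients VALUES ('alice@example.com');
        INSERT INTO admin_sessions VALUES ('admin', 'sess-0123456789abcdef');
        """
    )
    return conn


def lookup_recipient_vulnerable(conn: sqlite3.Connection, rcpt: str) -> list:
    """Builds the query by string concatenation: the envelope recipient
    becomes part of the SQL text, so a crafted address rewrites the query."""
    sql = "SELECT address FROM protected_recipients WHERE address = '" + rcpt + "'"
    return conn.execute(sql).fetchall()


def lookup_recipient_safe(conn: sqlite3.Connection, rcpt: str) -> list:
    """Same lookup with a bound parameter: the driver passes the value
    separately from the statement, so it cannot alter the query structure."""
    sql = "SELECT address FROM protected_recipients WHERE address = ?"
    return conn.execute(sql, (rcpt,)).fetchall()


# Constructed malicious envelope recipient: closes the string literal,
# UNIONs in a column from an unrelated table, and comments out the
# trailing quote the vulnerable code appends.
INJECTED_RCPT = "x' UNION SELECT session_token FROM admin_sessions -- "


def demo() -> dict:
    """Run both lookups with a legitimate and a malicious recipient."""
    conn = build_reporting_db()
    return {
        "legit_vuln": lookup_recipient_vulnerable(conn, "alice@example.com"),
        "legit_safe": lookup_recipient_safe(conn, "alice@example.com"),
        "attack_vuln": lookup_recipient_vulnerable(conn, INJECTED_RCPT),
        "attack_safe": lookup_recipient_safe(conn, INJECTED_RCPT),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the malicious recipient, the concatenated query returns the session token from a table the lookup was never meant to touch, while the parameterised version simply finds no matching address. This is the mechanism by which a pre-auth injection in a mail path reaches data in a separate reporting database, and why the fix is binding parameters rather than filtering input.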
CVE-2024-12728: Insecure SSH Passphrase (CVSS 9.8)
CVE-2024-12728 stems from a suggested, non-random SSH login passphrase that remains in effect after the HA cluster establishment process. Because the passphrase is predictable, anyone who can reach the SSH service could use it to log into a privileged system account on an affected device if SSH is enabled. Sophos estimates that approximately 0.5% of devices are at risk.
To address this, customers can ensure “SSH access is restricted to only the dedicated HA link that is physically separate and/or HA is reconfigured using a sufficiently long and random custom passphrase.”
CVE-2024-12729: Post-auth Code Injection (CVSS 8.8)
The third vulnerability, CVE-2024-12729, is a post-authentication code injection flaw that allows authenticated users to execute arbitrary code via the User Portal. An external researcher also responsibly disclosed this issue to Sophos. Authentication is required, but the User Portal serves ordinary end users rather than administrators, so a single phished or weak end-user credential is enough to reach the flaw, which makes it a significant risk for organizations that expose the portal.
Remediation and Recommendations
Sophos has released hotfixes that address these vulnerabilities on supported versions of Sophos Firewall. Customers with automatic hotfix installation enabled need take no action beyond verifying that the hotfix has been applied; those who have disabled automatic hotfixes should update manually without delay.
Hotfixes for CVE-2024-12727 and CVE-2024-12728 were released in November and December 2024, and fixes for CVE-2024-12729 followed shortly thereafter. Sophos also reiterates its standing best practices: disable WAN access to the User Portal and WebAdmin interfaces, and use a VPN or Sophos Central for remote management instead.
Mitigation Tips for Users
For organizations unable to update immediately, Sophos provides interim workarounds:
- Restrict SSH access to the dedicated HA link, which is physically separate from user-facing networks.
- Reconfigure HA using a sufficiently long and random custom passphrase in place of the suggested one.
- Disable WAN access to the User Portal and WebAdmin interfaces.
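The workarounds above are checkable. The following added example (not Sophos tooling) does two things a practitioner would want before the hotfix lands: it probes, from an external vantage point, whether SSH, WebAdmin or the User Portal answer on the firewall's WAN address, and it generates a replacement HA passphrase from the OS CSPRNG that meets a minimum length and character-class bar. The listening ports (22 for SSH, 4444 for WebAdmin, 443 for the User Portal) are the product defaults and are an assumption here; adjust them if your deployment has changed them. The exposure logic is kept in a pure function so it can be checked without network access.

```python
"""Interim hardening helpers for the Sophos Firewall workarounds.

Added example, not Sophos tooling. Port numbers are assumed product
defaults; change DEFAULT_PORTS to match your deployment.
"""
import secrets
import socket
import string

# Assumed default listening ports (SSH, WebAdmin console, User Portal).
DEFAULT_PORTS = {22: "SSH", 4444: "WebAdmin", 443: "User Portal"}


def probe_port(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes, i.e. the service
    is reachable from wherever this script runs (intended: the internet)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def assess_exposure(reachable: dict) -> list:
    """Turn {port: reachable?} into findings. Every reachable management
    service on the WAN side is a finding; an empty list means clean."""
    findings = []
    for port, is_open in sorted(reachable.items()):
        name = DEFAULT_PORTS.get(port, f"port {port}")
        if is_open:
            findings.append(
                f"FAIL: {name} ({port}/tcp) reachable on WAN; "
                "restrict it to the HA link or a VPN"
            )
    return findings


def audit_wan(host: str) -> list:
    """Probe all default management ports on the WAN address and report."""
    return assess_exposure({p: probe_port(host, p) for p in DEFAULT_PORTS})


PASSPHRASE_ALPHABET = string.ascii_letters + string.digits + "-_.,!@#%^&*"
MIN_PASSPHRASE_LEN = 24  # assumption: a floor well above any human-chosen value


def passphrase_is_acceptable(p: str) -> bool:
    """Reject short passphrases and those drawn from fewer than three
    character classes; length carries most of the entropy."""
    classes = [
        any(c.islower() for c in p),
        any(c.isupper() for c in p),
        any(c.isdigit() for c in p),
        any(not c.isalnum() for c in p),
    ]
    return len(p) >= MIN_PASSPHRASE_LEN and sum(classes) >= 3


def generate_ha_passphrase(length: int = 32) -> str:
    """Random passphrase from the OS CSPRNG (secrets), regenerated until it
    passes the acceptance check, for replacing the suggested HA passphrase."""
    if length < MIN_PASSPHRASE_LEN:
        raise ValueError(f"length must be at least {MIN_PASSPHRASE_LEN}")
    while True:
        candidate = "".join(secrets.choice(PASSPHRASE_ALPHABET) for _ in range(length))
        if passphrase_is_acceptable(candidate):
            return candidate


if __name__ == "__main__":
    import sys
    wan_ip = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"  # placeholder address
    for line in audit_wan(wan_ip) or ["OK: no management services reachable"]:
        print(line)
    print("suggested HA passphrase:", generate_ha_passphrase())
```

Run it from a host outside the firewall's perimeter with the WAN IP as the argument; a clean result does not prove the hotfix is installed, only that the vulnerable services are not reachable from that vantage point, so it complements rather than replaces the update.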
No Exploitation Observed So Far
While these vulnerabilities are severe, Sophos confirmed, “Sophos has not observed these vulnerabilities to be exploited at this time.” That offers some reassurance, but a pre-authentication flaw on an internet-facing firewall does not stay unexploited for long once details circulate, so organizations should apply the hotfixes and the recommended mitigations now rather than wait for reports of attacks.