
Attackers exploit Sophos’ firewall code injection vulnerability

Obanla Opeyemi

October 5, 2022 - TuxCare expert team

Sophos has warned that attackers are exploiting, in the wild, a critical code injection vulnerability in the company’s Firewall product.

The vulnerability is tracked as CVE-2022-3236 and resides in the User Portal and Webadmin of the Sophos firewall, allowing remote code execution.

“Sophos has observed this vulnerability being used to target a small set of specific organizations, primarily in the South Asia region. We have informed each of these organizations directly. Sophos will provide further details as we continue to investigate. No action is required for Sophos Firewall customers with the ‘Allow automatic installation of hotfixes’ feature enabled on remediated versions (see Remediation section below). Enabled is the default setting,” Sophos explained.

Sophos stated that it has released hotfixes for the Sophos Firewall versions affected by the security bug (v19.0 MR1 (19.0.1) and older). The company stated that it would automatically roll out the update to all instances, since automatic installation of hotfixes is enabled by default.


Users of older versions of the Sophos firewall would need to upgrade to a supported version to get the CVE-2022-3236 patch.

The company also provided a workaround for customers who cannot immediately patch the vulnerable software: ensure that the firewall’s User Portal and Webadmin are not exposed to WAN access.

“Disable WAN access to the User Portal and Webadmin by following device access best practices and instead use VPN and/or Sophos Central (preferred) for remote access and management,” the company added.

The sources for this piece include an article in BleepingComputer.
