Attackers exploit Sophos’ firewall code injection vulnerability
Sophos has warned that attackers are exploiting, in the wild, a critical code injection vulnerability in the company’s Firewall product.
The vulnerability is tracked as CVE-2022-3236 and resides in the User Portal and Webadmin of the Sophos firewall, allowing remote code execution.
“Sophos has observed this vulnerability being used to target a small set of specific organizations, primarily in the South Asia region. We have informed each of these organizations directly. Sophos will provide further details as we continue to investigate. No action is required for Sophos Firewall customers with the ‘Allow automatic installation of hotfixes’ feature enabled on remediated versions (see Remediation section below). Enabled is the default setting,” Sophos explained.
Sophos stated that it has released hotfixes for the Sophos Firewall versions affected by the security bug (v19.0 MR1 (19.0.1) and older). The company stated that it would automatically roll out the hotfix to all instances, since automatic hotfix installation is enabled by default.
Users of older versions of the Sophos firewall would need to upgrade to a supported version to get the CVE-2022-3236 patch.
The company also provided a workaround for customers who cannot immediately patch the vulnerable software: make sure the firewall’s User Portal and Webadmin are not exposed to WAN access.
“Disable WAN access to the User Portal and Webadmin by following device access best practices and instead use VPN and/or Sophos Central (preferred) for remote access and management,” the company added.
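An added example, not Sophos’ own code: a small inventory triage in Python that applies the advisory’s guidance above (affected versions, the automatic hotfix setting, and WAN exposure of the User Portal and Webadmin). The sample inventory and the MIN_HOTFIXED cut-off are constructed assumptions; the advisory itself names only 19.0.1 and older as affected and does not list which older releases still receive a hotfix.

```python
import re
from dataclasses import dataclass

# Per the advisory, v19.0 MR1 (19.0.1) and older are affected.
AFFECTED_MAX = (19, 0, 1)
# PLACEHOLDER (assumption, not in the advisory): oldest release still receiving the hotfix.
MIN_HOTFIXED = (18, 5, 0)

def parse_version(text: str):
    """Extract an x.y.z triple from '19.0.1' or 'v19.0 MR1 (19.0.1)' style strings."""
    matches = re.findall(r"(\d+)\.(\d+)\.(\d+)", text)
    if not matches:
        raise ValueError(f"no x.y.z version in {text!r}")
    major, minor, patch = matches[-1]  # the parenthesised triple, when present, comes last
    return int(major), int(minor), int(patch)

@dataclass
class Firewall:
    name: str
    version: str
    auto_hotfix: bool    # 'Allow automatic installation of hotfixes' enabled?
    portal_on_wan: bool  # User Portal / Webadmin reachable from the WAN?

def triage(fw: Firewall):
    """Return the remediation actions the advisory implies for one device."""
    version = parse_version(fw.version)
    if version > AFFECTED_MAX:
        return ["not affected"]
    if version < MIN_HOTFIXED:
        actions = ["upgrade to a supported version; no hotfix for this release"]
    elif fw.auto_hotfix:
        actions = ["no action: hotfix installs automatically"]
    else:
        actions = ["install the hotfix or enable automatic hotfix installation"]
    if fw.portal_on_wan:
        actions.append("disable WAN access to User Portal and Webadmin; use VPN or Sophos Central")
    return actions

# Constructed sample inventory (not real devices).
INVENTORY = [
    Firewall("fw-hq", "v19.0 MR1 (19.0.1)", auto_hotfix=True, portal_on_wan=False),
    Firewall("fw-branch", "18.5.4", auto_hotfix=False, portal_on_wan=True),
    Firewall("fw-lab", "17.5.10", auto_hotfix=True, portal_on_wan=True),
    Firewall("fw-new", "19.5.0", auto_hotfix=True, portal_on_wan=True),
]

if __name__ == "__main__":
    for fw in INVENTORY:
        print(f"{fw.name}: " + "; ".join(triage(fw)))
```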
The sources for this piece include an article in BleepingComputer.