Critical Sophos Firewall Vulnerabilities Let Attackers Execute Remote Code
Sophos warns of three critical security vulnerabilities in its Sophos Firewall product. These vulnerabilities could potentially allow attackers to execute remote code on affected systems.
These vulnerabilities, identified as CVE-2024-12727, CVE-2024-12728, and CVE-2024-12729, pose significant risks to organizations relying on Sophos Firewall for network security.
CVE-2024-12727 is a pre-authentication SQL injection vulnerability in the email protection feature of the Sophos Firewall. If exploited, it could grant attackers access to the reporting database and, under specific conditions (when the Secure PDF Exchange (SPX) feature is enabled and the firewall operates in High Availability (HA) mode), enable remote code execution. Hotfixes were released on December 17, 2024, for various versions, with fixes included in v21 MR1 and newer.
This issue affects approximately 0.05% of devices and was responsibly disclosed by an external security researcher through Sophos’s bug bounty program.
CVE-2024-12728: This vulnerability involves the reuse of a suggested and non-random SSH login passphrase after the HA establishment process, potentially exposing privileged system accounts if SSH is enabled. It impacts about 0.5% of devices and was discovered during Sophos’s internal security testing. Hotfixes were published on November 26 and 27, 2024, with fixes included in v20 MR3, v21 MR1, and newer.
CVE-2024-12729: A post-authentication code injection vulnerability in the User Portal allows authenticated users to execute arbitrary code. An external researcher also responsibly disclosed this. Hotfixes were released on December 4, 5, and 10, 2024, with fixes included in v21 MR1 and newer.
Sophos has released hotfixes for these vulnerabilities, which are automatically applied to devices with the “Allow automatic installation of hotfixes” feature enabled. For those not using this feature, manual updates are necessary.
For organizations unable to update immediately, Sophos provides interim workarounds:
- For CVE-2024-12728: Restrict SSH access to dedicated HA links and use long, random passphrases for HA configuration.
- For CVE-2024-12729: Disable WAN access to the User Portal and WebAdmin interfaces, using VPN or Sophos Central for remote management.
Sophos has not observed these vulnerabilities being exploited in the wild; however, the company emphasizes the importance of applying updates and following recommended mitigations to prevent potential future attacks.
Organizations are urged to ensure their Sophos Firewall is up to date to mitigate these critical vulnerabilities effectively.