Sophos Firewall RCE vulnerability actively exploited
THREAT LEVEL: Amber
A security researcher has discovered an authentication bypass vulnerability that resides in the User Portal and Webadmin areas of Sophos Firewall. Attackers are actively exploiting this vulnerability to attack enterprises in South Asia.
The vulnerability, tracked as CVE-2022-1040, allows a remote attacker who can reach the Firewall’s User Portal or Webadmin interface to bypass authentication and execute arbitrary code.
Sophos published hotfixes to address this vulnerability; they are deployed automatically to all susceptible devices on which the ‘Allow automatic installation of hotfixes’ setting is enabled, as it is by default. However, end-of-life Sophos Firewall versions must be manually upgraded in order to address the security issue and defend against the ongoing attacks. Customers can also reduce their exposure to external attackers by not exposing the User Portal and Webadmin to the WAN.
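As an added example (not code from HivePro or from Sophos), the check below scans access-log lines for requests to the User Portal or Webadmin listeners that arrive from addresses outside the private ranges, which is the WAN exposure the advisory recommends eliminating. The log line format, the request paths, the sample records and the default listener ports (443 for the User Portal, 4444 for Webadmin) are assumptions made for this example; adjust them to the ports configured on the device and to the log export actually available.

```python
"""
Added example: flag administrative-interface requests that originate from
non-private (WAN) source addresses. Everything below, including the log
format and sample records, is constructed for illustration and is not
taken from the advisory or from a Sophos log export.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed default listener ports; change to the device's configured ports.
ADMIN_PORTS = {443: "User Portal", 4444: "Webadmin"}

# Source ranges treated as internal. Anything else is considered WAN-facing.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "::1/128", "fc00::/7", "fe80::/10",                # IPv6 equivalents
)]

# Constructed log format: "<ts> src=<ip> dst_port=<port> path=<path> status=<code>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst_port=(?P<port>\d+) "
    r"path=(?P<path>\S+) status=(?P<status>\d{3})$"
)


@dataclass
class Finding:
    ts: str
    src: str
    service: str
    path: str
    status: int


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one log line, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_wan_source(ip_text: str) -> bool:
    """True when the address is outside every internal range (v4 or v6).
    Unparseable values are treated as not-WAN so they never trigger a finding."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def find_wan_admin_access(lines: List[str]) -> List[Finding]:
    """Collect requests to an admin listener whose source is a WAN address."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed or unrelated line
        port = int(rec["port"])
        if port not in ADMIN_PORTS or not is_wan_source(rec["src"]):
            continue
        findings.append(Finding(rec["ts"], rec["src"], ADMIN_PORTS[port],
                                rec["path"], int(rec["status"])))
    return findings


# Constructed sample records: two internal hits, two WAN hits on admin ports,
# one WAN hit on a non-admin port, and one malformed line.
SAMPLE_LOG = [
    "2022-03-25T10:00:01Z src=10.0.0.5 dst_port=4444 path=/webconsole/login status=200",
    "2022-03-25T10:00:02Z src=203.0.113.7 dst_port=4444 path=/webconsole/login status=200",
    "2022-03-25T10:00:03Z src=198.51.100.20 dst_port=443 path=/userportal/login status=302",
    "2022-03-25T10:00:04Z src=192.168.1.9 dst_port=443 path=/userportal/login status=200",
    "2022-03-25T10:00:05Z src=203.0.113.7 dst_port=8443 path=/sslvpn status=200",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for f in find_wan_admin_access(SAMPLE_LOG):
        print(f"{f.ts} {f.service} reached from WAN address {f.src} ({f.path}, HTTP {f.status})")
```

Any finding means the listener is reachable from outside; the follow-up is to restrict the User Portal and Webadmin to internal or VPN-only zones and confirm the hotfix is present, rather than to tune the rule.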
Potential MITRE ATT&CK TTPs are:
TA0042: Resource Development
TA0006: Credential Access
TA0007: Discovery
TA0001: Initial Access
TA0004: Privilege Escalation
TA0005: Defense Evasion
T1588: Obtain Capabilities
T1588.006: Obtain Capabilities: Vulnerabilities
T1190: Exploit Public-Facing Application
T1040: Network Sniffing
T1548: Abuse Elevation Control Mechanism
Vulnerability Details
References
https://www.sophos.com/en-us/security-advisories/sophos-sa-20220325-sfos-rce
https://support.sophos.com/support/s/article/KB-000043853?language=en_US