
More than 4,400 Sophos firewall servers are still vulnerable to critical exploits

More than 4,400 Internet-exposed servers running versions of the Sophos Firewall are vulnerable to CVE-2022-3236, a critical and actively exploited flaw that lets attackers execute malicious code.

CVE-2022-3236 is a code injection vulnerability that allows remote code execution in the User Portal and Webadmin interfaces of the Sophos Firewall. The flaw is highly dangerous and carries a severity score of 9.8 out of 10.

Sophos took immediate action to address this issue with an automatic hotfix shipped in September 2022. We also alerted users who do not receive automatic hotfixes to apply the update themselves.

The situation is made worse by the fact that, according to recently published research, the 4,400 vulnerable servers running the Sophos Firewall represent about 6% of all of the company's firewalls.

The remaining 6% of Internet-facing installations that Baines mentions in his article are running an old, unsupported version of the software. This is a good opportunity to remind these users, and all users of outdated software of any kind, to follow security best-practice guides and update to the latest available version, as Sophos regularly does for its customers.

“More than 99% of Internet-facing Sophos Firewalls have not been updated to versions that contain the official fix for CVE-2022-3236,” said VulnCheck researcher Jacob Baines, adding: “About 93% are running builds that are eligible for a patch, and the default behavior for the firewall is to automatically download and apply patches, unless disabled by an administrator.”

How to act?

The researcher also said he was able to build a working exploit for the vulnerability from the technical description in the Zero Day Initiative advisory, and urged Sophos firewall users to make sure they are patched.

He also advised users of vulnerable servers to check two indicators of possible compromise: the log file located at /logs/csc.log, and the log file located at /log/validationError.log.

If either file contains a _discriminator field in a login request, it is likely that an attempt, successful or not, was made to exploit the vulnerability.
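The log check described above, as an added example that is not part of the original article or of any Sophos or VulnCheck tooling. It assumes only what the article states (two file paths and the _discriminator indicator); the sample log lines and the open-ended substring match are constructed, since the article does not document the log format.

```python
"""Scan the two Sophos Firewall log files named in the article for the
CVE-2022-3236 indicator: a "_discriminator" field in a login request.

Assumption: the real log format is not given in the article, so this is a
plain case-insensitive substring match, not a field-level parse. Confirm the
paths on the appliance; they are reproduced exactly as the article lists them.
"""
import re

# Log files named in the article (copied as written there).
IOC_FILES = ["/logs/csc.log", "/log/validationError.log"]

# Indicator from the article: a "_discriminator" field in a login request.
INDICATOR = re.compile(r"_discriminator", re.IGNORECASE)


def scan_lines(lines, source="<memory>"):
    """Return one hit per matching line as (source, line number, line text)."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        if INDICATOR.search(line):
            hits.append((source, lineno, line.rstrip("\n")))
    return hits


def scan_files(paths=IOC_FILES):
    """Scan each log file; a missing or unreadable file is reported, not fatal."""
    hits, skipped = [], []
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits.extend(scan_lines(fh, source=path))
        except OSError as exc:
            skipped.append((path, str(exc)))
    return hits, skipped


# Constructed sample lines (not real Sophos output) so the check runs offline.
SAMPLE_LOG = [
    "login request from 203.0.113.5: username=admin result=failed",
    "login request from 203.0.113.9: username=admin _discriminator=present",
    "session expired for user admin",
]

if __name__ == "__main__":
    for src, n, text in scan_lines(SAMPLE_LOG, source="sample"):
        print(f"{src}:{n}: possible CVE-2022-3236 attempt: {text}")
    real_hits, skipped = scan_files()
    for src, n, text in real_hits:
        print(f"{src}:{n}: possible CVE-2022-3236 attempt: {text}")
    for path, reason in skipped:
        print(f"skipped {path}: {reason}")
```

A hit only means an attempt was made; as the article notes, the request may still have failed at the CAPTCHA, so treat matches as a trigger for further investigation and patching, not proof of compromise.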

It’s not all bad news. The positive finding of the research is that mass exploitation is unlikely, because web clients must complete a CAPTCHA during authentication.

“The vulnerable code is only reached after the CAPTCHA is validated (…) A failed CAPTCHA will result in the exploit failing. While not impossible, solving CAPTCHA programmatically is a major hurdle for most attackers. Most Internet-facing Sophos Firewalls appear to have login CAPTCHA enabled, which means that even at the most opportune times, this vulnerability is unlikely to have been successfully exploited at scale.”
