Critical Sophos vulnerability allows Remote Code Execution
Sophos have published an update to deal with an authentication bypass vulnerability (CVE-2022-1040) in the User Portal and Web Admin interfaces.
A remote attacker could execute code allowing them to take control of the firewall.
Sophos have published instructions on how to verify that the fix has been applied.
Affected versions: Sophos Firewall v18.5 MR3 (18.5.3) and older.
Containment, Mitigations & Remediations
Sophos advise that customers with ‘Allow automatic installation of hotfixes’ enabled should automatically receive the fix.
To protect against remote attacks, network services should not be exposed to the internet unless absolutely required. Remote access can be controlled through the use of a VPN.
Indicators of Compromise
Sophos report that this vulnerability has been used to target some organisations, primarily in the South Asia region; those customers have been notified. The vulnerability has not yet been assigned a severity classification; however, Sophos are clearly concerned about it, as they have provided hotfixes for a variety of unsupported / end-of-life (EoL) devices, which also suggests that the vulnerability may have lain undetected for a considerable period of time.
MITRE ATT&CK technique: T1190 – Exploit Public-Facing Application