Severity
High
Analysis Summary
Sophos has fixed three flaws in its Sophos Firewall product that could have allowed remote, unauthenticated threat actors to execute code remotely, perform SQL injection, and obtain privileged SSH access to devices.
The company has already released hotfixes, which are installed by default, as well as permanent fixes through new firmware updates. Sophos Firewall versions 21.0 GA (21.0.0) and older are affected by the vulnerabilities. The three vulnerabilities are summarized below:
CVE-2024-12727: A pre-authentication SQL injection vulnerability in the email protection feature. When a particular Secure PDF eXchange (SPX) configuration is used in conjunction with High Availability (HA) mode, the flaw permits access to the reporting database and may result in RCE.
CVE-2024-12728: After HA cluster initialization is finished, the suggested, non-random SSH login passphrase remains active, leaving systems with SSH enabled exposed to unauthorized access through predictable credentials.
CVE-2024-12729: A code injection vulnerability in the User Portal that an authenticated user can exploit. Using legitimate credentials, attackers can remotely execute arbitrary code, raising the possibility of privilege escalation or further exploitation.
According to the company, CVE-2024-12727 affects 0.05% of firewall devices, namely those with the particular configuration needed for exploitation. According to the vendor, CVE-2024-12728 affects roughly 0.5% of devices. Hotfixes and full fixes were released across various versions and dates.
Although Sophos Firewall hotfixes are installed by default, the security advisory provides guidance on applying them and verifying that they were installed correctly. For users unable to deploy the hotfix or upgrade, Sophos has provided suggested remedies to reduce the risks related to CVE-2024-12728 and CVE-2024-12729.
To mitigate CVE-2024-12728, the advised steps are to reconfigure the HA setup with a suitably long and random custom passphrase and to restrict SSH access to the dedicated HA link, which is physically isolated from other network traffic. Disabling SSH on the WAN interface and using Sophos Central or a VPN for remote management and access is generally advised. To mitigate CVE-2024-12729, administrators are advised to ensure that the User Portal and Webadmin interfaces are not connected to the WAN.
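As an added triage example (written for this report, not code from Sophos or the advisory), the script below applies the advisory's conditions to a constructed firewall inventory: devices at 21.0 GA or older without a verified hotfix are flagged for each CVE whose preconditions (SPX plus HA, HA plus SSH, User Portal reachability) they meet, together with the advisory's mitigation. It assumes the inventory records the numeric SFOS version form the advisory quotes for 21.0 GA (e.g. "20.0.3" for 20.0 MR3) and uses hypothetical device names and field names.

```python
from dataclasses import dataclass
# Advisory cutoff: Sophos Firewall 21.0 GA (21.0.0) and older are affected.
AFFECTED_MAX = (21, 0, 0)

def parse_version(v: str) -> tuple:
    """Parse an assumed numeric SFOS version ('20.0.3' for 20.0 MR3) into a comparable tuple."""
    parts = v.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised SFOS version string: {v!r}")
    return tuple(int(p) for p in parts)

@dataclass
class Firewall:
    name: str
    version: str
    hotfix_applied: bool    # verified on the device, as the advisory recommends
    ha_mode: bool           # High Availability cluster
    spx_configured: bool    # Secure PDF eXchange in use
    ssh_enabled: bool
    ssh_on_wan: bool
    portal_on_wan: bool     # User Portal / Webadmin reachable from WAN

def triage(fw: Firewall) -> list:
    """Return the CVEs an unpatched device is exposed to under the advisory's conditions."""
    findings = []
    if fw.hotfix_applied or parse_version(fw.version) > AFFECTED_MAX:
        return findings
    if fw.ha_mode and fw.spx_configured:
        findings.append("CVE-2024-12727: pre-auth SQLi reachable (SPX + HA); apply hotfix or upgrade")
    if fw.ha_mode and fw.ssh_enabled:
        note = "CVE-2024-12728: predictable HA SSH passphrase; rerun HA setup with a long random one"
        if fw.ssh_on_wan:
            note += "; disable SSH on WAN and manage via Sophos Central or VPN"
        findings.append(note)
    note = "CVE-2024-12729: authenticated code injection in User Portal; apply hotfix or upgrade"
    if fw.portal_on_wan:
        note += "; keep User Portal/Webadmin off the WAN"
    findings.append(note)
    return findings

# Constructed inventory for illustration (not real devices).
INVENTORY = [
    Firewall("fw-branch-01", "19.5.4", False, True, True, True, True, True),
    Firewall("fw-hq-02", "20.0.3", True, True, False, True, False, False),
    Firewall("fw-lab-03", "21.0.0", False, False, False, True, False, True),
]

def triage_all(inventory=INVENTORY) -> dict:
    return {fw.name: triage(fw) for fw in inventory}
```

A device whose hotfix status is unknown should be recorded as `hotfix_applied=False` until verified, since the advisory asks administrators to confirm the hotfix actually installed.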
Impact
- Code Execution
- Unauthorized Access
- Privilege Escalation
Indicators of Compromise
CVE
- CVE-2024-12727
- CVE-2024-12728
- CVE-2024-12729
Affected Vendors
- Sophos
Affected Products
- Sophos Firewall v21 GA
- Sophos Firewall v20 GA
- Sophos Firewall v20 MR1
- Sophos Firewall v20 MR2
- Sophos Firewall v20 MR3
- Sophos Firewall v19.5 MR3
- Sophos Firewall v19.5 MR4
- Sophos Firewall v19.0 MR2
- Sophos Firewall v19.5 GA
- Sophos Firewall v19.5 MR1
- Sophos Firewall v19.5 MR2
- Sophos Firewall v19.0 MR3
Remediation
- Refer to the Sophos Security Advisory for patch, upgrade, or suggested workaround information.
- Organizations must test their assets for the vulnerabilities mentioned above and apply the available security patch or mitigation steps as soon as possible.
- Implement multi-factor authentication to add an extra layer of security to login processes.
- Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
- Organizations must stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
- Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
- Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
- Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
- Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
- Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
- Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.