Article Details
Scrape Timestamp (UTC): 2024-12-20 15:34:18.229
Original Article Text
Click to Toggle View
Sophos Firewall vulnerable to critical remote code execution flaw. Sophos has addressed three vulnerabilities in its Sophos Firewall product that could allow remote unauthenticated threat actors to perform SQL injection, remote code execution, and gain privileged SSH access to devices. The vulnerabilities affect Sophos Firewall version 21.0 GA (21.0.0) and older, with the company already releasing hotfixes and permanent fixes through new firmware updates. The three flaws are summarized as follows: The company says CVE-2024-12727 impacts approximately 0.05% of firewall devices with the specific configuration required for exploitation. As for CVE-2024-12728, the vendor says it impacts approximately 0.5% of devices. Available fixes Hotfixes and complete fixes were made available through various versions and dates, as follows: Hotfixes for CVE-2024-12727 are available since December 17 for versions 21 GA, v20 GA, v20 MR1, v20 MR2, v20 MR3, v19.5 MR3, v19.5 MR4, v19.0 MR2, while a permanent fix was introduced in v21 MR1 and newer. Hotfixes for CVE-2024-12728 were released between November 26 and 27 for v21 GA, v20 GA, v20 MR1, v19.5 GA, v19.5 MR1, v19.5 MR2, v19.5 MR3, v19.5 MR4, v19.0 MR2, and v20 MR2, while permanent fixes are included in v20 MR3, v21 MR1 and newer. For CVE-2024-12729, hotfixes were released between December 4 and 10 for versions v21 GA, v20 GA, v20 MR1, v20 MR2, v19.5 GA, v19.5 MR1, v19.5 MR2, v19.5 MR3, v19.5 MR4, v19.0 MR2, v19.0 MR3, and v20 MR3, and a permanent fix is available in v21 MR1 and later. For instructions on how to apply the Sophos Firewall hotfixes and to validate that they were successfully installed, refer to KBA-000010084. Sophos has also proposed workarounds for mitigating risks associated with CVE-2024-12728 and CVE-2024-12729 for those who cannot apply the hotfix or upgrade. To mitigate CVE-2024-12728, it is recommended to limit SSH access only to the dedicated HA link that is physically separated from other network traffic and reconfigure the HA setup using a sufficiently long and random custom passphrase. For remote management and access, disabling SSH over the WAN interface and using Sophos Central or a VPN is generally recommended. To mitigate CVE-2024-12729, it is recommended that admins ensure the User Portal and Webadmin interfaces are not exposed to the WAN.
Daily Brief Summary
Sophos has resolved three critical vulnerabilities in its Firewall product that permitted SQL injections, remote code execution, and unauthorized SSH access.
Affected versions include Sophos Firewall version 21.0 GA and older, with solutions delivered through hotfixes and new firmware updates.
CVE-2024-12727 affects about 0.05% of firewall devices, requiring a specific configuration for exploitation.
CVE-2024-12728 and CVE-2024-12729 impact 0.5% of firewall devices, with specific mitigations recommended for users unable to apply updates.
Hotfixes for CVE-2024-12727 were provided in December, while fixes for the other vulnerabilities were distributed in November and December respectively.
Sophos released guidance for mitigating risks associated with these vulnerabilities, recommending configurations to limit exposure and secure remote access via VPN.
For users unable to immediately upgrade, Sophos suggested limiting SSH access and ensuring specific interfaces are not exposed to external networks.