Article Details
Scrape Timestamp (UTC): 2024-12-21 02:31:03.365
Original Article Text
Click to Toggle View
Sophos discloses critical Firewall remote code execution flaw. Sophos has addressed three vulnerabilities in its Sophos Firewall product that could allow remote unauthenticated threat actors to perform SQL injection, remote code execution, and gain privileged SSH access to devices. The vulnerabilities affect Sophos Firewall version 21.0 GA (21.0.0) and older, with the company already releasing hotfixes that are installed by default and permanent fixes through new firmware updates. The three flaws are summarized as follows: The company says CVE-2024-12727 impacts approximately 0.05% of firewall devices with the specific configuration required for exploitation. As for CVE-2024-12728, the vendor says it impacts approximately 0.5% of devices. Available fixes Hotfixes and complete fixes were made available through various versions and dates, as follows: Hotfixes for CVE-2024-12727 are available since December 17 for versions 21 GA, v20 GA, v20 MR1, v20 MR2, v20 MR3, v19.5 MR3, v19.5 MR4, v19.0 MR2, while a permanent fix was introduced in v21 MR1 and newer. Hotfixes for CVE-2024-12728 were released between November 26 and 27 for v21 GA, v20 GA, v20 MR1, v19.5 GA, v19.5 MR1, v19.5 MR2, v19.5 MR3, v19.5 MR4, v19.0 MR2, and v20 MR2, while permanent fixes are included in v20 MR3, v21 MR1 and newer. For CVE-2024-12729, hotfixes were released between December 4 and 10 for versions v21 GA, v20 GA, v20 MR1, v20 MR2, v19.5 GA, v19.5 MR1, v19.5 MR2, v19.5 MR3, v19.5 MR4, v19.0 MR2, v19.0 MR3, and v20 MR3, and a permanent fix is available in v21 MR1 and later. Sophos Firewall hotfixes are installed by default, but you can find instructions on how to apply them and validate that they were successfully installed by referring to KBA-000010084. Sophos has also proposed workarounds for mitigating risks associated with CVE-2024-12728 and CVE-2024-12729 for those who cannot apply the hotfix or upgrade. To mitigate CVE-2024-12728, it is recommended to limit SSH access only to the dedicated HA link that is physically separated from other network traffic and reconfigure the HA setup using a sufficiently long and random custom passphrase. For remote management and access, disabling SSH over the WAN interface and using Sophos Central or a VPN is generally recommended. To mitigate CVE-2024-12729, it is recommended that admins ensure the User Portal and Webadmin interfaces are not exposed to the WAN. Update 12/20/24: Updated article to explain that hotfixes are installed by default.
Daily Brief Summary
Sophos has patched three significant vulnerabilities in its Firewall product, targeting potential SQL injection, remote code execution, and unauthorized SSH access.
Affected versions include Sophos Firewall version 21.0 GA and older; comprehensive patches and firmware updates have been rolled out.
The vulnerabilities, designated as CVE-2024-12727, CVE-2024-12728, and CVE-2024-12729, impact a small percentage of devices under specific configurations.
Hotfixes for these vulnerabilities were distributed on various dates, with permanent solutions incorporated in later firmware versions.
Apart from direct updates, Sophos has recommended specific mitigation measures to reduce risk, including limiting SSH access and ensuring sensitive interfaces are not exposed to public networks.
These security fixes and recommendations are crucial for protecting networks from potential remote exploits by unauthenticated attackers.
Sophos actively provides updates and detailed instructions on implementing these fixes to maintain security integrity across its user base.