Security Alert: Critical Remote Code Execution Vulnerability Discovered in Sophos Firewall

Sophos has addressed three security flaws in Sophos Firewall that could allow remote attackers to perform SQL injection, achieve remote code execution, and gain privileged SSH access to affected devices; two of the three require no prior authentication.

Dec 23, 2024, by Saanidhya Dwivedi. 3 min read

The vulnerabilities affect Sophos Firewall version 21.0 GA (21.0.0) and earlier. Sophos has already deployed hotfixes, which are installed automatically by default, and is delivering permanent fixes in subsequent firmware releases.

Impact and Severity

The three security flaws are described below:

  • CVE-2024-12727: a pre-authentication SQL injection vulnerability in the email protection feature, rated critical with a CVSS score of 9.8. It allows access to the reporting database of Sophos Firewall, which can lead to remote code execution if a specific configuration of Secure PDF eXchange (SPX) is enabled in combination with the firewall running in High Availability (HA) mode. An external security researcher identified and responsibly reported the issue through the Sophos bug bounty program; Sophos estimates it affects approximately 0.05% of devices.
  • CVE-2024-12728: a weak-credentials vulnerability, also rated 9.8, caused by the suggested, non-random SSH login passphrase used for High Availability (HA) cluster initialisation. The passphrase remains active after the HA setup completes, potentially exposing a privileged system account if SSH is enabled. Sophos discovered this issue during internal security testing.
  • CVE-2024-12729: a post-authentication code injection vulnerability in the User Portal that allows authenticated users to gain remote code execution. It is rated high severity with a CVSS score of 8.8. The User Portal serves end users rather than administrators, so the authentication barrier here is a portal user's credentials, not an admin login.

Remediation and Hotfixes

Sophos has deployed hotfixes and published workarounds; which hotfix applies, and when it shipped, depends on the firmware version.

Hotfixes for CVE-2024-12727 have been available since December 17 for versions 21 GA, v20 GA, v20 MR1, v20 MR2, v20 MR3, v19.5 MR3, v19.5 MR4, and v19.0 MR2. A permanent fix has been introduced in v21 MR1 and newer.

For CVE-2024-12728, hotfixes were released between November 26 and 27 for v21 GA, v20 GA, v20 MR1, v19.5 GA, v19.5 MR1, v19.5 MR2, v19.5 MR3, v19.5 MR4, v19.0 MR2, and v20 MR2. Permanent fixes are included in v20 MR3, v21 MR1, and later versions.

For CVE-2024-12729, hotfixes were released between December 4 and 10 for versions v21 GA, v20 GA, v20 MR1, v20 MR2, v19.5 GA, v19.5 MR1, v19.5 MR2, v19.5 MR3, v19.5 MR4, v19.0 MR2, v19.0 MR3, and v20 MR3. A permanent fix is available in v21 MR1 and newer.

Sophos Firewall hotfixes are installed automatically by default, provided the device's automatic hotfix installation setting has not been turned off. Instructions for applying them manually and for verifying that the installation succeeded are in KBA-000010084.
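The version lists above are easy to misread across a fleet, so here is a small triage helper that encodes exactly the hotfix and permanent-fix data stated in this article and reports the status of each CVE for a given firmware string. It is an added example, not Sophos tooling; the version-string formats it accepts ("v20 MR3", "21.0 GA", "SFOS 20.0.3 MR-3-Build232") and the sample inventory are assumptions, and "and later" is interpreted within a release line (for example, v20 MR3 and later 20.x releases for CVE-2024-12728).

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]  # (major, minor, maintenance release); GA == MR0

# Advisory data as listed in the article above: versions with a hotfix per CVE.
HOTFIXED: Dict[str, set] = {
    "CVE-2024-12727": {(21, 0, 0), (20, 0, 0), (20, 0, 1), (20, 0, 2), (20, 0, 3),
                       (19, 5, 3), (19, 5, 4), (19, 0, 2)},
    "CVE-2024-12728": {(21, 0, 0), (20, 0, 0), (20, 0, 1), (20, 0, 2), (19, 5, 0),
                       (19, 5, 1), (19, 5, 2), (19, 5, 3), (19, 5, 4), (19, 0, 2)},
    "CVE-2024-12729": {(21, 0, 0), (20, 0, 0), (20, 0, 1), (20, 0, 2), (20, 0, 3),
                       (19, 5, 0), (19, 5, 1), (19, 5, 2), (19, 5, 3), (19, 5, 4),
                       (19, 0, 2), (19, 0, 3)},
}
# Permanent fixes: (first fixed version, exclusive upper bound or None) per release line.
# Assumption: "v20 MR3 and later" means 20.x from MR3 onward, not 21.0 GA.
PERMANENT: Dict[str, List[Tuple[Version, Optional[Version]]]] = {
    "CVE-2024-12727": [((21, 0, 1), None)],
    "CVE-2024-12728": [((20, 0, 3), (21, 0, 0)), ((21, 0, 1), None)],
    "CVE-2024-12729": [((21, 0, 1), None)],
}

_NUM = re.compile(r"v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", re.IGNORECASE)
_MR = re.compile(r"\bMR-?(\d+)", re.IGNORECASE)


def parse_version(text: str) -> Version:
    """Normalise 'v20 MR3', '21.0 GA', '19.5 MR4' or 'SFOS 20.0.3 MR-3-Build232'
    to (major, minor, mr). An explicit MR token wins; otherwise the third
    number is used; GA or no token means MR0."""
    m = _NUM.search(text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    major, minor, patch = (int(g) if g else 0 for g in m.groups())
    mr = _MR.search(text)
    return (major, minor, int(mr.group(1)) if mr else patch)


def fix_status(cve: str, version_text: str) -> str:
    """Status of one CVE for one firmware string, from the advisory data above."""
    v = parse_version(version_text)
    for first_fixed, upper in PERMANENT[cve]:
        if v >= first_fixed and (upper is None or v < upper):
            return "permanent fix"
    if v in HOTFIXED[cve]:
        return "hotfix available (verify installed per KBA-000010084)"
    return "no fix listed on this page: upgrade"


def triage(fleet: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Map each firewall (name -> reported firmware string) to its status per CVE."""
    return {name: {cve: fix_status(cve, ver) for cve in PERMANENT}
            for name, ver in fleet.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    sample_fleet = {
        "fw-hq-01": "SFOS 21.0.1 MR-1-Build237",
        "fw-branch-02": "SFOS 20.0.3 MR-3-Build232",
        "fw-lab-03": "19.0 MR1",
    }
    for name, statuses in triage(sample_fleet).items():
        print(name)
        for cve, status in statuses.items():
            print(f"  {cve}: {status}")
```

A "hotfix available" result is not proof that the hotfix landed: automatic installation can be disabled, so confirm it on the device as the KBA describes before closing the ticket.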

Workarounds

Sophos has outlined workarounds that mitigate CVE-2024-12728 and CVE-2024-12729 for those who are unable to apply the hotfix or perform an upgrade. No workaround is listed for CVE-2024-12727, so the hotfix or a firmware upgrade is the only remediation for it.

To address CVE-2024-12728, restrict SSH access to the dedicated HA link and ensure that link is physically separate from other network traffic. Additionally, or as an alternative, reconfigure the HA setup with a strong, random, and unique passphrase.

For secure remote management, disable SSH on the WAN interface and use Sophos Central or a VPN for access instead.

To mitigate CVE-2024-12729, ensure that the User Portal and Webadmin interfaces are not exposed to the WAN.
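The two checks behind these workarounds, as an added example rather than anything from the Sophos advisory: a probe that reports which management listeners answer on a WAN address (covering both the SSH-on-WAN and the User Portal/Webadmin exposure points), and a CSPRNG-backed replacement for the suggested HA passphrase. The port numbers are the factory defaults (22 SSH, 443 User Portal, 4444 Webadmin) and are an assumption; adjust them to your configuration. The self-test uses local sockets so the probe logic can be exercised without touching a firewall.

```python
import secrets
import socket
from typing import Dict, List

# Assumption: factory-default Sophos Firewall listeners; change if you moved them.
MANAGEMENT_PORTS: Dict[int, str] = {22: "SSH", 443: "User Portal", 4444: "Webadmin"}


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def wan_exposure(host: str, ports: Dict[int, str] = MANAGEMENT_PORTS,
                 timeout: float = 2.0) -> Dict[str, bool]:
    """Probe each management service on a WAN address. Run this from outside
    the perimeter (or a host that routes via the WAN side); from the LAN you
    would be testing the internal listeners, not WAN exposure."""
    return {name: tcp_reachable(host, port, timeout) for port, name in ports.items()}


def exposed_services(report: Dict[str, bool]) -> List[str]:
    """Names of the services that answered; an empty list is the desired state."""
    return sorted(name for name, is_open in report.items() if is_open)


def generate_ha_passphrase(nbytes: int = 24) -> str:
    """Replacement for the suggested HA passphrase: drawn from the OS CSPRNG,
    nbytes * 8 bits of entropy (192 by default). Assumption: check the length
    and character rules your firmware enforces before using it."""
    return secrets.token_urlsafe(nbytes)


def self_test() -> Dict[str, bool]:
    """Offline demonstration of the probe: a local listener stands in for an
    exposed SSH service, a bound-then-closed port for a closed Webadmin port."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    placeholder = socket.socket()
    placeholder.bind(("127.0.0.1", 0))
    closed_port = placeholder.getsockname()[1]
    placeholder.close()  # nothing listens here now; connects are refused
    try:
        return wan_exposure("127.0.0.1", {open_port: "SSH", closed_port: "Webadmin"},
                            timeout=1.0)
    finally:
        listener.close()


if __name__ == "__main__":
    report = self_test()
    print("self-test exposure report:", report)
    print("exposed:", exposed_services(report))
    print("candidate HA passphrase:", generate_ha_passphrase())
    # Real use, from an external vantage point, against your own WAN address:
    # print(exposed_services(wan_exposure("<your WAN IP>")))
```

A listener that answers on the WAN is not by itself proof of a vulnerable configuration (a firewall rule may still drop the handshake before the service sees it), but a handshake that completes from the outside is exactly the exposure these workarounds tell you to remove.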
