DIVD-2022-00029 - Remote Code Execution on Sophos Firewall
| Our reference | DIVD-2022-00029 |
| Case lead | Pepijn van der Stap |
| Author | Victor Pasman |
| Researcher(s) |
|
| CVE(s) | |
| Product | Sophos Firewall |
| Versions | v18.5 MR3 and older. |
| Recommendation | If you received a notification of a vulnerability, patch your system with the information provided in this notification. |
| Patch status | Available |
| Status | Closed |
| Last modified | 22 Feb 2023 19:19 CET |
Summary
An authentication bypass vulnerability allowing remote code execution was discovered in the User Portal and Webadmin of Sophos Firewall and responsibly disclosed to Sophos. The fully working exploit method has not been released, due to the fact that it was directly reported to Sophos via their bug bounty program. However, there is extensive research happening in the world to exploit this vulnerability, the root cause is already known and that’s how we validate whether Sophos Firewall instances patched or not.
Impact
By leveraging the vulnerability, an unauthenticated attacker with network access to the Sophos Firewall can execute arbitrary system commands, create or delete files, disable services or gain access to the internal network.
What you can do
- We recommend you to remediate the vulnerability by following Sophos Advisory
Fixes are available for the following versions:
- Hotfixes for v17.0 MR10 EAL4+, v17.5 MR16 and MR17, v18.0 MR5(-1) and MR6, v18.5 MR1 and MR2, and v19.0 EAP published on March 23, 2022
- Hotfixes for unsupported EOL versions v17.5 MR12 through MR15, and v18.0 MR3 and MR4 published on March 23, 2022
- Hotfixes for unsupported EOL version v18.5 GA published on March 24, 2022
- Hotfixes for v18.5 MR3 published on March 24, 2022
- Hotfixes for unsupported EOL version v17.5 MR3 published on April 4, 2022
- Fix included in v19.0 GA and v18.5 MR4 (18.5.4)
- Users of older versions of Sophos Firewall are required to upgrade to receive the latest protections and this fix
What we are doing
- DIVD is currently ensuring that the owners of vulnerable systems are being notified. We do this by scanning for vulnerable hosts, verifying the vulnerability and notifying the owners of these systems. If you receive an email from us regarding this case, the vulnerability has been confirmed.
- To validate whether your instance is patched we look perform a non-intrusive authentication bypass. We can distinguish whether the patch has been applied from the HTTP responses.
Timeline
| Date | Description |
|---|---|
| 10 May 2022 | DIVD starts investigating the scope and impact of the vulnerability. |
| 11 Jun 2022 | First version of this case file. |
| 12 Jun 2022 | First round of notifications sent |
| 12 Jun 2022 | Shared the data concerning the Netherlands with the Digital Trust Center and the Dutch Security Clearing House (Security Meldpunt) |
| 27 Sep 2022 | Another round of notifications sent to the affected parties |
| 22 Feb 2023 | After monitoring the decrease in vulnerable systems we’ve decided to close this case. |