Skip to the content.

DIVD-2022-00029 - Remote Code Execution on Sophos Firewall

Our reference DIVD-2022-00029
Case lead Pepijn van der Stap
Author Victor Pasman
Researcher(s)
CVE(s)
Product Sophos Firewall
Versions v18.5 MR3 and older.
Recommendation If you received a notification of a vulnerability, patch your system with the information provided in this notification.
Patch status Available
Status Open
Last modified 20 Jun 2022 07:35

Summary

An authentication bypass vulnerability allowing remote code execution was discovered in the User Portal and Webadmin of Sophos Firewall and responsibly disclosed to Sophos. The fully working exploit method has not been released, due to the fact that it was directly reported to Sophos via their bug bounty program. However, there is extensive research happening in the world to exploit this vulnerability, the root cause is already known and that’s how we validate whether Sophos Firewall instances patched or not.

Impact

By leveraging the vulnerability, an unauthenticated attacker with network access to the Sophos Firewall can execute arbitrary system commands, create or delete files, disable services or gain access to the internal network.

What you can do

Fixes are available for the following versions:

What we are doing

Timeline

Date Description
10 May 2022 DIVD starts investigating the scope and impact of the vulnerability.
11 Jun 2022 First version of this case file.
12 Jun 2022 First round of notifications sent
12 Jun 2022 Shared the data concerning the Netherlands with the Digital Trust Center and the Dutch Security Clearing House (Security Meldpunt)
gantt title DIVD-2022-00029 - Remote Code Execution on Sophos Firewall dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2022-00029 - Remote Code Execution on Sophos Firewall (still open) :2022-05-10, 2022-07-01 section Events DIVD starts investigating the scope and impact of the vulnerability. : milestone, 2022-05-10, 0d First version of this case file. : milestone, 2022-06-11, 0d First round of notifications sent : milestone, 2022-06-12, 0d Shared the data concerning the Netherlands with the Digital Trust Center and the Dutch Security Clearing House (Security Meldpunt) : milestone, 2022-06-12, 0d

More information