A critical code-injection vulnerability in Sophos Firewall has been fixed — but not before miscreants found and exploited the bug.
The flaw, tracked as CVE-2022-3236, exists in the User Portal and Webadmin components of the firewall in versions 19.0 and older. While it hasn’t been issued a CVSS severity score, Sophos deemed it “critical” and noted that it allowed for remote code execution.
“Sophos has observed this vulnerability being used to target a small set of specific organizations, primarily in the South Asia region,” the vendor noted in an advisory this month. “We have informed each of these organizations directly.”
The British security software vendor issued hotfixes for supported versions (v17.0 through v19.0) last week, and also provided a workaround, which included disabling WAN access to the User Portal and Webadmin.
Sophos also said it’s continuing to investigate, and will provide additional details at a later date.
As of Tuesday, the security shop’s blogs, which regularly detail vulnerabilities and exploits affecting other software vendors, hadn’t mentioned its own critical firewall bug.
Other software vendors and security researchers, however, did weigh in on the Sophos bug, with one warning that there’s a “high” chance of mass exploitation. At least 28 of CISA’s Known Exploited Vulnerabilities involve code injection, Immanuel Chavoya tweeted:
🚨 RCE In Sophos Firewall exploited in the wild. CVE-2022-3236. This has a HIGH chance of mass exploitation, given the vulnerability is based on Code Injection (CWE-94) and if we look at the #CISA KEVs, at least 28 of those are Code Injection related… https://t.co/TUtBLbBeRQ
— Immanuel Chavoya (@FullM3talPacket) September 23, 2022
And while Sophos hasn’t yet said who it believes exploited the bug to target South Asian organizations, Chinese state-sponsored criminals were behind earlier attacks this year that involved a critical flaw in Sophos Firewall.
Just last week, Recorded Future published research on multiple campaigns it attributed to Beijing-linked crews, who were seen abusing a programming error in Sophos Firewall that the software vendor fixed in April.
That earlier critical remote code execution vulnerability, tracked as CVE-2022-1040, was also used to target South Asian organizations. According to Recorded Future, at least three Chinese state-sponsored groups exploited this bug to gain initial unauthorized access into victims’ networks.
Sophos, in its own investigation published in June, reported that at least two advanced persistent threat groups exploited CVE-2022-1040 before it was able to issue a patch. The flaw had been used to deploy malware on infected devices.
The software nasty, among other nefarious activities, allowed the attackers to install backdoor tools and steal sensitive data; write, read and manipulate files and settings on compromised devices; and, in some cases, gain complete control over the environment in which it was running.