Sophos Firewall Patch Released for Actively Exploited Zero-Day RCE Vulnerability
Sophos released a patch for a flaw discovered in their firewall product. Tracked as CVE-2022-3236 (CVSS score: 9.8), the vulnerability allows code injection in the User Portal and Webadmin components, which could result in remote code execution.
Company issued a patch to address a zero-day vulnerability discovered in Sophos Firewall. Identified as CVE-2022-3236 (CVSS score: 9.8), the vulnerability allows code injection in the User Portal and Webadmin of the firewall, leading to remote code execution.
CVE-2022-3236 affects Sophos Firewall v19.0 MR1 and older versions.
Similarities to a Previous Zero-Day
According to the company, this vulnerability has been exploited to target specific organizations in South Asia.
In March, another patch was released for a zero-day identified as CVE-2022-1040, similar to CVE-2022-3236. CVE-2022-1040 allowed authentication bypass leading to remote code execution in User Portal and web admin.
Apply the Fixes
The following versions have hotfixes available:
- v19.0 GA, MR1, and MR1-1
- v18.5 GA, MR1, MR1-1, MR2, MR3, and MR4
- v18.0 MR3, MR4, MR5, and MR6
- v17.5 MR12, MR13, MR14, MR15, MR16, and MR17
- v17.0 MR10
Fixes are incorporated in v18.5 MR5 (18.5.5), v19.0 MR2 (19.0.2), and v19.5 GA.
To receive the most current security protections, users of previous Sophos Firewall versions must upgrade to supported versions.
Make sure the User Portal and Webadmin are not accessible through WAN as a workaround. As advised by Sophos, disabling WAN access to vulnerable components and using VPN or Sophos Central for remote access and management is the best practice available.