Sophos addressed three critical vulnerabilities in its Firewall product: CVE-2024-12727, CVE-2024-12728, and CVE-2024-12729. These vulnerabilities posed significant security risks, including remote code execution and unauthorized system access.
CVE-2024-12727
This pre-authentication SQL injection vulnerability was found in the email protection feature of Sophos Firewall versions before v21 MR1. It allowed attackers to access the reporting database and potentially achieve remote code execution if a specific configuration of Secure PDF eXchange (SPX) was enabled in combination with the firewall operating in High Availability (HA) mode. According to the vendor, around 0.05% of firewall devices had the specific configuration needed for exploitation.
Remediated Versions:
- v21 MR1 and newer
- Hotfixes for: v21 GA, v20 GA, v20 MR1, v20 MR2, v20 MR3, v19.5 MR3, v19.5 MR4, v19.0 MR2
CVE-2024-12728
Identified as a weak-credentials vulnerability, this flaw could have allowed privileged system access via SSH on Sophos Firewall versions older than v20 MR3. It stemmed from a suggested, non-random SSH login passphrase used during HA cluster initialization, which remained active even after the HA setup was completed. According to the vendor, this issue affected approximately 0.5% of devices.
Remediated Versions:
- v20 MR3, v21 MR1 and newer
- Hotfixes for: v21 GA, v20 GA, v20 MR1, v20 MR2, v19.5 GA, v19.5 MR1, v19.5 MR2, v19.5 MR3, v19.5 MR4, v19.0 MR2
CVE-2024-12729
This post-authentication code injection vulnerability was located in the User Portal of Sophos Firewall versions before v21 MR1. It allowed authenticated users to execute code remotely, posing a significant security threat.
Remediated Versions:
- v21 MR1 and newer
- Hotfixes for: v21 GA, v20 GA, v20 MR1, v20 MR2, v19.5 GA, v19.5 MR1, v19.5 MR2, v19.5 MR3, v19.5 MR4, v19.0 MR2, v19.0 MR3
Remediation and Recommendations
Sophos has released hotfixes and updates to address these vulnerabilities. For customers with the “Allow automatic installation of hotfixes” feature enabled (the default setting), no manual action is required. However, users operating older versions of Sophos Firewall are advised to upgrade to the latest supported versions to ensure protection.
Sophos also recommends the following best practices:
- Disable WAN access to the User Portal and Webadmin.
- Use VPN or Sophos Central for remote access and management.
To verify whether the necessary hotfixes have been applied to your firewall, refer to Sophos’s support article.
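A fleet triage check built from the remediated-version lists above, added here as an example and not code from Sophos or this advisory: it parses Sophos Firewall version strings and reports, per CVE, whether a build is natively fixed, covered only by an installed hotfix, or still vulnerable. The inventory tuples and the hotfix_installed flag are assumed to be supplied by the reader, since the version string alone does not show whether a hotfix was applied.

```python
import re

# Remediation data exactly as listed in the advisory above: first fixed build
# per release line ("and newer"), and older builds fixed only via hotfix.
FIXED_RELEASES = {
    "CVE-2024-12727": ["v21 MR1"],
    "CVE-2024-12728": ["v20 MR3", "v21 MR1"],
    "CVE-2024-12729": ["v21 MR1"],
}
HOTFIX_RELEASES = {
    "CVE-2024-12727": {"v21 GA", "v20 GA", "v20 MR1", "v20 MR2", "v20 MR3",
                       "v19.5 MR3", "v19.5 MR4", "v19.0 MR2"},
    "CVE-2024-12728": {"v21 GA", "v20 GA", "v20 MR1", "v20 MR2", "v19.5 GA",
                       "v19.5 MR1", "v19.5 MR2", "v19.5 MR3", "v19.5 MR4",
                       "v19.0 MR2"},
    "CVE-2024-12729": {"v21 GA", "v20 GA", "v20 MR1", "v20 MR2", "v19.5 GA",
                       "v19.5 MR1", "v19.5 MR2", "v19.5 MR3", "v19.5 MR4",
                       "v19.0 MR2", "v19.0 MR3"},
}

_VERSION_RE = re.compile(r"^v(\d+)(?:\.(\d+))?\s+(?:GA|MR(\d+))$")

def parse_version(text):
    """'v19.5 MR3' -> ((19, 5), 3); 'v21 GA' -> ((21, 0), 0)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Sophos Firewall version: {text!r}")
    line = (int(m.group(1)), int(m.group(2) or 0))
    return line, int(m.group(3) or 0)

def status(cve, version, hotfix_installed=False):
    """Return 'fixed', 'hotfixed' or 'vulnerable' for one CVE on one firewall."""
    line, mr = parse_version(version)
    fixed = [parse_version(v) for v in FIXED_RELEASES[cve]]
    # Same release line as a fixed build and at least as new: fixed natively.
    # (Plain numeric compare is wrong: v21 GA > v20 MR3 yet needs the 12728 hotfix.)
    if any(line == f_line and mr >= f_mr for f_line, f_mr in fixed):
        return "fixed"
    # A release line newer than every listed fixed line is covered by "and newer".
    if line > max(f_line for f_line, _ in fixed):
        return "fixed"
    # The version string cannot show whether a hotfix was applied; the caller
    # supplies that fact (assumption: taken from the reader's own inventory).
    if version.strip() in HOTFIX_RELEASES[cve] and hotfix_installed:
        return "hotfixed"
    return "vulnerable"  # un-hotfixed, or an older build with no hotfix listed

def triage(inventory):
    """inventory: iterable of (hostname, version, hotfix_installed) tuples."""
    return {h: {c: status(c, v, hf) for c in FIXED_RELEASES} for h, v, hf in inventory}
```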
Instantly Fix Risks with SanerNow Patch Management
SanerNow patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.
It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. SanerNow patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.
Experience the fastest and most accurate patching software here.