3rd Party Risk Management , Application Security , Governance & Risk Management

Sophos Patches Critical RCE Bug Exploited in the Wild

Targets Are a Small Set of Specific Organizations Primarily in South Asia
Sophos Patches Critical RCE Bug Exploited in the Wild
Source: Sophos

Sophos says it has provided a fix to a critical RCE bug known to be actively exploited primarily in South Asia. Sophos says no action is required by its Firewall customers if the "Allow automatic installation of hotfixes" feature is enabled. Although this feature is enabled by default, versions close to their end of life receive hotfixes that need manual configuration.

See Also: Application Logging Challenges in Information Security

The Vulnerability

The vulnerability, which is now tracked as CVE-2022-1040, has a CVSS rating of 9.8 and was reported to Sophos responsibly by an unnamed external security researcher through its bug bounty program, Sophos says in its security advisory.

The bug is an authentication bypass vulnerability in the User Portal and Webadmin of Sophos Firewall and allows a remote attacker to execute code in all of its versions prior to v18.5 MR3 (18.5.3).

The Targets

Sophos did not mention the names of the organizations that were targeted, but with a high confidence disclosed the region to which they belong. "Sophos has observed this vulnerability being used to target a small set of specific organizations primarily in the South Asia region. We have informed each of these organizations directly. Sophos will provide further details as we continue to investigate," it says in the advisory.

Because the vulnerability is severe and has been disclosed in the open by Sophos, several CERTs and cyber agencies in Europe have issued alerts to check and patch the CVE-2022-1040 vulnerability manually, based on the current version installed.

The Australian Cyber Security Center issued an alert today, asking Australian organizations to apply the necessary patches at the earliest opportunity as a precautionary measure. ACSC also confirmed that attempts at exploitation were made, but no successful incidents have yet been reported. The security alert has a "high" alert status.

The ACSC says that it "is monitoring the situation and is able to provide assistance or advice as required."

Fixes and Workarounds

The following are the hotfixes and corresponding versions - supported and unsupported - issued by Sophos:

  • Hotfixes for v17.0 MR10 EAL4+, v17.5 MR16 and MR17, v18.0 MR5(-1) and MR6, v18.5 MR1 and MR2, and v19.0 EAP - published on March 23;
  • Hotfixes for unsupported EOL versions v17.5 MR12 through MR15, and v18.0 MR3 and MR4 - published on March 23;
  • Hotfixes for unsupported EOL version v18.5 GA - published on March 24;
  • Hotfixes for v18.5 MR3 - published on March 24;
  • Fix included in v19.0 GA and v18.5 MR4 (18.5.4).

Sophos says it has a possible workaround to secure User Portal and Webadmin interfaces for customers who are using end-of-life versions and those who have disabled automatic updates.

"Customers can protect themselves from external attackers by ensuring their User Portal and Webadmin are not exposed to WAN," Sophos' advisory says. "Disable WAN access to the User Portal and Webadmin by following device access best practices and instead use VPN and/or Sophos Central for remote access and management."

Sophos has also asked users of the older version of Sophos Firewall to upgrade their products and solutions to receive the latest protections, including the current and future fixes.


About the Author

Mihir Bagwe

Mihir Bagwe

Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.com, you agree to our use of cookies.