A critical code injection vulnerability in Sophos Firewall was fixed – but not before criminals found the flaw and exploited it.
The bug, tracked as CVE-2022-3236, exists in the user portal and webadmin components of the firewall in versions 19.0 and earlier. While no CVSS severity score was assigned, Sophos deemed it “critical” and noted that it enables remote code execution.
“Sophos has observed this vulnerability being used to target a small group of specific organizations, primarily in the South Asia region,” the vendor noted in one advisory this month. “We informed each of these organizations directly.”
The British security software vendor released hotfixes for supported versions (v17.0 to v19.0) last week and also provided a workaround: disable WAN access to the user portal and webadmin.
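To turn the advisory's two facts (affected versions 19.0 and earlier; hotfixes for v17.0 to v19.0, with "no WAN access to the user portal/webadmin" as the workaround) into a fleet triage, here is an added example that is not from the article or from Sophos. It assumes an inventory exported from your own asset system with a constructed record shape, assumes Sophos version strings begin with major.minor (for example "19.0.1 MR-1-Build365"), and assumes the hotfix status and WAN reachability of the two web components have already been recorded as booleans, since neither is derivable from the version string alone.

```python
"""Triage helper for CVE-2022-3236 exposure.

Added example, not code from the article or from Sophos. Assumptions (not on the page):
- Inventory records come from your own asset management; the dataclass below is constructed.
- Version strings start with "<major>.<minor>" (optionally prefixed "SFOS "); only that prefix
  is compared, so "19.0.1 MR-1-Build365" is treated as the 19.0 release family.
- hotfix_applied / *_on_wan are recorded separately (e.g. from a review of the firewall's
  device-access settings); this script does not probe any device.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

AFFECTED_MAX = (19, 0)   # article: versions 19.0 and earlier are affected
HOTFIX_MIN = (17, 0)     # article: hotfixes issued for supported versions v17.0 to v19.0

_VERSION_RE = re.compile(r"^\s*(?:SFOS\s+)?(\d+)\.(\d+)")


@dataclass
class Firewall:
    name: str
    version: str
    hotfix_applied: bool
    user_portal_on_wan: bool
    webadmin_on_wan: bool


def parse_major_minor(version: str) -> Tuple[int, int]:
    """Extract the leading major.minor pair; raise on strings we cannot classify."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return int(m.group(1)), int(m.group(2))


def is_affected(version: str) -> bool:
    return parse_major_minor(version) <= AFFECTED_MAX


def hotfix_available(version: str) -> bool:
    return HOTFIX_MIN <= parse_major_minor(version) <= AFFECTED_MAX


def assess(fw: Firewall) -> Dict[str, object]:
    """Classify one appliance; the most urgent case is affected, unpatched and WAN-exposed."""
    affected = is_affected(fw.version)
    wan_exposed = fw.user_portal_on_wan or fw.webadmin_on_wan
    if not affected:
        status = "not_affected"
    elif fw.hotfix_applied:
        status = "hotfixed"
    elif not wan_exposed:
        status = "workaround_in_place"          # vulnerable component not reachable from WAN
    elif hotfix_available(fw.version):
        status = "EXPOSED_apply_hotfix"         # supported version: hotfix exists, apply it
    else:
        status = "EXPOSED_unsupported_version"  # older than v17.0: no hotfix, must upgrade
    return {"name": fw.name, "status": status, "affected": affected, "wan_exposed": wan_exposed}


def triage(inventory: List[Firewall]) -> List[Dict[str, object]]:
    return [assess(fw) for fw in inventory]


# Constructed sample inventory (hostnames and versions invented for illustration).
SAMPLE_INVENTORY = [
    Firewall("fw-branch-01", "19.0.1 MR-1-Build365", False, True, False),
    Firewall("fw-branch-02", "SFOS 18.5.4 MR-4", False, False, False),
    Firewall("fw-hq-01", "19.0.1 MR-1-Build365", True, True, True),
    Firewall("fw-legacy-01", "16.5.0", False, False, True),
    Firewall("fw-new-01", "20.0.0", False, True, True),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(f"{row['name']:<14} {row['status']}")
```

A "hotfixed" appliance that still has `wan_exposed` set is worth a second look: the hotfix closes this bug, but the advisory's workaround (removing WAN access to the two web components) is cheap defence in depth regardless of patch state.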
Sophos also said it is continuing the investigation and will provide more details at a later date.
As of Tuesday, the security shop’s blogs, which regularly describe vulnerabilities and exploits affecting other software vendors, had made no mention of its own critical firewall bug.
However, other software vendors and security researchers did weigh in on the Sophos bug, warning that there is a “high” chance of mass exploitation. At least 28 entries in CISA's Known Exploited Vulnerabilities catalog involve code injection, Immanuel Chavoya tweeted:
🚨 RCE In Sophos Firewall Exploited in the Wild CVE-2022-3236 This has a HIGH chance of mass exploitation since the vulnerability is based on Code Injection (CWE-94) and if we look at that #CISA KEVs, at least 28 of which are related to code injection… pic.twitter.com/MgzXCWwgwr
— Immanuel Chavoya (@FullM3talPacket) September 23, 2022
And while Sophos has yet to say who it thinks exploited the flaw to target South Asian organizations, Chinese state-sponsored criminals were behind earlier attacks this year targeting a critical flaw in Sophos Firewall.
Recorded Future released research just last week attributing several campaigns to crews with ties to Beijing, who were seen exploiting a bug in the software vendor's Sophos Firewall in April.
This earlier critical remote code execution vulnerability tracked as CVE-2022-1040 was also used to target South Asian organizations. According to Recorded Future, at least three Chinese state-sponsored groups exploited this flaw to initially gain unauthorized access to victims’ networks.
Sophos's own research, released in June, reported that at least two advanced persistent threat groups exploited CVE-2022-1040 before it was able to issue a patch. The bug was used to deliver malware to infected devices.
The malicious software allowed the attackers to install backdoor tools and steal sensitive data, among other nefarious activities; to write, read and manipulate files and settings on compromised devices; and in some cases to gain complete control over the environment in which it ran. ®
Source: https://www.theregister.com/2022/09/28/sophos_firewall_code_injection/ (The Register)