More than 4,000 public-facing Sophos firewalls remain vulnerable to a critical remote code execution bug disclosed last year and patched months later, according to security researchers.
The flaw, CVE-2022-3236, had already been exploited as a zero-day when Sophos published a security advisory about the vulnerability in September 2022. At the time, the vendor said the hole had been abused to target "a small set of specific organizations, primarily in the South Asia region."
The vulnerability can be exploited to gain control of a device, which can then be commandeered to probe and attack the network or external targets.
Sophos initially issued a hotfix for some versions of the firewall, and then released an official update that squashed the bug in December 2022.
Despite that software update, however, "more than 99 percent of internet-facing Sophos Firewalls haven't upgraded to versions containing the official fix for CVE-2022-3236," according to VulnCheck researchers, who wrote their own proof-of-concept exploit and scanned internet-facing Sophos firewalls to determine how likely mass exploitation actually is.
Around 93 percent of the firewalls are eligible for the hotfix, which is applied by default unless disabled by an admin. So those firewalls likely received the fix, "although errors do happen," VulnCheck researcher Jacob Baines wrote.
"That still leaves more than 4,000 firewalls (or about 6 percent of internet-facing Sophos Firewalls) running versions that didn't receive a hotfix and are therefore vulnerable," he said.
As of late last week, no public proof-of-concept exploits existed for CVE-2022-3236, according to Baines. But this shouldn't provide too much comfort for anyone running unpatched versions. As the bug hunter noted: "it's only a matter of time before something is made public."
The security shop also published a couple of log files with indicators of exploitation attempts, which are worth checking out to help determine whether your firewall has been compromised. With both, the presence of the "_discriminator" field in the login request "is sufficient to detect an exploit attempt," according to the threat hunters.
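As an added illustration of the detection check described above (example code, not VulnCheck's or Sophos's own), the following Python flags login requests whose body carries a `_discriminator` parameter, whether the body is JSON (including nested objects) or form-encoded. The log layout, the `/login` path and the sample lines are constructed for the example and do not reproduce the real firewall log format.

```python
import json
from urllib.parse import parse_qs

# Constructed sample access log (hypothetical layout, not the real Sophos log format):
# "<timestamp> <client_ip> <method> <path> <request_body>"
SAMPLE_LOG = """\
2022-09-23T10:01:02Z 203.0.113.10 POST /login {"username":"alice","password":"x"}
2022-09-23T10:01:05Z 203.0.113.11 POST /login {"username":"bob","password":"x","_discriminator":"y"}
2022-09-23T10:01:09Z 203.0.113.12 POST /login username=carol&password=x&_discriminator=y
2022-09-23T10:01:12Z 203.0.113.13 POST /login {"form":{"username":"dan","_discriminator":"y"}}
2022-09-23T10:02:00Z 203.0.113.14 GET /login -
"""

INDICATOR = "_discriminator"  # field named in the VulnCheck write-up


def body_keys(body: str) -> set:
    """Return every parameter name in a request body: nested JSON keys or form field names."""
    try:
        data = json.loads(body)
    except ValueError:
        # Not JSON: treat it as application/x-www-form-urlencoded
        return set(parse_qs(body, keep_blank_values=True))
    keys = set()
    stack = [data]
    while stack:  # iterative walk so deeply nested bodies cannot blow the recursion limit
        item = stack.pop()
        if isinstance(item, dict):
            keys.update(item)
            stack.extend(item.values())
        elif isinstance(item, list):
            stack.extend(item)
    return keys


def find_exploit_attempts(log_text: str, login_path: str = "/login") -> list:
    """Flag POSTs to the login endpoint whose body contains the indicator field."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split(" ", 4)  # body may itself contain spaces, so cap the split
        if len(parts) < 5:
            continue
        ts, client, method, path, body = parts
        if method != "POST" or path != login_path or body == "-":
            continue
        if INDICATOR in body_keys(body):
            hits.append({"time": ts, "client": client, "path": path})
    return hits


if __name__ == "__main__":
    for hit in find_exploit_attempts(SAMPLE_LOG):
        print(f"{hit['time']} suspected CVE-2022-3236 attempt from {hit['client']}")
```

A hit only shows that someone sent the indicator, not that the exploit succeeded; pair it with the patch-level check described above before deciding a device is compromised.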
Additionally (here is the silver lining) there are limits to mass exploitation because of a CAPTCHA that is required by default to gain access. An attacker can only reach the buggy code after successfully completing the I-am-a-human test.
This is very good news for the 4,000-plus boxes running vulnerable Sophos code.
"While not impossible, programmatically solving CAPTCHAs is a high hurdle for most attackers," Baines said. "Most internet-facing Sophos Firewalls appear to have the login CAPTCHA enabled, which means, even at the most opportune times, this vulnerability was unlikely to have been successfully exploited at scale." ®