Sophos has issued critical hotfixes for its firewall products to address three security vulnerabilities that could allow remote code execution and system access by unauthorized attackers. Two of these vulnerabilities, CVE-2024-12727 and CVE-2024-12728, are particularly severe, with CVSS scores of 9.8. CVE-2024-12727 is a pre-authentication SQL injection vulnerability in the email protection feature which, when combined with a specific configuration of Secure PDF eXchange (SPX) and High Availability (HA) mode, could lead to remote code execution. CVE-2024-12728 concerns a weak SSH login passphrase used during HA setup, which leaves a privileged account exposed even after the HA process has completed.
The third vulnerability, CVE-2024-12729, is a post-authentication code injection flaw in the User Portal, which allows authenticated users to execute malicious code. These vulnerabilities impact Sophos Firewall versions 21.0 GA and older, affecting approximately 0.05% to 0.5% of devices. Although no exploitation has been reported, the flaws present a significant risk, especially in environments where these firewalls are deployed with certain configurations. Sophos has promptly addressed these flaws with hotfixes and recommends that users apply them immediately to secure their systems.
Sophos has provided clear instructions for verifying that the hotfixes have been applied. For CVE-2024-12727, users are advised to run a command in the Sophos Firewall console to check the hotfix status. For CVE-2024-12728 and CVE-2024-12729, users should check the system diagnostic version info to confirm that the patches were applied successfully. For those unable to apply the hotfixes immediately, Sophos has suggested temporary workarounds, such as restricting SSH access to a dedicated HA link or disabling WAN access to SSH and the User Portal.
The timely release of these hotfixes underscores the importance of proactive security measures in safeguarding network infrastructure. Organizations using Sophos Firewalls are strongly encouraged to apply the updates as soon as possible to prevent any potential exploitation of these vulnerabilities. This release follows the recent high-profile incident in which a Chinese national was charged with exploiting a separate zero-day flaw in Sophos firewalls, which had compromised over 80,000 devices globally.