CVE-2022-3236 – Remote Code Execution Vulnerability in Sophos Firewall


On Friday 23 September 2022, Sophos disclosed a critical code injection vulnerability impacting Sophos Firewall. This vulnerability, assigned CVE-2022-3236, affects Sophos Firewall versions v19.0 MR1 (19.0.1) and older and could lead to remote code execution. In order for a threat actor to exploit this vulnerability, WAN access would need to be enabled for the Webadmin and User Portal consoles.  

Sophos claims they have observed active exploitation of this vulnerability in a small set of organisations in the South Asia region. Threat actors have also historically targeted Sophos Firewall vulnerabilities: CISA's Known Exploited Vulnerabilities Catalog currently lists four similar vulnerabilities impacting Sophos Firewall.

We strongly recommend applying the relevant security patches to impacted devices to remediate the vulnerability and prevent potential exploitation.  

CVE-2022-3236 Recommendations 

Arctic Wolf strongly recommends updating and verifying that the firmware patch is applied. For organisations that are not able to apply the patch, Sophos has also provided a workaround that disables WAN access to the Webadmin and User Portal consoles. For organisations running versions older than those that have been patched, Sophos recommends upgrading Sophos Firewall to receive the latest protections, including this fix.

Note: Sophos has said that there is no action required for Sophos Firewall customers with the “Allow automatic installation of hotfixes” feature enabled. However, Arctic Wolf strongly recommends reviewing Recommendation #3 in this case. 

Recommendation #1: Verify Hotfix Installation 

Sophos has a support document detailing a command to check if the hotfix is applied here: https://support.sophos.com/support/s/article/KB-000044539?language=en_US  

Recommendation #2: Apply Hotfix Provided by Sophos 

If the results of the command state “Hotfix isn’t applied”, Sophos has provided the following hotfixes that can be applied to remediate this vulnerability: 

  • Hotfixes for the following versions were published on September 21, 2022: 
    • v19.0 GA, MR1, and MR1-1 
    • v18.5 GA, MR1, MR1-1, MR2, MR3, and MR4 
  • Hotfixes for the following versions were published on September 23, 2022: 
    • v18.0 MR3, MR4, MR5, and MR6 
    • v17.5 MR12, MR13, MR14, MR15, MR16, and MR17 
    • v17.0 MR10 
  • Fix included in v18.5 MR5 (18.5.5), v19.0 MR2 (19.0.2), and v19.5 GA 

Note: Users of older versions of Sophos Firewall are required to upgrade to receive the latest protections and this fix. 

Recommendation #3: Disable WAN Access to User Portal & Webadmin 

Sophos recommends disabling WAN access to the User Portal and Webadmin consoles by following device access best practices. Instead, Sophos suggests using a VPN and/or Sophos Central for remote access and management.
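As an added triage helper that is not part of the Arctic Wolf advisory or any Sophos tooling, the following script encodes the hotfix and fixed-build lists from Recommendation #2 and the WAN-exposure precondition from Recommendation #3, and maps an inventory version string (either the "v19.0 MR1-1" naming or the "19.0.1" numeric form) to the recommendation that applies. It assumes the usual Sophos convention that GA is release 0 and MRn is release n of a branch.

```python
import re

# Releases that received an out-of-band hotfix, as listed in the advisory above.
HOTFIXED = {
    "19.0": {"GA", "MR1", "MR1-1"},
    "18.5": {"GA", "MR1", "MR1-1", "MR2", "MR3", "MR4"},
    "18.0": {"MR3", "MR4", "MR5", "MR6"},
    "17.5": {"MR12", "MR13", "MR14", "MR15", "MR16", "MR17"},
    "17.0": {"MR10"},
}
# First maintenance release on each branch that ships with the fix built in
# (v18.5 MR5, v19.0 MR2, v19.5 GA); GA counts as release 0.
FIXED_FROM = {"18.5": 5, "19.0": 2, "19.5": 0}

NAME_RE = re.compile(r"^v?(\d+)\.(\d+)\s+(GA|MR(\d+)(?:-(\d+))?)$", re.I)
NUM_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-(\d+))?$")


def parse_version(text):
    """Return (major, minor, mr, label) for 'v19.0 MR1-1' or '19.0.1' style input."""
    m = NAME_RE.match(text.strip())
    if m:
        major, minor = int(m.group(1)), int(m.group(2))
        return major, minor, int(m.group(4) or 0), m.group(3).upper()
    m = NUM_RE.match(text.strip())
    if m:
        major, minor, mr = (int(x) for x in m.groups()[:3])
        label = "GA" if mr == 0 else f"MR{mr}" + (f"-{m.group(4)}" if m.group(4) else "")
        return major, minor, mr, label
    raise ValueError(f"unrecognised Sophos Firewall version: {text!r}")


def triage(version, wan_exposed=False):
    """Map a firewall's version (and whether Webadmin/User Portal are reachable
    from the WAN) to a status plus the advisory recommendations that apply."""
    major, minor, mr, label = parse_version(version)
    branch = f"{major}.{minor}"
    actions = []
    # v19.5 GA and anything newer ship fixed; older branches from their fixed MR.
    if (major, minor) >= (19, 5) or mr >= FIXED_FROM.get(branch, 10**9):
        status = "fixed-build"
    elif label in HOTFIXED.get(branch, ()):
        status = "hotfix-available"
        actions += ["verify hotfix applied (Rec #1)", "apply hotfix if missing (Rec #2)"]
    else:
        status = "upgrade-required"  # no hotfix listed for this release
        actions.append("upgrade to a fixed release (Rec #2 note)")
    if wan_exposed:  # device access best practice regardless of patch state
        actions.append("disable WAN access to Webadmin/User Portal (Rec #3)")
    return status, actions
```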

References 

  1. Sophos Advisory 
James Liolios

James Liolios is a Senior Threat Intelligence Researcher at Arctic Wolf, where he keeps a watchful eye on the latest threats and threat actors to understand the potential impact to Arctic Wolf customers. He has a background of 9 years' experience in many areas of cybersecurity, holds a bachelor's degree in Information Security, and is also CISSP certified.