Thousands of Sophos servers are vulnerable to this dangerous exploit


Cybersecurity researchers from VulnCheck have claimed thousands of internet-exposed servers running Sophos’ Firewall solution are vulnerable to a high-severity flaw that allows threat actors to remotely execute malware. 

The company recently published a report in which it says that a quick Shodan scan found more than 4,400 internet-exposed servers running Sophos Firewall that are vulnerable to CVE-2022-3236.

With a severity rating of 9.8, the flaw is a code injection vulnerability that allows threat actors to use the User Portal and Webadmin to deliver and run malware. The vulnerability was publicized in September 2022 when a hotfix was released. Soon after, Sophos released a fully-fledged patch and urged its users to apply it immediately.


Working exploit

Now, some four months later, there are still more than 4,000 endpoints that haven’t applied the patch, making up some 6% of all Sophos firewall instances, the researchers said.

“More than 99% of Internet-facing Sophos Firewalls haven't upgraded to versions containing the official fix for CVE-2022-3236,” the announcement reads. “But around 93% are running versions that are eligible for a hotfix, and the default behavior for the firewall is to automatically download and apply hotfixes (unless disabled by an administrator). It’s likely that almost all servers eligible for a hotfix received one, although mistakes do happen. That still leaves more than 4,000 firewalls (or about 6% of Internet-facing Sophos Firewalls) running versions that didn’t receive a hotfix and are therefore vulnerable.”

None of this is purely theoretical, either. The researchers said they built a working exploit, warning that if they could do it, so can the hackers. In fact, some might have done it already, which is why VulnCheck shared two indicators of compromise: the log files /logs/csc.log and /log/validationError.log. If either of these contains the the_discriminator field in a login request, chances are someone tried to exploit the flaw. The log files can’t be used to determine whether the attempt was successful, though.
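A defender's triage script for the indicator described above, added here as an example and not taken from VulnCheck's report or Sophos; it scans the two log paths named in the article for the the_discriminator field name and, because the real log format is not shown, assumes only that the field name appears on the line. The sample lines are constructed, not real Sophos output.

```python
"""Scan Sophos Firewall logs for the CVE-2022-3236 indicator VulnCheck
described: "the_discriminator" appearing in a login request. A hit shows an
exploitation attempt reached the device; it does NOT show it succeeded."""
import os
import re
from typing import Iterable, List, Tuple

# Log paths named in the article; the log line format below is an assumption.
DEFAULT_LOG_PATHS = ("/logs/csc.log", "/log/validationError.log")

# Only the field name is required, matched case-insensitively.
INDICATOR = re.compile(r"the_discriminator", re.IGNORECASE)


def find_indicator_lines(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (1-based line number, line) for every line carrying the indicator."""
    hits = []
    for number, line in enumerate(lines, start=1):
        if INDICATOR.search(line):
            hits.append((number, line.rstrip("\n")))
    return hits


def scan_log_files(paths: Iterable[str] = DEFAULT_LOG_PATHS) -> dict:
    """Scan each existing path; a missing file maps to None instead of raising."""
    results = {}
    for path in paths:
        if not os.path.isfile(path):
            results[path] = None
            continue
        with open(path, "r", encoding="utf-8", errors="replace") as handle:
            results[path] = find_indicator_lines(handle)
    return results


# Constructed sample lines (not real Sophos log output) to exercise the scanner offline.
SAMPLE_LINES = [
    "2023-01-16 10:01:02 userportal login request user=alice status=ok",
    "2023-01-16 10:02:15 webadmin login request user=bob the_discriminator=x status=error",
    "2023-01-16 10:03:44 validation error: unexpected field 'The_Discriminator' in login form",
    "2023-01-16 10:04:00 userportal logout user=alice",
]


def triage_sample() -> List[int]:
    """Line numbers of the constructed sample that would be flagged."""
    return [number for number, _ in find_indicator_lines(SAMPLE_LINES)]


if __name__ == "__main__":
    for number, line in find_indicator_lines(SAMPLE_LINES):
        print(f"line {number}: possible CVE-2022-3236 attempt (success unknown): {line}")
```

Run it against the real paths with `scan_log_files()` on a firewall console; a flagged line is a reason to pull the full log and check for follow-on activity, not proof of compromise.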

The good news is that during authentication to the web client, the attacker needs to complete a CAPTCHA, making mass attacks highly unlikely. Targeted attacks are still very much a possibility, however. 

“The vulnerable code is only reached after the CAPTCHA is validated. A failed CAPTCHA will result in the exploit failing. While not impossible, programmatically solving CAPTCHAs is a high hurdle for most attackers. Most Internet-facing Sophos Firewalls appear to have the login CAPTCHA enabled, which means, even at the most opportune times, this vulnerability was unlikely to have been successfully exploited at scale,” the researchers concluded. 

Via: ArsTechnica

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
