Sophos hotfixes remote code execution vulnerabilities in Firewall

The best free firewall
(Image credit: Shutterstock)

  • Sophos says it found, and patched, three flaws in its firewall product
  • The flaws allowed for RCE and privilege escalation
  • Sophos Firewall customers have hotfixes enabled by default, meaning there is no further action to take if this is enabled

Sophos has recently discovered, and patched, three bugs in its Firewall product, noting that as the tool has hotfixes enabled by default, there is no further action necessary from the user side. Mitigation workarounds are available, as well.

A security advisory from the company notes the three vulnerabilities can be abused for remote code execution, privileged system access, and more. Two of the flaws were given a critical severity score (9.8), with the third one being high-severity (8.8).

Multiple versions of the Sophos Firewall were said to be affected, although different versions seem to be susceptible to different flaws. Still, the company urges all users to bring their endpoints to the latest version and avoid getting targeted.

Workaround possible

Patching also differs, depending on the vulnerability in question. For CVE-2024-12727 users should launch Device Management, navigate to Advanced Shell from the Sophos Firewall console, and run the command "cat /conf/nest_hotfix_status".

For the remaining two flaws, users should launch Device Console from the Sophos Firewall console, and run the command "system diagnostic show version-info".

Users that cannot apply the patch should at least apply the suggested workaround, which includes restricting SSH access to only the dedicated HA link that is physically separate. Furthermore, users should reconfigure HA using a sufficiently long and random custom passphrase.

Finally, they can disable WAN access via SSH, and make sure that the User Portal and Webadmin are not exposed to WAN.

Further details about the bugs, including the CVEs, can be found on this link.

"Sophos has released hotfixes to address three remote code execution vulnerabilities," the company told TechRadar Pro in a statement. "Sophos Firewall customers have hotfixes enabled by default, meaning there is no further action to take if this is enabled. Sophos is not aware of any exploitation of these vulnerabilities. It’s important to note that a very small number of firewalls were potentially at risk."

"We encourage users to check the KBA and Security Advisory and Firewall users can use this link to verify if the hotfix was applied to your firewall."

Firewalls are major targets in cyberattacks because they act as the primary gatekeepers between internal networks and external threats, making them critical points of defense for sensitive data and systems.

Compromising a firewall can grant attackers privileged access to a network, bypassing security controls and exposing the entire system to further exploitation. Additionally, firewalls often hold valuable configuration data and access credentials, which attackers can leverage to escalate their attacks or maintain persistent access.

Via The Hacker News

You might also like

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.