Sophos has addressed three vulnerabilities in its Sophos Firewall product that would permit distant unauthenticated risk actors to carry out SQL injection, distant code execution, and achieve privileged SSH entry to units.
The vulnerabilities have an effect on Sophos Firewall model 21.0 GA (21.0.0) and older, with the corporate already releasing hotfixes which can be put in by default and everlasting fixes by means of new firmware updates.
The three flaws are summarized as follows:
- CVE-2024-12727: A pre-authentication SQL injection vulnerability within the e mail safety function. If a selected configuration of Safe PDF eXchange (SPX) is enabled together with Excessive Availability (HA) mode, it permits entry to the reporting database, doubtlessly resulting in RCE.
- CVE-2024-12728: The recommended, non-random SSH login passphrase for HA cluster initialization stays lively after the method completes, leaving programs the place SSH is enabled weak to unauthorized entry on account of predictable credentials.
- CVE-2024-12729: An authenticated consumer can exploit a code injection vulnerability within the Person Portal. This enables attackers with legitimate credentials to execute arbitrary code remotely, growing the danger of privilege escalation or additional exploitation.
The firm says CVE-2024-12727 impacts roughly 0.05% of firewall units with the precise configuration required for exploitation. As for CVE-2024-12728, the seller says it impacts roughly 0.5% of units.
Accessible fixes
Hotfixes and full fixes had been made obtainable by means of numerous variations and dates, as follows:
Hotfixes for CVE-2024-12727 can be found since December 17 for variations 21 GA, v20 GA, v20 MR1, v20 MR2, v20 MR3, v19.5 MR3, v19.5 MR4, v19.0 MR2, whereas a everlasting repair was launched in v21 MR1 and newer.
Hotfixes for CVE-2024-12728 had been launched between November 26 and 27 for v21 GA, v20 GA, v20 MR1, v19.5 GA, v19.5 MR1, v19.5 MR2, v19.5 MR3, v19.5 MR4, v19.0 MR2, and v20 MR2, whereas everlasting fixes are included in v20 MR3, v21 MR1 and newer.
For CVE-2024-12729, hotfixes had been launched between December 4 and 10 for variations v21 GA, v20 GA, v20 MR1, v20 MR2, v19.5 GA, v19.5 MR1, v19.5 MR2, v19.5 MR3, v19.5 MR4, v19.0 MR2, v19.0 MR3, and v20 MR3, and a everlasting repair is obtainable in v21 MR1 and later.
Sophos Firewall hotfixes are put in by default, however you will discover directions on find out how to apply them and validate that they had been efficiently put in by referring to KBA-000010084.
Sophos has additionally proposed workarounds for mitigating dangers related to CVE-2024-12728 and CVE-2024-12729 for individuals who can’t apply the hotfix or improve.
To mitigate CVE-2024-12728, it is suggested to restrict SSH entry solely to the devoted HA hyperlink that’s bodily separated from different community visitors and reconfigure the HA setup utilizing a sufficiently lengthy and random customized passphrase.
For distant administration and entry, disabling SSH over the WAN interface and utilizing Sophos Central or a VPN is usually beneficial.
To mitigate CVE-2024-12729, it is suggested that admins make sure the Person Portal and Webadmin interfaces will not be uncovered to the WAN.
Replace 12/20/24: Up to date article to elucidate that hotfixes are put in by default.