Sophos fixes critical firewall bug exploited in attacks
Companies in Asia attacked as Sophos recommends users of older versions of its firewall to update their software
The British security software vendor Sophos says it has addressed a code injection flaw, tracked as CVE-2022-3236, which existed in the company's firewall products and allowed threat actors to achieve remote code execution.
The company said it saw the security weakness being exploited by miscreants to target a small set of specific organisations, mostly in the South Asia region.
The vendor has notified each of these entities directly and has pushed the hotfix to clients who have enabled automatic hotfix installation on their systems.
CVE-2022-3236 affects the User Portal and Webadmin components of the firewall in versions 19.0 MR1 (19.0.1) and earlier. If successfully exploited, the bug enables remote code execution on the targeted vulnerable installation.
Last week, Sophos released hotfixes for the following supported versions (v17.0 through v19.0):
- v19.0 GA, MR1, and MR1-1
- v18.5 GA, MR1, MR1-1, MR2, MR3, and MR4
- v18.0 MR3, MR4, MR5, and MR6
- v17.5 MR12, MR13, MR14, MR15, MR16, and MR17
- v17.0 MR10
Additionally, a fix is included in v18.5 MR5 (18.5.5), v19.0 MR2 (19.0.2), and v19.5 GA.
Sophos offered a workaround that entails blocking WAN access to the User Portal and Webadmin. For remote access and administration, the company recommends using a VPN or the Sophos Central console.
Moreover, the company recommends users of older versions of Sophos Firewall to update their software to receive the latest security protections.
The firm said that it is still conducting its investigation and will provide more information later.
CVE-2022-3236 is now included in CISA's list of known Exploited Vulnerabilities (KEV) catalogue, so US federal civilian executive branch agencies are required to patch it.
Immanuel Chavoya, a threat researcher, said CVE-2022-3236 had a high possibility of being exploited because it was code injection vulnerability.
CVE-2022-3236 is not the first Sophos Firewall flaw to be disclosed while under active exploitation.
Recorded Future last week released a detailed analysis on several campaigns that it said were carried out by threat groups with ties to Beijing, who were seen exploiting a remote code execution bug in Sophos Firewall that the vendor fixed in April.
The bug, tracked as CVE-2022-1040, was also used to target many entities in South Asia.
At least three Chinese state-sponsored groups used this vulnerability to acquire initial unauthorised access to victims' networks, said Recorded Future.
In its own analysis, which was released in June, Sophos revealed that at least two advanced persistent threat groups had exploited CVE-2022-1040 before the company could provide a fix for the vulnerability.
The vulnerability had been exploited to deploy malware on machines that were already compromised.