Sophos is warning of an actively exploited vulnerability in its firewalls. Attackers can inject code from the internet into the User Portal and the Webadmin interface and thereby execute it remotely. The vulnerability already has an entry in the Common Vulnerabilities and Exposures database (CVE-2022-3236, CVSS 9.8, risk "critical"). Updates that close the gap are available.
Attacks on some organizations observed
The manufacturer also states that the vulnerability was used to target a small number of organizations, primarily in South Asia. Sophos has informed the affected organizations directly. The investigation is still ongoing, and the company intends to publish details as it progresses; so far none are available.
Updates that patch the vulnerability are already available. If the option "Allow automatic installation of hotfixes" is enabled, which Sophos says is the default, the fixed software is downloaded and installed automatically.
Affected are Sophos Firewall v19.0 MR1 (19.0.1) and older versions. Hotfixes have been published for v19.0 GA, MR1 and MR1-1; v18.5 GA, MR1, MR1-1, MR2, MR3 and MR4; v18.0 MR3, MR4, MR5 and MR6; v17.5 MR12, MR13, MR14, MR15, MR16 and MR17; and v17.0 MR10. The fix is also included in the releases v18.5 MR5 (18.5.5), v19.0 MR2 (19.0.2) and v19.5 GA.
According to the security advisory, Sophos provides no hotfixes for older software versions and points out that administrators must upgrade to a version that is still supported. The company also describes a workaround that keeps the vulnerable components off the internet: administrators should ensure that the User Portal and the Webadmin interface are not reachable from the WAN. For remote administration, the firewall should instead be accessed via VPN and/or Sophos Central.
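The version lists above are what an administrator with more than a handful of firewalls has to check against. The following Python script is an added example, not Sophos code: it transcribes the advisory's version lists from this article into a small triage routine and classifies each device as "fixed" (release ships with the fix), "hotfix" (a hotfix exists and its installation should be confirmed) or "upgrade" (no hotfix, so the device must move to a supported release). It assumes the device reports its firmware in the "SFOS 19.0.1 MR-1-Build365" form, that GA corresponds to maintenance release 0 and that MR1-1 shares the numeric version of MR1; the inventory at the bottom is constructed sample data, and the assumption that later 18.5 maintenance releases carry the 18.5 MR5 fix forward is ours, not the article's.

```python
"""Triage Sophos Firewall versions against the CVE-2022-3236 advisory.

Added example, not Sophos code. Version-string format and the branch
bookkeeping below are assumptions; the version lists come from the article.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed device format: "SFOS 19.0.1 MR-1-Build365"; we only need major.minor.mr
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")

# Last affected release per the advisory: v19.0 MR1 (19.0.1) and older.
LAST_AFFECTED = (19, 0, 1)

# 18.5 MR5 ships the fix but is numerically older than 19.0.1, so the 18.5
# branch needs its own threshold (assumption: later 18.5 MRs keep the fix).
FIXED_BRANCH_MINIMUM = {(18, 5): 5}

# Releases Sophos hotfixed in place (from the article). GA is MR 0; MR1-1
# reports the same numeric version as MR1 and is covered by the same entry.
HOTFIXED = {
    (19, 0): {0, 1},
    (18, 5): {0, 1, 2, 3, 4},
    (18, 0): {3, 4, 5, 6},
    (17, 5): {12, 13, 14, 15, 16, 17},
    (17, 0): {10},
}


@dataclass(frozen=True)
class Triage:
    version: Optional[Tuple[int, int, int]]
    state: str  # "fixed" | "hotfix" | "upgrade" | "unknown"
    advice: str


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, mr) from a reported version string, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(g) for g in m.groups()) if m else None


def triage(text: str) -> Triage:
    """Classify one reported version string against the advisory lists."""
    v = parse_version(text)
    if v is None:
        return Triage(None, "unknown", "could not parse version; inspect manually")
    branch, mr = v[:2], v[2]
    if v > LAST_AFFECTED or mr >= FIXED_BRANCH_MINIMUM.get(branch, 10**9):
        return Triage(v, "fixed", "release includes the fix for CVE-2022-3236")
    if mr in HOTFIXED.get(branch, set()):
        return Triage(v, "hotfix", "hotfix published; confirm it was applied "
                      "(automatic hotfix installation) or upgrade to 18.5 MR5 / "
                      "19.0 MR2 / 19.5 GA")
    return Triage(v, "upgrade", "no hotfix for this release; upgrade to a supported "
                  "version and keep User Portal and Webadmin off the WAN meanwhile")


# Constructed sample inventory (hostname, reported version); not real devices.
SAMPLE_INVENTORY = [
    ("fw-hq-1", "SFOS 19.0.1 MR-1-Build365"),
    ("fw-branch-2", "SFOS 18.5.4 MR-4-Build418"),
    ("fw-lab-3", "SFOS 19.0.2 MR-2-Build472"),
    ("fw-dc-4", "SFOS 18.5.5 MR-5-Build563"),
    ("fw-old-5", "SFOS 17.5.11 MR-11"),
    ("fw-bad-6", "unreachable"),
]


def triage_inventory(inventory):
    """Return {hostname: Triage} for every (hostname, version string) pair."""
    return {host: triage(ver) for host, ver in inventory}


if __name__ == "__main__":
    for host, t in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:12} {t.state:8} {t.advice}")
```

A "hotfix" result is not proof that the device is safe: the hotfix only lands if automatic installation was on or it was applied by hand, so that state is a prompt to verify on the box, not a green light.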
Security holes in Sophos firewalls were last actively exploited about six months ago. Then, too, the attackers primarily targeted organizations in South Asia.