Sophos, a well-known cybersecurity firm, recently announced that it has patched three critical vulnerabilities in its Sophos Firewall product. The flaws, tracked as CVE-2024-12727, CVE-2024-12728, and CVE-2024-12729, exposed affected devices to SQL injection, privileged SSH access, and remote code execution.
The first vulnerability, CVE-2024-12727, was rated with a CVSS score of 9.8 and identified as a pre-auth SQL injection flaw in Sophos Firewall's email protection feature. It could lead to remote code execution when the SPX feature was enabled in combination with HA mode, a configuration affecting approximately 0.05% of devices. The second, CVE-2024-12728, also scored 9.8 on the CVSS scale and concerned a non-random SSH passphrase used during HA cluster setup on Sophos Firewall; it left privileged accounts exposed on approximately 0.5% of devices. The third, CVE-2024-12729, with a CVSS score of 8.8, was a post-auth code injection flaw in the User Portal that allowed authenticated users to execute code remotely on older versions of Sophos Firewall.
The company addressed these vulnerabilities promptly and published details and remediation guidance in an advisory. Customers running the updated versions with the "Allow automatic installation of hotfixes" feature enabled need take no further action; this feature is enabled by default.
To mitigate the SSH vulnerability (CVE-2024-12728), Sophos recommended restricting SSH access to the dedicated HA link and using a strong, random passphrase. For the code injection flaw in the User Portal (CVE-2024-12729), users were advised not to expose the User Portal to the WAN.
Sophos confirmed that it had not detected any active exploitation of these vulnerabilities in the wild. The company has nonetheless been working rigorously to address security concerns, particularly in light of previous incidents involving its firewall products.
Earlier this year, Chinese national Guan Tianfeng was charged by the U.S. for hacking thousands of Sophos firewall devices worldwide in 2020. Guan Tianfeng, also known as gbigmao and gxiaomao, had reportedly worked at Sichuan Silence Information Technology Co. and was responsible for developing and testing a zero-day exploit that affected around 81,000 firewalls. The exploited vulnerability, tracked as CVE-2020-12271, allowed attackers to compromise systems, steal data, and encrypt files to impede remediation efforts.
Sophos had faced a similar situation in April 2020, when it released an emergency patch for an SQL injection zero-day vulnerability in its XG Firewall product. Attackers had exploited this flaw to gain unauthorized access to exposed devices, prompting immediate action from the cybersecurity firm.
The company diligently investigated these incidents and took steps to enhance security measures to prevent future breaches. By promptly addressing vulnerabilities and offering clear guidance to customers, Sophos aims to prioritize the protection and security of its users’ data and systems.
As the threat landscape continues to evolve, vigilance and proactive security measures are essential to safeguard against potential cyber threats. Sophos remains committed to staying ahead of emerging risks and vulnerabilities to ensure the ongoing safety and security of its customers and their critical assets.