
UPDATE: Sophos Firewall Critical Vulnerability - 20230120001

Overview

Since the initial advice on 8 December 2022 (Ref: 20221208002), the WA SOC has observed that a large number of internet-connected Sophos Firewall devices are still running vulnerable versions.

What is the vulnerability?

CVE-2022-3236: CVSS 9.8 - A code injection vulnerability in the User Portal and Webadmin allows a remote attacker to conduct RCE in Sophos Firewall.

CVE-2022-3713: CVSS 8.8 - A code injection vulnerability that can allow an adjacent attacker to execute code in the Wi-Fi controller of Sophos Firewall.

CVE-2022-3709: CVSS 8.4 - A stored XSS vulnerability in the Webadmin import group wizard of Sophos Firewall allows an administrator to escalate to super-administrator privileges.

CVE-2022-3696: CVSS 7.2 - A post-authentication code injection vulnerability that allows administrators to execute code in Webadmin of Sophos Firewall.

CVE-2022-3226: CVSS 7.2 - An OS command injection vulnerability allows admins to execute code via SSL VPN configuration uploads in Sophos Firewall.

CVE-2022-3711: CVSS 4.3 - A post-auth read-only SQL injection vulnerability allows users to read non-sensitive configuration database contents in the User Portal of Sophos Firewall.

What is vulnerable?

All versions of Sophos Firewall prior to v19.5 GA are considered vulnerable.

Recommendation

  1. Review the Sophos Advisory: https://www.sophos.com/en-us/security-advisories/sophos-sa-20221201-sfos-19-5-0.
  2. Ascertain whether your version of Sophos Firewall is vulnerable (any release earlier than v19.5 GA).
  3. If vulnerable, patch immediately to avoid exploitation.
  4. As a general hardening measure, confirm that the User Portal and Webadmin are not exposed to the WAN; Sophos recommends this in its advisories for these issues, and it reduces the reachable attack surface for CVE-2022-3236 while patching is scheduled.
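Step 2 above is usually done across a fleet rather than one device at a time. The following is an added example (not part of the WA SOC advisory or any Sophos tooling) that applies the page's rule, anything below v19.5 GA is vulnerable, to a constructed inventory of SFOS version strings. The version string format "SFOS X.Y.Z GA|MR-n[-BuildNNN]" is an assumption modelled on how SFOS labels its releases, and the hostnames are hypothetical. The check does not account for any hotfix state a device may report; consult the Sophos advisory for that.

```python
from __future__ import annotations
import re

# Constructed sample inventory (hypothetical hostnames and version strings).
# The "SFOS X.Y.Z GA|MR-n[-BuildNNN]" format is an assumption about how SFOS
# reports its release, not text taken from the advisory.
SAMPLE_INVENTORY = {
    "fw-branch-01": "SFOS 18.5.4 MR-4-Build418",
    "fw-dc-01": "SFOS 19.0.1 MR-1-Build365",
    "fw-dc-02": "SFOS 19.5.0 GA-Build263",
    "fw-lab-01": "19.5.1 MR-1",
    "fw-old-01": "SFOS 17.5.17 MR-17",
    "fw-unknown": "n/a",
}

# v19.5 GA, the first release the advisory treats as fixed.
# Represented as (major, minor, patch, maintenance_release); GA is MR 0.
FIXED_VERSION = (19, 5, 0, 0)

_VERSION_RE = re.compile(
    r"^(?:SFOS\s+)?(\d+)\.(\d+)(?:\.(\d+))?\s*(GA|MR-(\d+))?",
    re.IGNORECASE,
)


def parse_sfos_version(text: str) -> tuple[int, int, int, int]:
    """Return (major, minor, patch, maintenance_release) for an SFOS version.

    GA is treated as maintenance release 0 so that "19.5.0 GA" sorts below
    "19.5.1 MR-1" while still comparing equal to the fixed version.
    Raises ValueError for strings that do not look like an SFOS version.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised SFOS version string: {text!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3) or 0)
    mr = int(m.group(5)) if m.group(5) else 0
    return (major, minor, patch, mr)


def classify(version_text: str) -> str:
    """Classify one device as 'vulnerable', 'patched' or 'unknown'.

    'unknown' is returned when the version cannot be parsed, so that a
    malformed inventory entry is surfaced rather than silently treated as safe.
    """
    try:
        version = parse_sfos_version(version_text)
    except ValueError:
        return "unknown"
    return "vulnerable" if version < FIXED_VERSION else "patched"


def triage(inventory: dict[str, str]) -> tuple[list[str], list[str], list[str]]:
    """Split an inventory into (vulnerable, patched, unknown) host lists."""
    buckets: dict[str, list[str]] = {"vulnerable": [], "patched": [], "unknown": []}
    for host, version_text in sorted(inventory.items()):
        buckets[classify(version_text)].append(host)
    return buckets["vulnerable"], buckets["patched"], buckets["unknown"]


if __name__ == "__main__":
    vulnerable, patched, unknown = triage(SAMPLE_INVENTORY)
    print("Vulnerable (below v19.5 GA):", ", ".join(vulnerable) or "none")
    print("Patched (v19.5 GA or later):", ", ".join(patched) or "none")
    print("Unparseable version, review manually:", ", ".join(unknown) or "none")
```

Hosts in the "unknown" bucket should be reviewed by hand rather than dropped; an asset whose version cannot be read is not evidence that it is patched.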