Over 4,000 Sophos firewall servers still vulnerable to code injection vulnerability

Miscreants could use the bug to launch remote code execution attacks

Over 4,000 Sophos firewall devices exposed to the internet are affected by a critical vulnerability that enables hackers to run malicious code on the target device.

This code injection vulnerability, tracked as CVE-2022-3236, was disclosed and patched by security software provider Sophos in September. The firm revealed at that time that the flaw was being exploited by miscreants to target a small set of specific organisations, mostly in the South Asia region.

CVE-2022-3236 has a severity rating of 9.8 out of 10 and it affects the User Portal and Webadmin components of the firewall in versions 19.0 MR1 (19.0.1) and earlier.

If successfully exploited, the bug enables remote code execution (RCE) on the targeted vulnerable installations.

When Sophos disclosed the bug in September, it released hotfixes for multiple versions of the Sophos Firewall. Three months later, in December 2022, Sophos announced official fixes for the flaw. The company advised users of older versions of Sophos Firewall to update their software to receive the latest security protections.

According to a new analysis by security company VulnCheck, more than 4,000 servers using the Sophos firewall are still vulnerable to CVE-2022-3236. This makes up around 6% of all Sophos firewalls, VulnCheck said, citing data from a Shodan search.

According to VulnCheck researcher Jacob Baines, more than 99% of Internet-facing Sophos firewalls haven't updated to versions containing the official patch for CVE-2022-3236. Of all firewall users, 93% are running versions that are eligible for a hotfix, and the firewall's default setting is to download and install hotfixes automatically - unless it is disabled by the admin.

"It's likely that almost all servers eligible for a hotfix received one, although mistakes do happen. That still leaves more than 4,000 firewalls (or about 6% of Internet-facing Sophos Firewalls) running versions that didn't receive a hotfix and are therefore vulnerable," Baines noted.

Fortunately, a proof-of-concept exploit for CVE-2022-3236 has not yet been made public online, despite the fact that the vulnerability has already been exploited as a zero-day.

Baines said he was able to recreate a working exploit using technical details provided by Trend Micro's Zero Day Initiative (ZDI), making it probable that other threat actors will soon be able to do the same.

If exploit code becomes available, it will almost certainly spark a fresh round of attacks.

Baines advised Sophos firewall customers to keep their firewalls patched. He added that Sophos Firewall's default requirement for web clients to complete a CAPTCHA during authentication would probably prevent widespread exploitation of the weakness.

Attackers would need to include an automated CAPTCHA solver to get past this restriction and access the vulnerable code. "A failed CAPTCHA will result in the exploit failing," he said.

While it's not impossible, most attackers find it difficult to programmatically solve CAPTCHAs.

Patching Sophos Firewall vulnerabilities is vital, since this is not the first time such a vulnerability has been exploited in the wild.

In March 2022, Sophos released a fix for a major vulnerability in the User Portal and Webadmin modules of the Sophos Firewall that permitted authentication bypass and arbitrary code execution attacks.

The bug, tracked as CVE-2022-1040, was used to target many entities in South Asia.

At least three Chinese state-sponsored groups used this vulnerability to acquire initial unauthorised access to victims' networks.

In its own analysis published in June, Sophos said that at least two advanced persistent threat groups had exploited CVE-2022-1040 before the company could provide a fix for the vulnerability.