British-based cybersecurity vendor Sophos warned that a recently patched Sophos Firewall bug allowing remote code execution (RCE) is now actively exploited in attacks.
The security flaw is tracked as CVE-2022-1040, and it received a critical severity rating with a 9.8/10 CVSS base score.
It enables remote attackers to bypass authentication via the firewall’s User Portal or Webadmin interface and execute arbitrary code.
The vulnerability was discovered and reported by an anonymous researcher who found that it impacts Sophos Firewall v18.5 MR3 (18.5.3) and older.
“Sophos has observed this vulnerability being used to target a small set of specific organizations primarily in the South Asia region,” the company said in an update to the original security advisory.
“We have informed each of these organizations directly. Sophos will provide further details as we continue to investigate.”
Hotfixes and workarounds
To address the critical bug, Sophos released hotfixes that should be automatically deployed to all vulnerable devices since the ‘Allow automatic installation of hotfixes’ feature is enabled by default.
However, end-of-life versions of Sophos Firewall do not receive these hotfixes, so customers running them must manually upgrade to patch the security hole and defend against the ongoing attacks.
For these customers and those who have disabled automatic updates, there’s also a workaround requiring them to secure the User Portal and Webadmin interfaces by restricting external access.
“Customers can protect themselves from external attackers by ensuring their User Portal and Webadmin are not exposed to WAN,” Sophos added.
“Disable WAN access to the User Portal and Webadmin by following device access best practices and instead use VPN and/or Sophos Central for remote access and management.”
In the wild exploitation of Sophos Firewall bugs
Sophos provides detailed information on enabling the automatic hotfix installation feature and checking if the hotfix was successfully deployed.
After toggling on automatic hotfix installation, Sophos Firewall will check for new hotfixes every thirty minutes and after restarts.
Patching your Sophos Firewall instances is critically important, especially since they have previously been exploited in the wild, with threat actors abusing an XG Firewall SQL injection zero-day starting in early 2020.
Asnarök trojan malware was also used to exploit the same zero-day to try and steal firewall credentials from vulnerable XG Firewall instances.
The zero-day was also exploited in attacks attempting to push Ragnarok ransomware payloads onto Windows enterprise networks.