Thousands of Sophos servers are vulnerable to this dangerous exploit


VulnCheck security researchers have claimed that thousands of internet-exposed Sophos Firewall appliances are vulnerable to a critical flaw that could let remote attackers execute code on the device and drop malware.

The company recently released a report saying that a quick Shodan scan turned up more than 4,400 internet-exposed Sophos Firewall instances still vulnerable to CVE-2022-3236.

Rated 9.8 on the CVSS severity scale, the bug is a code injection vulnerability in the User Portal and Webadmin web interfaces that could allow attackers to deliver and execute malware on the firewall. It was disclosed in September 2022, when Sophos released a hotfix; a full patch followed soon after, and Sophos urged its users to apply it immediately.

Working exploit

Now, some four months later, more than 4,000 firewalls still have not received the fix, about 6% of all internet-facing Sophos Firewall instances, the researchers said.

“More than 99% of internet-facing Sophos firewalls have not been upgraded to versions with the official fix for CVE-2022-3236,” the announcement reads. “However, about 93% are running hotfix eligible versions, and the firewall’s default behavior is to automatically download and apply hotfixes (unless disabled by an administrator). It is likely that almost all servers eligible for a hotfix have received one, although errors can occur. That still leaves over 4,000 firewalls (or about 6% of Internet-facing Sophos Firewalls) running versions that have not received a hotfix and are therefore vulnerable.”

Nor is this purely theoretical. The researchers said they built a working exploit and warned that if they could do it, attackers could too. Some already have, which is why VulnCheck shared two indicators of compromise: the log files /logs/csc.log and /log/validationError.log. If either contains the _discriminator field in a login request, someone has most likely tried to exploit the flaw. The log files cannot, however, show whether the attempt succeeded.
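One way to turn that indicator into a repeatable check, as an added example that is not VulnCheck's or Sophos' own tooling: the script below scans the two log files named above for login-related lines carrying the _discriminator field. The article does not show the real csc.log or validationError.log format, so the sample lines embedded here are constructed, the line layout is an assumption, and the only thing the code relies on is that an attempt leaves that field name in a line that also mentions a login. Because the logs cannot prove success, the summary deliberately reports only "possible exploit attempt".

```python
"""Added example (not part of the original article or VulnCheck's tooling):
look for the CVE-2022-3236 indicator of compromise in Sophos Firewall logs.

Assumptions: log lines are plain text, one event per line, and an exploit
attempt shows up as a login-related line containing "_discriminator".
"""
import re
from pathlib import Path
from typing import Dict, Iterable, List

# Field name VulnCheck cited as the indicator of an exploitation attempt.
INDICATOR = "_discriminator"

# Log locations as quoted in the article.
DEFAULT_LOGS = ("/logs/csc.log", "/log/validationError.log")

# Constructed sample lines for offline testing; NOT real Sophos output.
SAMPLE_CSC_LOG = """\
2023-01-17 10:01:02 INFO  userportal login request user=admin mode=151
2023-01-17 10:01:09 INFO  userportal login request user=admin _discriminator={"tmp":"x"} mode=151
2023-01-17 10:02:44 WARN  validationError: unexpected field _discriminator in form data
2023-01-17 10:03:10 INFO  webadmin logout user=admin
"""

LOGIN_RE = re.compile(r"\blogin\b", re.IGNORECASE)


def find_indicators(lines: Iterable[str], source: str = "<memory>") -> List[Dict[str, object]]:
    """Return one record per line that contains the indicator field.

    Lines that also mention a login are flagged login=True (the pattern
    VulnCheck described); other occurrences are kept with login=False so an
    analyst can triage them rather than silently dropping them.
    """
    hits: List[Dict[str, object]] = []
    for lineno, line in enumerate(lines, start=1):
        if INDICATOR not in line:
            continue
        hits.append({
            "source": source,
            "line": lineno,
            "login": bool(LOGIN_RE.search(line)),
            "text": line.rstrip("\n"),
        })
    return hits


def scan_files(paths: Iterable[str] = DEFAULT_LOGS) -> List[Dict[str, object]]:
    """Scan each existing log file; missing files are skipped, not an error."""
    hits: List[Dict[str, object]] = []
    for p in paths:
        path = Path(p)
        if not path.is_file():
            continue
        with path.open("r", errors="replace") as fh:
            hits.extend(find_indicators(fh, source=str(path)))
    return hits


def summarize(hits: List[Dict[str, object]]) -> str:
    """Wording reflects the caveat that the logs cannot show success."""
    login_hits = [h for h in hits if h["login"]]
    if login_hits:
        return (f"POSSIBLE EXPLOIT ATTEMPT: {len(login_hits)} login line(s) with "
                f"{INDICATOR}; success cannot be determined from logs")
    return "no indicator found"


if __name__ == "__main__":
    # On a real appliance scan_files() reads the default paths; if they are
    # absent (e.g. running this elsewhere) fall back to the constructed sample.
    results = scan_files() or find_indicators(SAMPLE_CSC_LOG.splitlines(), "sample")
    for h in results:
        print(f"{h['source']}:{h['line']} login={h['login']} {h['text']}")
    print(summarize(results))
```

Run it on the firewall itself or on copies of the two files pulled off the device; any login=True hit is worth a closer look at the surrounding lines and the source address, since the log alone will not tell you whether the injected payload actually ran.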

The good news is that the login flow for the web interfaces requires the attacker to solve a CAPTCHA first, which makes mass exploitation highly unlikely. Targeted attacks, however, remain very much possible.

“The vulnerable code is reached only after the CAPTCHA is validated. A failed CAPTCHA will cause the exploit to fail. While not impossible, solving CAPTCHAs programmatically is a major hurdle for most attackers. Most internet-facing Sophos firewalls appear to have the CAPTCHA login enabled, which means that even at the most opportune times, this vulnerability probably would not have been successfully widely exploited,” the researchers conclude.

Via: Ars Technica
