WARNING: MULTIPLE VULNERABILITIES WERE PATCHED IN THE SOPHOS FIREWALL. PATCH IMMEDIATELY!
CVE-2024-12727
CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVE-2024-12728
CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVE-2024-12729
CVSS 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Sources
Risks
Sophos has released hotfixes to address three security flaws in Sophos Firewall products that could be exploited to achieve privilege escalation or Remote Code Execution (RCE).
- CVE-2024-12727: A pre-authentication SQL injection vulnerability (CVSS 9.8) that could lead to Remote Code Execution (RCE) in specific configurations.
- CVE-2024-12728: A weak, non-random SSH login passphrase vulnerability (CVSS 9.8) that could allow privilege escalation in High Availability (HA) setups.
- CVE-2024-12729: A post-authentication code injection vulnerability (CVSS 8.8) enabling RCE for authenticated users.
The first two vulnerabilities, CVE-2024-12727 & CVE-2024-12728, are classified as Critical, while the last one, CVE-2024-12729, is rated High. There is currently no evidence of these vulnerabilities being exploited in the wild.
Description
These vulnerabilities affect Sophos Firewall v21.0 GA (21.0.0) and older versions.
- CVE-2024-12727 (CVSS 9.8) – Pre-Auth SQL Injection Leading to RCE
A critical pre-authentication SQL injection vulnerability in the email protection feature of Sophos Firewall could allow attackers to access the reporting database and potentially lead to Remote Code Execution (RCE). This vulnerability requires specific configurations, such as having Secure PDF eXchange (SPX) enabled and the firewall operating in High Availability (HA) mode. While it affects a small percentage of devices, it poses a significant risk for those impacted.
- CVE-2024-12728 (CVSS 9.8) – Weak SSH Login Passphrase Resulting in Privilege Escalation
This vulnerability arises from using a suggested, non-random SSH login passphrase during High Availability (HA) cluster initialization. Sophos discovered that the passphrase remained active after the HA setup, potentially exposing a privileged system account if SSH is enabled.
- CVE-2024-12729 (CVSS 8.8) – Post-Auth Code Injection Enabling RCE
A post-authentication code injection vulnerability exists in the User Portal of Sophos Firewall. It can be exploited by users with valid credentials and can lead to Remote Code Execution (RCE).
Sophos has patched all three vulnerabilities. More information is available in their advisory: https://www.sophos.com/en-us/security-advisories/sophos-sa-20241219-sfos-rce
Recommended actions
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.
Monitor/Detect
The CCB recommends that organizations scale up their monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via https://ccb.belgium.be/nl/cert/een-incident-melden.
While patching appliances or software to the newest version may protect against future exploitation, it does not remediate a historic compromise.