Headline
Web security flaw in Sophos Firewall patched
Code injection vulnerability harnessed in attacks on south Asia
John Leyden 26 September 2022 at 14:02 UTC
Updated: 27 September 2022 at 08:50 UTC
Code injection vulnerability harnessed in attacks on south Asia
A recently resolved vulnerability in Sophos Firewall has been abused by attackers in targeted attacks, the vendor warns.
The critical vulnerability (CVE-2022-3236) poses a remote code execution (RCE) risk.
Sophos Firewall v19.0 MR1 (19.0.1) and older are potentially vulnerable to the security bug in the User Portal and Webadmin of Sophos Firewall.
Catch up on the latest network security news
In a security advisory published on Friday (September 23), Sophos said that it has issued a patch that installs automatically in default installations of its firewall technology.
This is just as well given the vulnerability has already featured in attacks in the wild.
“Sophos has observed this vulnerability being used to target a small set of specific organizations, primarily in the South Asia region,” the vendor’s advisory said. “We have informed each of these organizations directly.
“Sophos will provide further details as we continue to investigate,” it added.
Short of applying a patch, the vulnerability might be mitigated by disabling WAN access to the User Portal and Webadmin, Sophos advises.
The Daily Swig asked Sophos to explain in what ways the vulnerability has been exploited and how the problem was discovered.
In response, Sophos said it was alerted about the zero-day vulnerability by one of its customers. The vendor went on to reiterate that few of its customers were affected by the problem – without saying what issues they may have faced:
A customer notified Sophos, at which time Sophos took immediate steps to issue a hotfix, which was already applied last week. This only affected an extremely small subset of organizations.
The vulnerability is noteworthy since it represents a web security flaw in a network security product.
One infosec observer warned that the flaw is of the type that might lend itself to widespread abuse.
“This has a HIGH chance of mass exploitation, given the vulnerability is based on Code Injection (CWE-94) and if we look at the #CISA KEVs, at least 28 of those are Code Injection related,” said threat researcher Immanuel Chavoya in a post about the vulnerability on Twitter.
YOU MAY ALSO LIKE Vendor disputes seriousness of firewall plugin RCE flaw
Related news
The APT, aka Earth Estries, is one of China's most effective threat actors, performing espionage for sometimes years on end against telcos, ISPs, and governments before being detected.
The U.S. Federal Bureau of Investigation (FBI) has sought assistance from the public in connection with an investigation involving the breach of edge devices and computer networks belonging to companies and government entities. "An Advanced Persistent Threat group allegedly created and deployed malware (CVE-2020-12271) as part of a widespread series of indiscriminate computer intrusions designed
Microsoft released its final set of Patch Tuesday updates for 2023, closing out 33 flaws in its software, making it one of the lightest releases in recent years. Of the 33 shortcomings, four are rated Critical and 29 are rated Important in severity. The fixes are in addition to 18 flaws Microsoft addressed in its Chromium-based Edge browser since the release of Patch
Nearly 20% of the zero-day flaws that attackers exploited in 2022 were in network, security, and IT management products, Mandiant says.
Plus: WhatsApp plugs holes that could be used for remote execution attacks, Microsoft patches a zero-day vulnerability, and more.
Vendor patches code injection vulnerability harnessed in attacks on south Asia
Security software company Sophos has warned of cyberattacks targeting a recently addressed critical vulnerability in its firewall product. The issue, tracked as CVE-2022-3236 (CVSS score: 9.8), impacts Sophos Firewall v19.0 MR1 (19.0.1) and older and concerns a code injection vulnerability in the User Portal and Webadmin components that could result in remote code execution. The company said it