
Sophos fixes critical hijack flaw in firewall offering

Sophos has patched a remote code execution (RCE) vulnerability in its firewall gear that was disclosed via its bug-bounty program.

The supplier wrote in a brief notice on Friday that the flaw is an authentication bypass that can potentially be exploited over the network or internet by miscreants to execute malicious code on a victim's equipment, effectively hijacking it.

The flaw is present in the User Portal and Webadmin user interfaces of Sophos Firewall. This product, using its Xstream architecture, is supposed to both protect the network from unauthorized access and accelerate a company’s software-as-a-service, software-defined WAN, and cloud traffic. It offers a range of functions, including SSL/TLS decryption and monitoring, and deep packet inspection to detect ransomware communications and other signs of intrusions or intrusion attempts.

The critical vulnerability – tracked as CVE-2022-1040, and rated 9.8 out of 10 in terms of severity – has been addressed in a hotfix that is automatically installed for those who have the feature enabled. The vulnerable versions are Sophos Firewall v18.5 MR3 (18.5.3) and older. Sophos also offered a workaround, saying organizations can further protect themselves against outside attackers by ensuring the User Portal and Webadmin are not exposed to the WAN.

If you’re running a supported version of Sophos Firewall, you can check to make sure you have the latest hotfixes for v17.0 MR10 EAL4+, v17.5 MR16 and MR17, v18.0 MR5(-1) and MR6, v18.5 MR1 and MR2, and v19.0 EAP. There are also hotfixes for some unsupported EOL versions, and if there is no hotfix available for your installation, you’ll have to upgrade your software to get protected.

This situation is a reminder that, yes, while automatic updates are useful, an IT department also needs a detailed inventory of its assets so that staff can identify which devices are out of date and require patching, and which devices can’t even get patches anymore because they have fallen out of support. If your gateway can no longer receive security fixes and a bug like this one crops up, you’ll probably find out the hard way.
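As an added illustration of the inventory check the previous two paragraphs call for (this is example code written for this page, not Sophos' tooling or anything from the vendor advisory), the script below triages a constructed firewall inventory against the hotfix list the article names. The column names (`hostname`, `version`, `admin_on_wan`), the accepted version-string formats, the flattening of "MR5(-1)" to MR5, and keying "19.0 EAP" as MR 0 are all assumptions; the "18.5 MR3 and older" cut-off and the hotfixed versions are taken from the article. The encoded list is only what the article prints, so the unnamed EOL hotfixes are not in it: a device that falls outside the list is flagged for a manual check against the advisory rather than declared unfixable.

```python
"""Triage a Sophos Firewall inventory against the CVE-2022-1040 hotfix list.

Added example for this page, not vendor code. Assumed: inventory column
names, version-string formats, "MR5(-1)" -> MR5, "19.0 EAP" keyed as MR 0.
"""
import csv
import io
import re

# Versions the article names as having a hotfix, keyed (major, minor, MR).
HOTFIXED = {
    (17, 0, 10), (17, 5, 16), (17, 5, 17),
    (18, 0, 5), (18, 0, 6),
    (18, 5, 1), (18, 5, 2),
    (19, 0, 0),   # "v19.0 EAP" (assumption: keyed as MR 0)
}
LAST_AFFECTED = (18, 5, 3)   # "v18.5 MR3 (18.5.3) and older" are vulnerable

# Accepts "18.5 MR3", "18.5.3", "SFOS 18.5.3 MR-3-Build408", "18.0 MR5(-1)",
# "17.0 MR10 EAL4+", "19.0 EAP" (formats are assumptions for this example).
_VERSION_RE = re.compile(
    r"(?P<maj>\d+)\.(?P<min>\d+)(?:\.(?P<patch>\d+))?"  # 18.5 or 18.5.3
    r"(?:[\s-]*MR-?(?P<mr>\d+))?",                     # optional MR3 / MR-3
    re.IGNORECASE,
)


def parse_sfos_version(text):
    """Return (major, minor, mr). SFOS uses the third component as the
    maintenance-release number (the article equates 18.5 MR3 with 18.5.3),
    so a bare "18.5.3" and "18.5 MR3" map to the same key."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    mr = m.group("mr") or m.group("patch") or "0"
    return (int(m.group("maj")), int(m.group("min")), int(mr))


def triage(row):
    """Actions for one inventory row (dict; column names are assumptions)."""
    key = parse_sfos_version(row["version"])
    actions = []
    # Affected if at or below the cut-off, or a named early-access build.
    if key <= LAST_AFFECTED or key in HOTFIXED:
        if key in HOTFIXED:
            actions.append("verify hotfix installed")
        else:
            actions.append("not in encoded hotfix list: check the advisory, otherwise upgrade")
    # The article's workaround: keep User Portal and Webadmin off the WAN.
    if row["admin_on_wan"].strip().lower() == "yes":
        actions.append("remove User Portal/Webadmin from WAN")
    return actions


def triage_inventory(csv_text):
    """Map hostname -> action list for a CSV inventory export."""
    return {r["hostname"]: triage(r) for r in csv.DictReader(io.StringIO(csv_text))}


# Constructed sample inventory: hostnames and build numbers are made up.
SAMPLE_INVENTORY = """hostname,version,admin_on_wan
fw-hq,SFOS 18.5.2 MR-2-Build380,yes
fw-branch1,18.0 MR3,no
fw-branch2,17.5 MR16,yes
fw-lab,19.0 EAP,no
"""

if __name__ == "__main__":
    for host, acts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {', '.join(acts) or 'no action'}")
```

Because a hotfix is applied in place and does not change the reported firmware version, the "verify hotfix installed" outcome is a prompt to confirm hotfix status on the device itself, not a conclusion that the box is safe.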

“The vast majority of companies have blind spots in their networks,” Greg Fitzgerald, co-founder of asset management startup Sevco Security, told The Register.

“These are the systems that don’t get patched and they continue to introduce significant risk to the networks they’re attached to. Patching known vulnerabilities is critically important, but if that patching strategy is not built on the foundation of an accurate IT asset inventory that reflects your true attack surface, it won’t be enough.”

Sophos runs its bug bounty program through Bugcrowd, a crowd-sourced security platform. The Sophos program offers rewards of $100 to $20,000 per vulnerability found. ®

Speaking of security… Google and Microsoft released Chrome and Edge updates on Friday that patched CVE-2022-1096, a type-confusion flaw in the V8 JavaScript engine. Google said exploit code for the programming blunder exists in the wild, and so you’re advised to update as soon as possible.

Ukraine’s biggest fixed line telecommunications company and ISP Ukrtelecom is, according to Forbes, under an intense cyber-attack – which could be a DDoS or an intrusion – that has disrupted its services and connectivity. This is being described as the biggest online attack against the country since it was invaded by Russia in late February.

Also, according to TechCrunch, Lapsus$ broke into the network of customer service giant Sitel in January and found, among other things, a file called DomAdmins-LastPass.xlsx that may have contained passwords for domain administrator accounts, exported from LastPass.