More than 4,000 public-facing Sophos firewalls remain vulnerable to a critical remote code execution bug disclosed last year and patched months later, according to security researchers.
The flaw, CVE-2022-3236, had already been exploited as a zero-day when Sophos published a security advisory about the vulnerability in September 2022. At the time, the vendor said the hole had been abused to target “a small set of specific organizations, primarily in the South Asia region.”
The vulnerability can be exploited to gain control of a device, which can then be commandeered to probe and attack the network or outside targets.
Sophos initially issued a hotfix for some versions of the firewall, and then released an formal update that squashed the bug in December 2022.
Despite that software update, however, “more than 99 percent of internet-facing Sophos Firewalls haven’t upgraded to versions containing the official fix for CVE-2022-3236,” according to VulnCheck researchers, who wrote their own proof-of-concept exploit and scanned internet-facing Sophos firewalls to determine how likely mass exploitation actually is.
Around 93 percent of the firewalls are eligible for the hotfix, which is applied by default unless disabled by an admin. So these firewalls likely received the fix, “although mistakes do happen,” VulnCheck researcher Jacob Baines wrote.
“That still leaves more than 4,000 firewalls (or about 6 percent of internet-facing Sophos Firewalls) running versions that didn’t receive a hotfix and are therefore vulnerable,” he said.
As of late last week, no public proof-of-concept exploits exist for CVE-2022-3236, according to Baines. But this shouldn’t provide too much comfort for anyone running unpatched versions. As the bug hunter noted: “it’s only a matter of time before something is made public.”
The security shop also published a couple of log files with indicators of exploitation attempts, which are worth checking out to help determine if your firewall has been compromised. With both, the presence of the “_discriminator” field in the login request “is sufficient to detect an exploit attempt,” according to the threat hunters.
Additionally — here’s the silver lining — there are limits to mass exploitation thanks to a CAPTCHA required by default to gain access. An attacker can only reach the buggy code after successfully completing the I-am-a-human test.
This is very good news for the 4,000-plus boxes running vulnerable Sophos code.
“While not impossible, programmatically solving CAPTCHAs is a high hurdle for most attackers,” Baines said. “Most internet-facing Sophos Firewalls appear to have the login captcha enabled, which means, even at the most opportune times, this vulnerability was unlikely to have been successfully exploited at scale.” ®