
More than 4,400 internet-facing servers are running versions of Sophos Firewall that are vulnerable to a severe exploit allowing attackers to execute malicious code, researchers warn.
CVE-2022-3236 is a code injection vulnerability that allows remote code execution in the user portal and webadmin of Sophos Firewall. It carries a severity rating of 9.8 out of 10. When Sophos disclosed the vulnerability last September, the company warned that it was already being exploited as a zero-day. Sophos pushed out a hotfix to prevent infections and urged customers to install a full patch later.
More than 4,400 servers running Sophos’ firewall remain vulnerable, according to recently published research. That accounts for about 6% of all Sophos firewalls, security firm VulnCheck said, citing Shodan search results.
“More than 99% of internet-facing Sophos Firewalls have not been upgraded to a version with an official fix for CVE-2022-3236,” writes VulnCheck researcher Jacob Baines. “However, approximately 93% are running a version targeted by the hotfix, and the firewall’s default behavior is to automatically download and apply the hotfix (unless an administrator disables it). Although mistakes do happen, almost all servers targeted for the hotfix have likely received it, but over 4,000 firewalls (approximately 6% of Internet-facing Sophos firewalls) are not patched. They are running an unsupported version, which leaves them vulnerable.”
The researchers say they were able to create a working exploit for the vulnerability based on the technical description in this advisory from the Zero Day Initiative. The unspoken implication of the research: if exploit code becomes public, there will be no shortage of servers that can be infected.
Baines urged Sophos firewall users to make sure they have applied the patch. He also advised users of vulnerable servers to check two indicators of possible compromise. The first is the log file located at /logs/csc.log and the second is /log/validationError.log. He said that if a login request contained the _discriminator field, there was likely an attempt to exploit the vulnerability, whether successful or not.
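The check described above, as an added example that is not part of the original article or of VulnCheck's tooling: a small Python scanner that walks the two log files named in the article and flags every line carrying the `_discriminator` field, so an administrator can triage exploitation attempts rather than grep by hand. The log line format, the `src=` token and the sample lines below are constructed for illustration; real Sophos log output may look different, and the only marker the article gives is the field name itself.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Both paths and the field name come from the article; nothing else here is from Sophos.
IOC_LOG_FILES = ("/logs/csc.log", "/log/validationError.log")
IOC_FIELD = "_discriminator"

# Assumed (constructed) log format: a "src=<ip>" token on login lines.
SRC_RE = re.compile(r"\bsrc=(\d{1,3}(?:\.\d{1,3}){3})")


@dataclass
class Hit:
    source: str      # which log file the line came from
    line_no: int     # 1-based line number inside that file
    line: str        # the raw line, for the analyst's record
    src_ip: str      # client IP if the line had a src= token, else ""


def scan_lines(source: str, lines: Iterable[str], marker: str = IOC_FIELD) -> List[Hit]:
    """Return every line of `lines` that contains the marker field name."""
    hits: List[Hit] = []
    for n, raw in enumerate(lines, start=1):
        line = raw.rstrip("\n")
        if marker in line:
            m = SRC_RE.search(line)
            hits.append(Hit(source, n, line, m.group(1) if m else ""))
    return hits


def scan_files(paths: Iterable[str] = IOC_LOG_FILES, marker: str = IOC_FIELD) -> Dict[str, List[Hit]]:
    """Scan each log file; a missing file yields an empty list so the report still completes."""
    results: Dict[str, List[Hit]] = {}
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                results[path] = scan_lines(path, fh, marker)
        except FileNotFoundError:
            results[path] = []
    return results


def summarize(results: Dict[str, List[Hit]]) -> Dict[str, object]:
    """Collapse hits into counts per file and the distinct client IPs seen."""
    per_file = {path: len(hits) for path, hits in results.items()}
    ips = sorted({h.src_ip for hits in results.values() for h in hits if h.src_ip})
    return {"total": sum(per_file.values()), "per_file": per_file, "src_ips": ips}


# Constructed sample lines (NOT real Sophos output); IPs are from documentation ranges.
SAMPLE_CSC_LOG = """\
2023-01-10 09:12:01 csc: login request user=admin src=198.51.100.7 fields=username,password
2023-01-10 09:12:05 csc: login request user=admin src=203.0.113.9 fields=username,password,_discriminator
2023-01-10 09:13:40 csc: login request user=ops src=198.51.100.8 fields=username,password
"""

SAMPLE_VALIDATION_LOG = """\
2023-01-10 09:12:05 validationError: unexpected field _discriminator in login payload src=203.0.113.9
2023-01-10 10:01:12 validationError: password too short src=198.51.100.8
"""


def demo() -> Dict[str, object]:
    """Run the scanner over the constructed samples instead of the live files."""
    results = {
        "/logs/csc.log": scan_lines("/logs/csc.log", SAMPLE_CSC_LOG.splitlines()),
        "/log/validationError.log": scan_lines("/log/validationError.log", SAMPLE_VALIDATION_LOG.splitlines()),
    }
    return summarize(results)


if __name__ == "__main__":
    # On a real appliance you would call scan_files() instead of demo().
    for path, hits in scan_files().items():
        for h in hits:
            print(f"{path}:{h.line_no}: {h.line}")
    print(demo())
```

A hit is only evidence of an attempt, as Baines notes, not proof of a successful exploit; the client IPs gathered by `summarize()` are there to correlate against other logs, and any line that matches still warrants applying the official fix rather than just the hotfix.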
The silver lining of the research is that large-scale exploitation is unlikely, because web clients must complete a CAPTCHA during authentication.
“Vulnerable code must be reached only after the CAPTCHA has been verified,” Baines wrote. “If the CAPTCHA fails, the exploit will fail. While not impossible, resolving the CAPTCHA programmatically is a high hurdle for most attackers. It appears to be enabled, which means that even at the most opportune time, this vulnerability is unlikely to be exploited on a large scale.”