- In September last year, Sophos firewalls were found to be critically vulnerable to a remote code execution attack.
- Sophos took immediate action and released patches and hotfixes for the vulnerability, which is tracked as CVE-2022-3236.
- VulnCheck, a security company, states that more than 4,000 internet-facing Sophos firewalls are still vulnerable.
In September last year, we shared the news about the zero-day RCE vulnerability in the Sophos firewall, which is tracked as CVE-2022-3236 and carries a CVSS score of 9.8. It is a nasty code injection bug in the User Portal and Web Admin Console of Sophos Firewall, both of which are commonly exposed to the Internet.
Patched immediately
Sophos took immediate action and released a fix for the vulnerability. However, according to a report published by VulnCheck, a cybersecurity company, more than 4,400 Internet-facing Sophos firewalls remain vulnerable. Since no public proof-of-concept exploit existed for this vulnerability, VulnCheck built its own PoC to assess how exploitable the bug really is.
According to the post, more than 99% of the Internet-facing Sophos firewalls have not fully upgraded to a version that contains the official fix. However, about 93% of those run versions that are eligible for the hotfix Sophos provided, and the firewall downloads and applies hotfixes automatically by default, so these systems are protected unless an administrator disabled automatic hotfixes. The remaining 6% or so run versions that cannot receive the hotfix and are therefore still vulnerable; that translates to approximately 4,400 instances.
VulnCheck states that administrators can check the log files /logs/csc.log and /logs/validationError.log for a login request containing a _discriminator field; a legitimate login never carries that field, so its presence means someone attempted to exploit this vulnerability.
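The following scanner is an added example, not code from VulnCheck or Sophos. It applies the check described above to log lines: it pulls the JSON body out of each line, flags any request whose top-level object carries a `_discriminator` key, and falls back to a plain substring match for lines whose JSON cannot be parsed. The sample log lines are constructed for illustration; the real format of /logs/csc.log and /logs/validationError.log is not shown on the page and is assumed here.

```python
import json
import re
from typing import Dict, Iterable, List

# Constructed sample log lines. These are NOT real Sophos log output; the
# actual layout of /logs/csc.log and /logs/validationError.log is assumed.
SAMPLE_LOG_LINES = [
    '2023-01-12 10:01:02 userportal login request: {"username":"alice","password":"***","captcha":"x1y2"}',
    '2023-01-12 10:03:17 userportal login request: {"username":"bob","password":"***","_discriminator":"..."}',
    '2023-01-12 10:04:00 validationError: {"_discriminator": {"type": "..."}} from 203.0.113.5',
    '2023-01-12 10:05:30 webadmin login request: {"username":"carol","password":"***"}',
    '2023-01-12 10:06:00 unrelated line mentioning discriminator in prose',
]

# Default locations named by VulnCheck for the check.
DEFAULT_LOG_PATHS = ["/logs/csc.log", "/logs/validationError.log"]

# Greedy match from the first "{" to the last "}" on the line, so nested
# JSON objects are captured whole.
JSON_RE = re.compile(r"\{.*\}")


def _json_has_key(blob: str, key: str) -> bool:
    """Return True if blob parses as a JSON object with a top-level `key`."""
    try:
        obj = json.loads(blob)
    except ValueError:
        return False
    return isinstance(obj, dict) and key in obj


def find_exploit_attempts(lines: Iterable[str], key: str = "_discriminator") -> List[Dict[str, object]]:
    """Scan log lines for login requests carrying the `_discriminator` field.

    Each hit records the 1-based line number, how it matched ("json-key"
    when the parsed JSON body has the key, "substring" when only a raw
    string match was possible) and the offending line.
    """
    hits: List[Dict[str, object]] = []
    for lineno, line in enumerate(lines, 1):
        m = JSON_RE.search(line)
        if m and _json_has_key(m.group(0), key):
            hits.append({"line": lineno, "how": "json-key", "text": line})
        elif key in line:
            # Body not parseable as JSON (truncated, escaped, etc.) but the
            # field name is present: still worth an analyst's attention.
            hits.append({"line": lineno, "how": "substring", "text": line})
    return hits


def scan_files(paths: Iterable[str] = DEFAULT_LOG_PATHS) -> Dict[str, List[Dict[str, object]]]:
    """Run the check over real files; missing files are reported as empty."""
    results: Dict[str, List[Dict[str, object]]] = {}
    for path in paths:
        try:
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                results[path] = find_exploit_attempts(fh)
        except OSError:
            results[path] = []
    return results


if __name__ == "__main__":
    for hit in find_exploit_attempts(SAMPLE_LOG_LINES):
        print(f"line {hit['line']} ({hit['how']}): {hit['text']}")
```

On the constructed sample the scanner flags lines 2 and 3 only: line 5 mentions "discriminator" without the leading underscore and is correctly ignored, and the legitimate logins on lines 1 and 4 carry no such field. Run `scan_files()` on the appliance to check the two log files VulnCheck names.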
An attacker must first solve a CAPTCHA before the request reaches the vulnerable code, which makes automated mass exploitation impractical. Targeted attacks, however, remain a serious risk for Internet-facing Sophos firewalls that have neither the hotfix nor the fixed version installed.