Sophos has fixed a critical vulnerability in its Sophos Firewall product. The flaw, tracked as CVE-2022-1040, is an authentication bypass in the firewall's User Portal and Webadmin interfaces that allows remote code execution. Sophos published a security advisory rating the vulnerability at CVSS 9.8.
CVSS score: 9.8
Sophos stated that the vulnerability affects Sophos Firewall 18.5 MR3 (18.5.3) and older. It was reported through the Sophos bug bounty program by an external security researcher. Customers who have the "Allow automatic installation of hotfixes" feature enabled, which is the default setting, on a version that received a hotfix need to take no further action.
Sophos also shared a workaround. Customers can protect themselves by ensuring the User Portal and Webadmin are not exposed to the WAN: disable WAN access to both interfaces by following the device access best practices, and use a VPN and/or Sophos Central for remote access and management instead.
Remediation:
- Hotfixes for v17.0 MR10 EAL4+, v17.5 MR16 and MR17, v18.0 MR5(-1) and MR6, v18.5 MR1 and MR2, and v19.0 EAP published on March 23, 2022
- Hotfixes for unsupported EOL versions v17.5 MR12 through MR15, and v18.0 MR3 and MR4 published on March 23, 2022
- Hotfixes for unsupported EOL version v18.5 GA published on March 24, 2022
- Hotfixes for v18.5 MR3 published on March 24, 2022
- Fix included in v19.0 GA and v18.5 MR4 (18.5.4)
- Users of older versions of Sophos Firewall must upgrade to a supported version to receive this fix and the latest protections
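As an added example (this is not Sophos's code and does not come from the advisory), the following Python triages a firewall against the version information above and checks whether the two affected interfaces answer on the WAN address. The User Portal on port 443 and Webadmin on port 4444 are the defaults assumed here and are parameters; the version-string forms parsed ("18.5 MR3", "18.5.3", "v19.0 GA", "v18.0 MR5(-1)", "v19.0 EAP") are the ones the advisory uses. The important caveat is built in: a version string cannot reveal whether a hotfix was installed, so anything older than 18.5 MR4 or 19.0 GA is reported as "fix not in release" and must be confirmed separately.

```python
import re
import socket

# Version-string grammar as used in the Sophos advisory: "18.5 MR3", "18.5.3",
# "v19.0 GA", "v18.0 MR5(-1)", "v19.0 EAP", optionally followed by an EAL marker.
_VERSION_RE = re.compile(
    r"^v?(?P<major>\d+)\.(?P<minor>\d+)"
    r"(?:\.(?P<patch>\d+)"
    r"|\s*(?:MR\s*(?P<mr>\d+)(?:\s*-\s*\d+|\(-\d+\))?|(?P<ga>GA)|(?P<eap>EAP)))?"
    r"(?:\s+EAL\d+\+?)?\s*$",
    re.IGNORECASE,
)


def parse_version(text):
    """Map a Sophos Firewall version string to a comparable (major, minor, patch) tuple.

    MRn and X.Y.n both become patch n; GA (or a bare X.Y) is patch 0; EAP is a
    pre-release and becomes -1 so it sorts below GA of the same line.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Sophos Firewall version string: {text!r}")
    major, minor = int(m["major"]), int(m["minor"])
    if m["patch"] is not None:
        patch = int(m["patch"])
    elif m["mr"] is not None:
        patch = int(m["mr"])
    elif m["eap"]:
        patch = -1
    else:
        patch = 0
    return (major, minor, patch)


def release_contains_fix(version):
    """True only if the CVE-2022-1040 fix is part of the release itself.

    Per the advisory the fix shipped in 18.5 MR4 (18.5.4) and 19.0 GA. Every
    other listed version depends on a hotfix, which the version string does not
    show, so False here means "confirm the hotfix or upgrade", not "vulnerable".
    """
    major, minor, patch = parse_version(version)
    if (major, minor) == (19, 0):
        return patch >= 0          # 19.0 GA and later; 19.0 EAP builds needed a hotfix
    if (major, minor) == (18, 5):
        return patch >= 4          # 18.5 MR4 and later
    return (major, minor) > (19, 0)


def portal_reachable(host, port, timeout=3.0):
    """Plain TCP connect test. True means something accepted the connection on
    that port, i.e. the interface is most likely exposed on that address."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def triage(version, wan_ip, user_portal_port=443, webadmin_port=4444):
    """Combine the release check with the WAN exposure check for both interfaces.
    Port defaults are an assumption (Sophos Firewall factory defaults), not taken
    from the advisory; pass the real ports if they were changed."""
    findings = {"release_contains_fix": release_contains_fix(version)}
    for name, port in (("user_portal", user_portal_port), ("webadmin", webadmin_port)):
        findings[f"{name}_reachable_from_wan"] = portal_reachable(wan_ip, port)
    findings["action_needed"] = not findings["release_contains_fix"] or any(
        findings[k] for k in ("user_portal_reachable_from_wan", "webadmin_reachable_from_wan")
    )
    return findings


if __name__ == "__main__":
    # Constructed example: a pre-fix release on a WAN address that nobody listens on.
    print(triage("18.5 MR3", "192.0.2.10"))
```

Run the exposure check from a host outside the firewall's WAN side; running it from the LAN proves nothing about WAN exposure. For a device that reports `action_needed`, either upgrade to 18.5 MR4 / 19.0 GA or later, or confirm the hotfix was applied and close WAN access to both interfaces as the workaround describes.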