Cybersecurity researchers from VulnCheck have claimed thousands of internet-exposed servers running the Sophos Firewall solution are vulnerable to a fatal bug that allows attackers to run malware remotely.
The company recently released a report stating that a quick Shodan scan found more than 4,400 internet-exposed Sophos Firewall servers vulnerable to CVE-2022-3236.
With a severity of 9.8, the bug is a code injection vulnerability that allows attackers to use the user portal and webadmin to deploy and execute malware. The vulnerability was disclosed in September 2022 when a hotfix was released. Soon after, Sophos released a full-fledged patch and urged its users to apply it immediately.
Working exploit
Now, about four months later, there are still more than 4,000 endpoints that haven’t applied the patch, accounting for about 6% of all Sophos firewall instances, the researchers said.
“More than 99% of internet-facing Sophos firewalls have not been updated to versions that include the official fix for CVE-2022-3236,” the announcement said. “But around 93% are running versions eligible for a hotfix, and the default behavior of the firewall is to download and apply hotfixes automatically (unless disabled by an administrator). It’s likely that nearly all servers eligible for a hotfix have received one, although bugs do happen. This leaves more than 4,000 firewalls (or around 6% of internet-facing Sophos Firewalls) still running versions that have not received a hotfix and are therefore vulnerable.”
None of this is purely theoretical either. The researchers said they built a working exploit, warning that if they could, so could the hackers. In fact, some may have already done so, which is why VulnCheck shared two indicators of compromise – the log files found at /logs/csc.log and /log/validationError.log. If either log shows the _Discriminator field included in a login request, chances are someone was trying to exploit the bug. However, the log files cannot be used to determine whether the attempt was successful or not.
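As an added example (not code from the article or from VulnCheck), the following Python script shows how a defender might sweep the two log files named above for the _Discriminator indicator and produce a triage list of source addresses. The log line format, the field layout and the addresses are constructed assumptions, since the article does not reproduce the actual Sophos log format; only the file names and the _Discriminator indicator come from the report.

```python
import re
from typing import Dict, List

# Constructed sample log lines. The real Sophos log layout is not shown in the
# article, so this "timestamp source: message" format is an assumption made
# only so the example runs offline. Addresses are from documentation ranges.
SAMPLE_CSC_LOG = """\
2023-01-09 10:12:01 csc: login request user=admin from 203.0.113.5 fields={"username":"admin","password":"***"}
2023-01-09 10:12:44 csc: login request user=admin from 198.51.100.7 fields={"username":"admin","_Discriminator":"x","password":"***"}
2023-01-09 10:13:02 csc: heartbeat ok
"""

SAMPLE_VALIDATION_LOG = """\
2023-01-09 10:12:44 validationError: unexpected key _Discriminator in login payload from 198.51.100.7
2023-01-09 10:15:10 validationError: bad captcha from 192.0.2.9
"""

# Indicator from the VulnCheck write-up: the _Discriminator field showing up in
# a login request. Matched as a whole, case-sensitive token.
INDICATOR = re.compile(r"\b_Discriminator\b")
# Source-address extraction; the "from <ip>" wording is part of the assumed format.
SRC_RE = re.compile(r"from (\d{1,3}(?:\.\d{1,3}){3})")


def find_exploit_attempts(log_name: str, text: str) -> List[dict]:
    """Return one finding per line that carries the _Discriminator indicator.

    A hit only shows an exploitation attempt. As the article notes, these logs
    cannot tell whether the attempt succeeded, so the verdict never claims it.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not INDICATOR.search(line):
            continue
        src = SRC_RE.search(line)
        findings.append({
            "log": log_name,
            "line": lineno,
            "source": src.group(1) if src else "unknown",
            "verdict": "attempt (success unknown)",
        })
    return findings


def scan_logs(logs: Dict[str, str]) -> List[dict]:
    """Scan every supplied log (path -> contents) and merge the findings."""
    findings = []
    for name, text in logs.items():
        findings.extend(find_exploit_attempts(name, text))
    return findings


def sources_to_triage(findings: List[dict]) -> List[str]:
    """Deduplicated, sorted list of source addresses worth a closer look."""
    return sorted({f["source"] for f in findings})


if __name__ == "__main__":
    # In production the two paths from the report would be read from disk;
    # here the constructed samples stand in for their contents.
    results = scan_logs({
        "/logs/csc.log": SAMPLE_CSC_LOG,
        "/log/validationError.log": SAMPLE_VALIDATION_LOG,
    })
    for f in results:
        print(f"{f['log']}:{f['line']} from {f['source']} -> {f['verdict']}")
    print("sources to triage:", sources_to_triage(results))
```

Because the logs only record the attempt, a hit should trigger a follow-up (patch status of the device, other activity from the same source) rather than be treated as confirmation of compromise.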
The good news is that the attacker has to fill out a CAPTCHA while authenticating with the web client, making mass attacks very unlikely. However, targeted attacks are still possible.
“The vulnerable code is only reached after the CAPTCHA is validated. A failed CAPTCHA will cause the exploit to fail. Solving CAPTCHAs programmatically is not impossible, but it is a high hurdle for most attackers. Most internet-facing Sophos firewalls appear to have login CAPTCHA enabled, meaning this vulnerability is unlikely to have been successfully exploited at scale even in the best of times,” the researchers concluded.
Via: ArsTechnica