Critical Security Update for Sophos Firewall

Critical security advisory addresses seven vulnerabilities including RCE

Threat ID:: CC-4223
Threat Severity:: Information only
Published:: 6 December 2022 2:08 PM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

Critical security advisory addresses seven vulnerabilities including RCE

Affected platforms

The following platforms are known to be affected:

Versions: all prior to 19.5 GA

Sophos Firewall

Threat details

Introduction

Sophos has released a security update to address seven vulnerabilities affecting the Sophos Firewall. The critical vulnerability CVE-2022-3236 and three other high severity vulnerabilities are related to remote code execution (RCE). The medium and low severity vulnerabilities are related to privilege escalation and SQL injection. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

Exploitation in the wild

Sophos said exploitation for CVE-2022-3236, a code injection vulnerability allowing remote code execution, has been seen in the wild. CISA added it to their Known Exploited Vulnerabilities Catalog when the vulnerability was released.

Remediation advice

Affected organisations are encouraged to review the Sophos Security Update and upgrade the Sophos Firewall to the latest version.

Definitive source of threat updates

CVE Vulnerabilities

Status Published

CVE-2022-3236

A code injection vulnerability in the User Portal and Webadmin allows a remote attacker to execute code in Sophos Firewall version v19.0 MR1 and older.

Status Published

CVE-2022-3226

An OS command injection vulnerability allows admins to execute code via SSL VPN configuration uploads in Sophos Firewall releases older than version 19.5 GA.

Status Published

CVE-2022-3713

A code injection vulnerability allows adjacent attackers to execute code in the Wifi controller of Sophos Firewall releases older than version 19.5 GA.

Status Published

CVE-2022-3696

A post-auth code injection vulnerability allows admins to execute code in Webadmin of Sophos Firewall releases older than version 19.5 GA.

Status Published

CVE-2022-3709

A stored XSS vulnerability allows admin to super-admin privilege escalation in the Webadmin import group wizard of Sophos Firewall releases older than version 19.5 GA.

Status Published

CVE-2022-3711

A post-auth read-only SQL injection vulnerability allows users to read non-sensitive configuration database contents in the User Portal of Sophos Firewall releases older than version 19.5 GA.

Status Published

CVE-2022-3710

A post-auth read-only SQL injection vulnerability allows API clients to read non-sensitive configuration database contents in the API controller of Sophos Firewall releases older than version 19.5 GA.

Last edited: 18 January 2023 2:27 pm