Thousands of Sophos firewalls still vulnerable out there to hijacking

More than 4,000 public-facing Sophos firewalls remain vulnerable to a critical remote code execution bug disclosed last year and patched months later, according to security researchers.

The flaw, CVE-2022-3236, had already been exploited as a zero-day when Sophos published a security advisory about the vulnerability in September 2022. At the time, the vendor said the hole had been abused to target "a small set of specific organizations, primarily in the South Asia region." 

The vulnerability can be exploited to gain control of a device, which can then be commandeered to probe and attack the network or outside targets.

Sophos initially issued a hotfix for some versions of the firewall, and then released a formal update that squashed the bug in December 2022.

Despite that software update, however, "more than 99 percent of internet-facing Sophos Firewalls haven't upgraded to versions containing the official fix for CVE-2022-3236," according to VulnCheck researchers, who wrote their own proof-of-concept exploit and scanned internet-facing Sophos firewalls to determine how likely mass exploitation actually is.

Around 93 percent of the firewalls are eligible for the hotfix, which is applied by default unless disabled by an admin. So these firewalls likely received the fix, "although mistakes do happen," VulnCheck researcher Jacob Baines wrote. 

"That still leaves more than 4,000 firewalls (or about 6 percent of internet-facing Sophos Firewalls) running versions that didn't receive a hotfix and are therefore vulnerable," he said.

Customers seeking info on the situation from the security slinger might find they are getting a little less support than usual as UK-headquartered Sophos is reportedly cutting headcount by 10 percent. That translates to 450 people axed globally.

The cuts are across the board as part of a move towards managed detection and response security services, a spokesperson said.

"Sophos is taking these steps for two main reasons: first, to ensure that we achieve the optimal balance of growth and profitability to support Sophos' long-term success, which is particularly important in the midst of a challenging and uncertain macro environment; and second, to allocate our investments across the company to support our strategic imperative to be a market leader in delivering cybersecurity as a service."

Sophos was bought by American private equity biz Thoma Bravo in a March 2020 deal that valued the concern at $3.9 billion.

As of late last week, no public proof-of-concept exploits exist for CVE-2022-3236, according to Baines. But this shouldn't provide too much comfort for anyone running unpatched versions. As the bug hunter noted: "it's only a matter of time before something is made public."

The security shop also published a couple of log files with indicators of exploitation attempts, which are worth checking out to help determine if your firewall has been compromised. With both, the presence of the "_discriminator" field in the login request "is sufficient to detect an exploit attempt," according to the threat hunters.
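The article quotes the one indicator VulnCheck says is sufficient: a `_discriminator` field in the login request. Below is an added example, not code from the article or from VulnCheck, that checks login request logs for that field. The log line layout (timestamp, source IP, method, path, request body), the `/portal/login` path and the sample lines are all constructed for illustration and are not the Sophos Firewall log format; only the field name comes from the article. It matches the field as a JSON key (including nested objects) or as a form-encoded parameter name, and deliberately does not flag the string when it appears only as a value, so an admin grepping their own logs gets fewer false positives.

```python
import json
import re
from typing import List, NamedTuple

# Constructed sample log lines. Assumed layout: "<ts> <src_ip> <method> <path> <body>".
# This is NOT the Sophos Firewall log format; adapt LINE_RE to the logs VulnCheck published.
SAMPLE_LOG = """\
2023-01-20T10:01:02Z 192.0.2.10 POST /portal/login {"username":"alice","password":"***"}
2023-01-20T10:01:05Z 198.51.100.7 POST /portal/login {"username":"x","password":"y","_discriminator":"AAAA"}
2023-01-20T10:01:09Z 203.0.113.5 POST /portal/login {"username":"bob","password":"***","extra":{"_discriminator":"zzz"}}
2023-01-20T10:02:00Z 192.0.2.11 GET /portal/login -
2023-01-20T10:02:30Z 198.51.100.9 POST /portal/login username=eve&password=p&_discriminator=1
2023-01-20T10:03:00Z 192.0.2.12 POST /portal/login {"username":"_discriminator","password":"p"}
"""

# The indicator quoted in the article; everything else here is an assumption.
INDICATOR = "_discriminator"

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) (?P<body>.*)$"
)


class Hit(NamedTuple):
    line_no: int
    timestamp: str
    src_ip: str
    path: str
    how: str  # "json-key" or "form-param"


def _json_has_key(obj, key: str) -> bool:
    """Return True if `key` appears as a dict key anywhere in a parsed JSON value.

    Only keys count: a login with username "_discriminator" is not a hit.
    """
    if isinstance(obj, dict):
        return key in obj or any(_json_has_key(v, key) for v in obj.values())
    if isinstance(obj, list):
        return any(_json_has_key(v, key) for v in obj)
    return False


def scan_lines(lines) -> List[Hit]:
    """Scan login request log lines and return every request carrying the indicator."""
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        m = LINE_RE.match(line.rstrip("\n"))
        if not m or m["method"] != "POST":
            continue  # only POSTed login bodies are interesting
        body = m["body"]
        how = None
        try:
            if _json_has_key(json.loads(body), INDICATOR):
                how = "json-key"
        except ValueError:
            # Not JSON: treat as form-encoded and match the parameter *name* as a whole token.
            if re.search(r"(?:^|[&?])" + re.escape(INDICATOR) + r"=", body):
                how = "form-param"
        if how:
            hits.append(Hit(n, m["ts"], m["ip"], m["path"], how))
    return hits


if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LOG.splitlines()):
        print(f"line {hit.line_no}: {hit.src_ip} -> {hit.path} ({hit.how}) at {hit.timestamp}")
```

Run against the constructed sample, lines 2, 3 and 5 are reported and lines 1, 4 and 6 are not; on real logs, the source IPs of the hits are what you would take to your firewall's own audit trail to check whether any of those requests went on to succeed.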

Additionally — here's the silver lining — there are limits to mass exploitation thanks to a CAPTCHA required by default to gain access. An attacker can only reach the buggy code after successfully completing the I-am-a-human test. 

This is very good news for the 4,000-plus boxes running vulnerable Sophos code.

"While not impossible, programmatically solving CAPTCHAs is a high hurdle for most attackers," Baines said. "Most internet-facing Sophos Firewalls appear to have the login captcha enabled, which means, even at the most opportune times, this vulnerability was unlikely to have been successfully exploited at scale." ®

Source: The Register
