
Critical Sophos Security Bug Allows RCE on Firewalls

2022-03-28 17:33:43
Tara Seals
threatpost.com

CVSS v3.1 base score: 10 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: CHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS v2 base score: 9.3 High
  Access Vector: NETWORK
  Access Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: COMPLETE
  Integrity Impact: COMPLETE
  Availability Impact: COMPLETE
  Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Cybersecurity stalwart Sophos has patched a critical vulnerability in its firewall product that could allow remote code execution.

The flaw, tracked as CVE-2022-1040, is specifically an authentication-bypass vulnerability in the User Portal and Webadmin of the Sophos Firewall. It affects version 18.5 MR3 (18.5.3) and older of the appliance.

An exploit would give attackers control over the device, and enable them to disable the firewall, add new users, or use it as a jumping-off point for burrowing deeper into a company’s network.

Sophos did not provide technical details or a CVSS score for the bug, but listed it as “critical.”

The company pushed out a hotfix, but those without automatic updates enabled will need to manually update their appliances. There’s also a workaround, according to the company’s security advisory:

“Customers can protect themselves from external attackers by ensuring their User Portal and Webadmin are not exposed to WAN,” according to Sophos. “Disable WAN access to the User Portal and Webadmin by following device access best practices and instead use VPN and/or Sophos Central for remote access and management.”

An unnamed independent researcher was credited with reporting the flaw via Sophos’ bug bounty.

The vulnerability is the third bug for the vendor this month. Earlier in March, two others came to light, tracked as CVE-2022-0386 (a post-authentication SQL-injection issue) and CVE-2022-0652 (an insecure access permissions bug). They affected the Sophos UTM unified threat-management appliance.

