{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2022-065.pdf"
    },
    "title": "RCE Vulnerability in Sophos Firewall",
    "serial_number": "2022-065",
    "publish_date": "26-09-2022 10:20:00",
    "description": "On September 23, 2022, Sophos warned about a critical code injection security vulnerability in the company\u2019s Firewall product that is being exploited in the wild. They observed the vulnerability being used to target a small set of specific organisations, primarily in the South Asia region.",
    "url_title": "2022-065",
    "content_markdown": "---\ntitle: 'RCE Vulnerability in Sophos Firewall'\nversion: '1.0'\nnumber: '2022-065'\noriginal_date: 'September 23, 2022'\ndate: 'September 26, 2022'\n---\n\n_History:_\n\n* _26/09/2022 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn September 23, 2022, **Sophos** warned about a critical code injection security vulnerability in the company\u2019s Firewall product that is being exploited in the wild. They observed the vulnerability being used to target a small set of specific organisations, primarily in the South Asia region [1].\n\n# Technical Details\n\nTracked as **CVE-2022-3236**, the flaw was found in the User Portal and Webadmin of Sophos Firewall, allowing attackers to execute code (RCE) [2, 3].\n\n# Affected Products\n\nSophos Firewall v19.0 MR1 (19.0.1) and older.\n\n# Recommendations\n\nThe company says it has released hotfixes for **Sophos Firewall** versions affected by this security bug (v19.0 MR1 (19.0.1) and older) that will roll out automatically to all instances, since automatic updates are enabled by default.\n\n_No action is required for **Sophos Firewall** customers with the **\"Allow automatic installation of hotfixes\"** feature enabled on remediated versions. Enabled is the default setting_ [1].\n\nTo receive the CVE-2022-3236 patch, an upgrade to a supported version of Sophos Firewall must be performed.\n\nSophos also provided detailed information on enabling the automatic hotfix installation feature^[<https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/BackupAndFirmware/Firmware/index.html#updating-ha-devices>] and on checking whether the hotfix was successfully installed^[<https://support.sophos.com/support/s/article/KB-000043853>].\n\n## Workarounds\n\nSophos provided a workaround for customers who cannot immediately patch the vulnerable software. This requires them to ensure that the firewall's **User Portal** and **Webadmin** are not exposed to WAN access.\n\n\"_Disable WAN access to the **User Portal** and **Webadmin** by following device access best practices^[<https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Administration/DeviceAccess/index.html>] and instead use VPN and/or Sophos Central (preferred) for remote access and management_,\" the company added [2].\n\n# References\n\n[1] <https://www.bleepingcomputer.com/news/security/sophos-warns-of-new-firewall-rce-bug-exploited-in-attacks/>\n\n[2] <https://www.sophos.com/en-us/security-advisories/sophos-sa-20220923-sfos-rce>\n\n[3] <https://cve.report/CVE-2022-3236>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>26/09/2022 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On September 23, 2022, <strong>Sophos</strong> warned about a critical code injection security vulnerability in the company\u2019s Firewall product that is being exploited in the wild. They observed the vulnerability being used to target a small set of specific organisations, primarily in the South Asia region [1].</p><h2 id=\"technical-details\">Technical Details</h2><p>Tracked as <strong>CVE-2022-3236</strong>, the flaw was found in the User Portal and Webadmin of Sophos Firewall, allowing attackers to execute code (RCE) [2, 3].</p><h2 id=\"affected-products\">Affected Products</h2><p>Sophos Firewall v19.0 MR1 (19.0.1) and older.</p><h2 id=\"recommendations\">Recommendations</h2><p>The company says it has released hotfixes for <strong>Sophos Firewall</strong> versions affected by this security bug (v19.0 MR1 (19.0.1) and older) that will roll out automatically to all instances, since automatic updates are enabled by default.</p><p><em>No action is required for <strong>Sophos Firewall</strong> customers with the <strong>\"Allow automatic installation of hotfixes\"</strong> feature enabled on remediated versions. Enabled is the default setting</em> [1].</p><p>To receive the CVE-2022-3236 patch, an upgrade to a supported version of Sophos Firewall must be performed.</p><p>Sophos also provided detailed information on enabling the automatic hotfix installation feature^[<a rel=\"noopener\" target=\"_blank\" href=\"https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/BackupAndFirmware/Firmware/index.html#updating-ha-devices\">https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/BackupAndFirmware/Firmware/index.html#updating-ha-devices</a>] and on checking whether the hotfix was successfully installed^[<a rel=\"noopener\" target=\"_blank\" href=\"https://support.sophos.com/support/s/article/KB-000043853\">https://support.sophos.com/support/s/article/KB-000043853</a>].</p><h3 id=\"workarounds\">Workarounds</h3><p>Sophos provided a workaround for customers who cannot immediately patch the vulnerable software. This requires them to ensure that the firewall's <strong>User Portal</strong> and <strong>Webadmin</strong> are not exposed to WAN access.</p><p>\"<em>Disable WAN access to the <strong>User Portal</strong> and <strong>Webadmin</strong> by following device access best practices^[<a rel=\"noopener\" target=\"_blank\" href=\"https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Administration/DeviceAccess/index.html\">https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Administration/DeviceAccess/index.html</a>] and instead use VPN and/or Sophos Central (preferred) for remote access and management</em>,\" the company added [2].</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.bleepingcomputer.com/news/security/sophos-warns-of-new-firewall-rce-bug-exploited-in-attacks/\">https://www.bleepingcomputer.com/news/security/sophos-warns-of-new-firewall-rce-bug-exploited-in-attacks/</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.sophos.com/en-us/security-advisories/sophos-sa-20220923-sfos-rce\">https://www.sophos.com/en-us/security-advisories/sophos-sa-20220923-sfos-rce</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://cve.report/CVE-2022-3236\">https://cve.report/CVE-2022-3236</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}