A critical zero-day vulnerability (CVE-2022-1040), detected in March 2022 in Sophos Firewall version 18.5.3 MR3 (18.5.3) and older, has been reported in the news to have been exploited in the South Asia region by an attacker group. This authentication bypass vulnerability in the User Portal and WebAdmin of the firewall can be exploited by a remote attacker to execute arbitrary code.
In an investigation carried out by the Volexity threat research team at an unnamed organisation, it was reported that the attacker first planted a backdoor on the Sophos Firewall, then created a VPN account, and then launched a man-in-the-middle (MITM) attack on connections to the victim's websites to steal session cookies, in order to compromise the web server and other servers outside the firewalled network (as shown in the picture below).
Picture source: https://thehackernews.com/2022/06/chinese-hackers-exploited-sophos.html
BtCIRT would like to inform all constituencies to take this vulnerability seriously, especially users of Sophos Firewall, as the consequences could be damaging, as detailed in the Volexity report. Please apply the updates immediately as per the recommendations below.
Recommended Remediations:
● Apply the available Sophos hotfixes for this vulnerability. Turn on automatic hotfix installation so that future hotfixes are applied automatically. To verify that the hotfixes have been applied to your Sophos Firewall, follow this article.
● Users of older versions of Sophos Firewall must upgrade to receive the latest protections and the available fix.
● Harden the firewall by disabling WAN access to the User Portal and WebAdmin, following the device access best practices provided here.
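The three recommendations above boil down to two questions per appliance: is the firmware in the affected range (18.5.3 and older, per the advisory) without the hotfix, and are the User Portal and WebAdmin reachable from the WAN? The following Python triage helper is an added example written for this advisory; it is not BtCIRT's or Sophos's code. It assumes the firmware string format (for example "SFOS 18.5.3 MR-3-Build408") and the inventory fields, and the sample inventory is constructed. Adapt the parser to whatever version string your appliances actually report.

```python
"""Added triage helper: classify a Sophos Firewall inventory against the
CVE-2022-1040 advisory.  Firmware-string format and inventory fields are
assumptions for this example, not taken from Sophos documentation."""
import re
from typing import List, NamedTuple, Optional, Tuple

# Affected range stated in the advisory: 18.5.3 (MR3) and older.
LAST_AFFECTED: Tuple[int, int, int] = (18, 5, 3)

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_sfos_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from a firmware string, e.g.
    'SFOS 18.5.3 MR-3-Build408' -> (18, 5, 3).  Format is assumed."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_affected(firmware: str) -> Optional[bool]:
    """True if the version is within the affected range, None if unparseable."""
    v = parse_sfos_version(firmware)
    return None if v is None else v <= LAST_AFFECTED


class Firewall(NamedTuple):
    name: str
    firmware: str
    wan_portal_access: bool   # User Portal / WebAdmin reachable from the WAN
    hotfix_applied: bool      # Sophos hotfix for CVE-2022-1040 confirmed applied


def triage_one(fw: Firewall) -> Tuple[str, str, List[str]]:
    """Return (name, severity, actions) for one appliance."""
    affected = is_affected(fw.firmware)
    actions: List[str] = []
    unpatched = False
    if affected is None:
        # Unknown version: treat as unpatched until verified by hand.
        actions.append("unrecognised firmware string: verify version manually")
        unpatched = True
    elif affected and not fw.hotfix_applied:
        actions.append("apply the Sophos hotfix or upgrade to a fixed release")
        unpatched = True
    if fw.wan_portal_access:
        actions.append("disable WAN access to User Portal and WebAdmin")
    # Exposure plus a missing fix is the case the Volexity report describes.
    if unpatched and fw.wan_portal_access:
        severity = "critical"
    elif unpatched:
        severity = "high"
    elif fw.wan_portal_access:
        severity = "medium"
    else:
        severity = "ok"
    return (fw.name, severity, actions)


def triage(inventory: List[Firewall]) -> List[Tuple[str, str, List[str]]]:
    """Triage every appliance in the inventory."""
    return [triage_one(fw) for fw in inventory]


# Constructed sample inventory (hypothetical devices, not real ones).
SAMPLE_INVENTORY = [
    Firewall("fw-branch-1", "SFOS 18.5.3 MR-3-Build408", True, False),
    Firewall("fw-branch-2", "SFOS 18.0.4 MR-4", False, False),
    Firewall("fw-hq", "SFOS 18.5.3 MR-3-Build408", False, True),
    Firewall("fw-dc", "SFOS 19.0.0 GA-Build317", True, False),
    Firewall("fw-lab", "unknown build", False, False),
]

if __name__ == "__main__":
    for name, severity, actions in triage(SAMPLE_INVENTORY):
        print(f"{name}: {severity} -> {'; '.join(actions) or 'no action'}")
```

An appliance that is both in the affected range without the hotfix and exposing its portals to the WAN is ranked first, since that combination is exactly the precondition for the attack chain described in the Volexity report; an unparseable version is deliberately treated as unpatched rather than silently skipped.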
For further information and assistance, please contact BtCIRT at cirt@btcirt.bt
References:
News report on the vulnerability being exploited in South Asia
Sophos advisory
Volexity report