Article Details
Scrape Timestamp (UTC): 2023-12-12 17:30:46.240
Original Article Text
Sophos backports RCE fix after attacks on unsupported firewalls

Sophos was forced to backport a security update for CVE-2022-3236 to end-of-life (EOL) firewall firmware versions after discovering hackers actively exploiting the flaw in attacks.

The flaw is a code injection problem in the User Portal and Webadmin of Sophos Firewall that allows remote code execution.

Sophos fixed the security issue in September 2022, when it warned about active exploitation in the wild, impacting versions 19.0.1 and older.

Although the vendor automatically rolled the hotfix out to appliances set to auto-accept security updates, by January 2023 over 4,000 internet-exposed appliances remained vulnerable to attacks.

Many of these were older devices running end-of-life firmware, whose owners had to apply mitigations or install the hotfix manually, and hackers have taken advantage of this gap.

"In December 2023, we delivered an updated fix after identifying new exploit attempts against this same vulnerability in older, unsupported versions of the Sophos Firewall," reads the updated security bulletin.

"We immediately developed a patch for certain EOL firmware versions, which was automatically applied to the 99% of affected organizations that have 'accept hotfix' turned on."

"Attackers commonly hunt for EOL devices and firmware from any technology vendor, so we strongly recommend that organizations upgrade their EOL devices and firmware to the latest versions."

If the auto-update option for hotfixes has been disabled, it is recommended to enable it and then follow this guide to verify that the hotfix has been applied.

Alternatively, manually update to one of the following versions of Sophos Firewall, which address CVE-2022-3236:

If you are using an even older version of the Sophos Firewall, you are advised to upgrade to one of the releases listed above.
For cases where updating is impossible, the recommended workaround is to restrict WAN access to the User Portal and Webadmin by following these instructions and instead use VPN or Sophos Central for remote access and management.
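As an added example (not from the article and not Sophos tooling), the following Python script covers the two checks a practitioner would want after reading the above: a triage filter that flags firmware strings in the "19.0.1 and older" range the article names, and an external TCP probe of the management ports to confirm that the WAN-access workaround actually took. The console version format ("SFOS 19.0.1 MR-1-Build365"), the default ports (Webadmin on TCP 4444, User Portal on TCP 443) and the sample version strings are assumptions; adjust them to your deployment.

```python
"""Post-mitigation checks for CVE-2022-3236 exposure (example code, not Sophos tooling)."""
import re
import socket
import sys
from typing import Callable, Dict, Optional, Tuple

# Assumed default listening ports: Webadmin on TCP 4444, User Portal on TCP 443.
# Change these if your appliance was reconfigured.
DEFAULT_PORTS: Dict[str, int] = {"webadmin": 4444, "user_portal": 443}

# Highest version the article names as affected ("19.0.1 and older").
LAST_AFFECTED: Tuple[int, int, int] = (19, 0, 1)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_sfos_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from a firmware string.

    Accepts the assumed console format 'SFOS 19.0.1 MR-1-Build365' or a bare
    '18.5.3'. MR/Build suffixes are ignored; a missing patch digit counts as 0.
    Returns None when no dotted version is present.
    """
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return int(major), int(minor), int(patch)


def in_affected_range(banner: str) -> bool:
    """True if the firmware version is 19.0.1 or older.

    Triage filter only: a device in range may already carry the hotfix
    (auto-accepted or manual), so True means 'verify the hotfix or upgrade',
    not 'confirmed vulnerable'.
    """
    version = parse_sfos_version(banner)
    if version is None:
        raise ValueError(f"unrecognised firmware string: {banner!r}")
    return version <= LAST_AFFECTED


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP handshake to host:port completes.

    Refused and filtered (timed-out) ports both come back False, which is the
    desired state for a management interface that should not face the WAN.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_wan_exposure(
    host: str,
    ports: Dict[str, int] = DEFAULT_PORTS,
    probe: Callable[[str, int], bool] = probe_tcp,
) -> Dict[str, bool]:
    """Probe each management service from the caller's vantage point.

    Run from outside the perimeter after restricting WAN access to the User
    Portal and Webadmin; every entry should be False. `probe` is injectable so
    the logic can be exercised without network access.
    """
    return {name: probe(host, port) for name, port in ports.items()}


def main(argv: list) -> int:
    if len(argv) != 2:
        print(f"usage: {argv[0]} <firewall-wan-ip>", file=sys.stderr)
        return 2
    results = check_wan_exposure(argv[1])
    for name, exposed in results.items():
        state = "EXPOSED" if exposed else "closed/filtered"
        print(f"{name:12s} tcp/{DEFAULT_PORTS[name]:<5d} {state}")
    # Non-zero exit when any management service answers from the WAN side.
    return 1 if any(results.values()) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run the script from a host outside the firewall's WAN interface, not from the LAN, since the point is to see what an attacker sees. A version in the affected range is not proof of vulnerability: the backported hotfix can be present on an otherwise old build, so pair the triage result with the vendor's hotfix verification guide before deciding a device is unpatched.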
Daily Brief Summary
Sophos has backported a security update to fix the actively exploited vulnerability CVE-2022-3236 in end-of-life firewall firmware versions.
The remote code execution flaw exists in the User Portal and Webadmin of Sophos Firewall, initially addressed in September 2022 for current versions.
Over 4,000 internet-visible appliances were still vulnerable in January 2023 due to running outdated firmware not automatically receiving updates.
Hackers targeted these unsupported and unpatched devices, prompting Sophos to release a backported patch in December 2023 for certain EOL firmware versions.
Sophos automatically applied the patch to 99% of affected organizations with the "accept hotfix" option enabled.
Organizations that have disabled automatic hotfix installation are advised to re-enable it and verify that the hotfix is present, or upgrade to a fixed firewall release.
Where upgrades are not possible, limiting WAN access to the User Portal and Webadmin and using VPN or Sophos Central for management is recommended.