Sophos Firewall Fixes Critical Remote Code Execution Vulnerability
December 20, 2024
Sophos has patched three vulnerabilities in its Firewall product that could allow unauthorized remote threat actors to carry out SQL injection, execute remote code, and gain privileged SSH access to devices. The vulnerabilities are present in Sophos Firewall version 21.0 GA (21.0.0) and older versions. The company has rolled out hotfixes, with permanent fixes delivered through new firmware updates.
The three flaws are CVE-2024-12727, CVE-2024-12728, and CVE-2024-12729. According to the company, CVE-2024-12727 affects approximately 0.05% of firewall devices that have the specific configuration required for exploitation. Meanwhile, CVE-2024-12728 impacts around 0.5% of devices.
Hotfixes for these vulnerabilities were released on different dates for various versions:
- CVE-2024-12727: hotfixes have been available since December 17 for v21 GA, v20 GA, v20 MR1, v20 MR2, v20 MR3, v19.5 MR3, v19.5 MR4, and v19.0 MR2. A permanent fix was introduced in v21 MR1 and newer versions.
- CVE-2024-12728: hotfixes were released between November 26 and 27 for v21 GA, v20 GA, v20 MR1, v19.5 GA, v19.5 MR1, v19.5 MR2, v19.5 MR3, v19.5 MR4, v19.0 MR2, and v20 MR2. Permanent fixes are included in v20 MR3, v21 MR1 and newer versions.
- CVE-2024-12729: hotfixes were released between December 4 and 10 for v21 GA, v20 GA, v20 MR1, v20 MR2, v19.5 GA, v19.5 MR1, v19.5 MR2, v19.5 MR3, v19.5 MR4, v19.0 MR2, v19.0 MR3, and v20 MR3. A permanent fix is available in v21 MR1 and later versions.
Sophos has also suggested workarounds for mitigating the risks associated with CVE-2024-12728 and CVE-2024-12729 for those who are unable to apply the hotfix or upgrade. To mitigate CVE-2024-12728, administrators should restrict SSH access to the dedicated HA link, which is physically separated from other network traffic, and reconfigure the HA setup using a sufficiently long and random custom passphrase. For remote management and access, disabling SSH over the WAN interface and using Sophos Central or a VPN instead is generally recommended. To mitigate CVE-2024-12729, administrators should ensure the User Portal and Webadmin interfaces are not exposed to the WAN.
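The following is an added example, not Sophos code or part of the advisory: it checks a device's firmware version against the permanent-fix releases named above (hotfix status is not modelled) and reports which of the two configuration workarounds a constructed device configuration does not satisfy. The version ordering (GA before MR1, MR2, ...), the configuration key names, and the passphrase length threshold are assumptions for this example.

```python
import re

# Permanent-fix releases as stated in the article; hotfix status is not modelled here.
# Tuples are (major, minor, maintenance release); GA is treated as MR0 (assumption).
PERMANENT_FIX = {
    "CVE-2024-12727": [(21, 0, 1)],              # v21 MR1 and newer
    "CVE-2024-12728": [(20, 0, 3), (21, 0, 1)],  # v20 MR3, v21 MR1 and newer
    "CVE-2024-12729": [(21, 0, 1)],              # v21 MR1 and newer
}
MIN_PASSPHRASE_LEN = 20  # assumed threshold; the advisory only says "sufficiently long and random"

def parse_version(text):
    """Turn strings like 'v20 MR3', '21.0 GA' or 'v19.5 MR4' into a comparable tuple."""
    m = re.fullmatch(r"v?(\d+)(?:\.(\d+))?\s*(?:GA|MR(\d+))", text.strip(), re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised Sophos Firewall version string: {text!r}")
    return (int(m.group(1)), int(m.group(2) or 0), int(m.group(3) or 0))

def has_permanent_fix(version, cve):
    """True if the running firmware is on or after a release that carries the permanent fix."""
    v = parse_version(version)
    thresholds = PERMANENT_FIX[cve]
    if v >= max(thresholds):  # on or beyond the newest fixed release line
        return True
    # An older branch is fixed only from its own maintenance release onward (e.g. v20 MR3).
    return any(v[:2] == t[:2] and v[2] >= t[2] for t in thresholds)

def workaround_gaps(cfg):
    """List the advisory workarounds a device configuration does not satisfy.
    cfg is a constructed dict of service -> zones (set of names) plus the HA passphrase."""
    gaps = []
    off_ha_link = cfg["ssh_zones"] - {"HA"}
    if off_ha_link:  # CVE-2024-12728: SSH only on the dedicated HA link
        gaps.append("CVE-2024-12728: SSH enabled outside the HA link on " + ", ".join(sorted(off_ha_link)))
    if len(cfg["ha_passphrase"]) < MIN_PASSPHRASE_LEN:
        gaps.append("CVE-2024-12728: HA passphrase shorter than %d characters" % MIN_PASSPHRASE_LEN)
    for service, key in (("User Portal", "user_portal_zones"), ("Webadmin", "webadmin_zones")):
        if "WAN" in cfg[key]:  # CVE-2024-12729: keep both interfaces off the WAN
            gaps.append(f"CVE-2024-12729: {service} exposed on WAN")
    return gaps

if __name__ == "__main__":
    # Constructed sample device, not a real one.
    device = {"version": "v20 MR3", "ssh_zones": {"HA", "WAN"}, "ha_passphrase": "short",
              "user_portal_zones": {"LAN"}, "webadmin_zones": {"LAN", "WAN"}}
    for cve in PERMANENT_FIX:
        print(cve, "permanently fixed" if has_permanent_fix(device["version"], cve) else "hotfix/upgrade needed")
    for gap in workaround_gaps(device):
        print("workaround missing:", gap)
```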