Sophos Firewall Fixes Critical Remote Code Execution Vulnerability

December 20, 2024

Sophos has patched three vulnerabilities in its Firewall product that could potentially allow unauthorized remote threat actors to carry out SQL injection, execute remote code, and gain privileged SSH access to devices. The vulnerabilities are present in Sophos Firewall version 21.0 GA (21.0.0) and older versions. The company has rolled out hotfixes and permanent solutions through new firmware updates.

The three flaws are CVE-2024-12727, CVE-2024-12728, and CVE-2024-12729. According to the company, CVE-2024-12727 affects approximately 0.05% of firewall devices that have the specific configuration required for exploitation. Meanwhile, CVE-2024-12728 impacts around 0.5% of devices.

Hotfixes for these vulnerabilities were released on different dates for various versions. For CVE-2024-12727, hotfixes have been available since December 17 for versions 21 GA, v20 GA, v20 MR1, v20 MR2, v20 MR3, v19.5 MR3, v19.5 MR4, v19.0 MR2. A permanent fix was introduced in v21 MR1 and newer versions. Hotfixes for CVE-2024-12728 were released between November 26 and 27 for v21 GA, v20 GA, v20 MR1, v19.5 GA, v19.5 MR1, v19.5 MR2, v19.5 MR3, v19.5 MR4, v19.0 MR2, and v20 MR2. Permanent fixes are included in v20 MR3, v21 MR1 and newer versions. Hotfixes for CVE-2024-12729 were released between December 4 and 10 for versions v21 GA, v20 GA, v20 MR1, v20 MR2, v19.5 GA, v19.5 MR1, v19.5 MR2, v19.5 MR3, v19.5 MR4, v19.0 MR2, v19.0 MR3, and v20 MR3. A permanent fix is available in v21 MR1 and later versions.

Sophos has also suggested workarounds for mitigating the risks associated with CVE-2024-12728 and CVE-2024-12729 for those who are unable to apply the hotfix or upgrade. To mitigate CVE-2024-12728, it is advised to limit SSH access only to the dedicated HA link that is physically separated from other network traffic and reconfigure the HA setup using a sufficiently long and random custom passphrase. For remote management and access, disabling SSH over the WAN interface and using Sophos Central or a VPN is generally recommended. To mitigate CVE-2024-12729, it is suggested that administrators ensure the User Portal and Webadmin interfaces are not exposed to the WAN.

Latest News

Like what you see?

Get a digest of headlines, vulnerabilities, risk context, and more delivered to your inbox.

Subscribe Below

By submitting this form, you’re giving us permission to email you. You may unsubscribe at any time.

Accelerate Security Teams

Continuously identify and prioritize the risks that are most critical in your environment, and validate that your remediation efforts are reducing risk. An always-on single source-of-truth of your assets, services, and vulnerabilities.