Thousands of Sophos servers are vulnerable to this dangerous exploit

A patch is available, Sophos says, so patch now


Cybersecurity researchers from VulnCheck have claimed thousands of internet-exposed servers running Sophos’ Firewall solution are vulnerable to a high-severity flaw that allows threat actors to remotely execute malware.

The company recently published a report in which it says that, after running a quick Shodan scan, it found more than 4,400 internet-exposed servers with Sophos Firewall vulnerable to CVE-2022-3236.

With a severity rating of 9.8, the flaw is a code injection vulnerability that allows threat actors to use the User Portal and Webadmin to deliver and run malware. The vulnerability was publicized in September 2022 when a hotfix was released. Soon after, Sophos released a fully-fledged patch and urged its users to apply it immediately.


Working exploit


Now, some four months later, there are still more than 4,000 endpoints that haven’t applied the patch, making up some 6% of all Sophos firewall instances, the researchers said.

“More than 99% of Internet-facing Sophos Firewalls haven’t upgraded to versions containing the official fix for CVE-2022-3236,” the announcement reads. “But around 93% are running versions that are eligible for a hotfix, and the default behavior for the firewall is to automatically download and apply hotfixes (unless disabled by an administrator). It’s likely that almost all servers eligible for a hotfix received one, although mistakes do happen. That still leaves more than 4,000 firewalls (or about 6% of Internet-facing Sophos Firewalls) running versions that didn’t receive a hotfix and are therefore vulnerable.”


None of this is purely theoretical, either. The researchers said they built a working exploit, warning that if they could do it, so can the hackers. In fact, some might have done it already, which is why VulnCheck shared two indicators of compromise: the log files found at /logs/csc.log and /log/validationError.log. If either of these contains a login request with the _discriminator field, chances are someone tried to exploit the flaw. The log files can’t be used to determine whether the attempt was successful or not, though.
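The log check described above, as an added example that is not code from the article or from VulnCheck. It assumes nothing about the real line layout of the Sophos logs (the page does not give one), so it simply flags any line that looks like a login request and carries the _discriminator field; the sample lines are constructed for the demonstration. As the article notes, a hit means an attempt, not a confirmed compromise.

```python
import re
from pathlib import Path
from typing import Iterable

# Log files named as indicators of compromise on the page.
IOC_LOG_PATHS = ["/logs/csc.log", "/log/validationError.log"]

# Assumption: a login request line mentions "login" and the suspicious field
# appears as "_discriminator". The patterns are deliberately loose so they
# tolerate JSON, key=value or URL-encoded request bodies; tighten them once
# you know the exact format your appliance writes.
LOGIN_RE = re.compile(r"login", re.IGNORECASE)
DISCRIMINATOR_RE = re.compile(r"_discriminator")


def find_discriminator_hits(lines: Iterable[str], source: str = "<memory>") -> list[dict]:
    """Return one record per line that is a login request containing _discriminator."""
    hits = []
    for number, line in enumerate(lines, start=1):
        if LOGIN_RE.search(line) and DISCRIMINATOR_RE.search(line):
            hits.append({"source": source, "line": number, "text": line.rstrip("\n")})
    return hits


def scan_log_files(paths: Iterable[str] = IOC_LOG_PATHS) -> list[dict]:
    """Scan the IoC log files that exist on this host; missing files are skipped."""
    hits = []
    for p in paths:
        path = Path(p)
        if not path.is_file():
            continue
        with path.open(errors="replace") as fh:
            hits.extend(find_discriminator_hits(fh, source=str(path)))
    return hits


# Constructed sample lines (not real Sophos output) so the check runs offline.
SAMPLE_LINES = [
    "2023-01-20 10:01:02 INFO  GET /userportal/ 200",
    '2023-01-20 10:01:09 INFO  POST /userportal/Controller mode=login {"username":"alice"}',
    '2023-01-20 10:02:15 WARN  POST /userportal/Controller mode=login {"username":"x","_discriminator":"..."}',
    "2023-01-20 10:02:16 WARN  validation error in login request: unexpected field _discriminator",
    "2023-01-20 10:03:00 INFO  session cleanup complete",
]


def summarize(hits: list[dict]) -> str:
    """Human-readable summary; a non-zero count is a reason to investigate, not proof of success."""
    if not hits:
        return "no login requests carrying _discriminator found"
    lines = [f"{len(hits)} suspicious login request(s):"]
    lines += [f"  {h['source']}:{h['line']}: {h['text']}" for h in hits]
    return "\n".join(lines)


if __name__ == "__main__":
    # Real appliance check; falls back to the constructed sample when the logs are absent.
    found = scan_log_files() or find_discriminator_hits(SAMPLE_LINES, source="sample")
    print(summarize(found))
```

Run it on the appliance (or on copies of the two logs) and treat any hit as a trigger for the next step: confirm the firewall version actually received the hotfix or the full fix, and review what the session that sent the request went on to do.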

The good news is that during authentication to the web client, the attacker needs to complete a CAPTCHA, making mass attacks highly unlikely. Targeted attacks are still very much a possibility, however.


“The vulnerable code is only reached after the CAPTCHA is validated. A failed CAPTCHA will result in the exploit failing. While not impossible, programmatically solving CAPTCHAs is a high hurdle for most attackers. Most Internet-facing Sophos Firewalls appear to have the login CAPTCHA enabled, which means, even at the most opportune times, this vulnerability was unlikely to have been successfully exploited at scale,” the researchers concluded.

Via: Ars Technica

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
