Analysis
On 23rd September Sophos published an article regarding its actively exploited critical vulnerability in a wild. It was reported that one of the undisclosed customers of Sophos faced exploitation of code injection vulnerability in the user portal and web admin of Sophos firewall.
With the successful exploitation of the vulnerability, the malicious actor can execute remote code and can gain further access to the system. After the discovery of this vulnerability, Sophos issued a temporary fix advisory for this vulnerability and later released a patch.
The vulnerability was classified as CVE-2022-3236 in Common Vulnerability and exposures vulnerability database, which has a severity of “Critical” and a vulnerability score of 9.8 as per CVSS v3.1(Common vulnerability scoring system).
CVSS v3.1: 9.8 (Critical)
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
Prevention
- Disable Wide area network access to the User Portal and Web admin for the firewall.
- Enable “Allow automatic installation of hotfixes”
- Update to the latest versions v18.5 MR5 (18.5.5), v19.0 MR2 (19.0.2), and v19.5 GA.
References
NIST-National Vulnerability Database
Sophos