Reference: Advisory #2024-297
Version: 1.0
Affected software: Sophos Firewall
Type: Privilege escalation & Remote Code Execution
CVE/CVSS:
CVE-2024-12727: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVE-2024-12728: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVE-2024-12729: CVSS 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Sophos has released hotfixes to address three security flaws in Sophos Firewall products that could be exploited to achieve privilege escalation or Remote Code Execution (RCE).
The first two vulnerabilities, CVE-2024-12727 & CVE-2024-12728, are classified as Critical, while the last one, CVE-2024-12729, is rated High. There is currently no evidence of these vulnerabilities being exploited in the wild.
These vulnerabilities affect Sophos Firewall v21.0 GA (21.0.0) and older versions.
CVE-2024-12727
A critical pre-authentication SQL injection vulnerability in the email protection feature of Sophos Firewall allows an unauthenticated attacker to access the reporting database, which can lead to Remote Code Execution (RCE). Exploitation requires a specific configuration: Secure PDF eXchange (SPX) enabled in combination with the firewall running in High Availability (HA) mode. Only a small percentage of devices match this configuration, but for those that do the risk is significant.
CVE-2024-12728
A weak-credentials vulnerability. The SSH login passphrase that Sophos Firewall suggests during HA cluster initialization is non-random, and Sophos found that this passphrase could remain active after the HA setup completed. If SSH is also enabled, it potentially exposes a privileged system account.
CVE-2024-12729
A post-authentication code injection vulnerability in the User Portal of Sophos Firewall. Any user with valid credentials can exploit it, and exploitation can lead to Remote Code Execution (RCE).
Sophos has released fixes for all three vulnerabilities. More information is available in the Sophos advisory: https://www.sophos.com/en-us/security-advisories/sophos-sa-20241219-sfos-rce
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.
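Prioritising a fleet of firewalls is easier when the preconditions described above are applied to an asset inventory. The following Python is an added example for this advisory, not code from the CCB or from Sophos: it reduces an SFOS version string to a comparable triple, flags v21.0 GA (21.0.0) and older as affected, and maps each appliance's configuration (HA mode, SPX, SSH) onto the CVEs whose preconditions it meets, listing unauthenticated exposure first. The inventory field names, the version-string handling (including treating an MR-n suffix as patch level n when the third number is missing) and the sample devices are assumptions of this example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# The advisory names Sophos Firewall v21.0 GA (21.0.0) and older as affected.
LAST_AFFECTED = (21, 0, 0)
# Exposures reachable without valid credentials (CVSS PR:N in the advisory).
PRE_AUTH = {"CVE-2024-12727", "CVE-2024-12728"}


@dataclass(frozen=True)
class Appliance:
    """One firewall from an asset inventory (field names are this example's assumption)."""
    name: str
    version: str        # SFOS version string as displayed by the appliance
    ha_mode: bool       # running as a High Availability cluster
    spx_enabled: bool   # Secure PDF eXchange enabled in email protection
    ssh_enabled: bool   # SSH administrative access enabled


_TRIPLE_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")
_MR_RE = re.compile(r"MR-?(\d+)", re.IGNORECASE)


def parse_version(version: str) -> tuple[int, int, int]:
    """Reduce an SFOS version string to (major, minor, patch).

    Accepts forms such as 'SFOS 21.0.1 MR-1', '21.0.0 GA' or '19.5 MR-4'; any
    trailing build suffix is ignored. When the third number is missing, the MR
    number is used as the patch level (assumption: MR-n corresponds to x.y.n).
    """
    m = _TRIPLE_RE.search(version)
    if not m:
        raise ValueError(f"unrecognised SFOS version string: {version!r}")
    major, minor, patch = m.groups()
    if patch is None:
        mr = _MR_RE.search(version)
        patch = mr.group(1) if mr else "0"
    return int(major), int(minor), int(patch)


def is_affected(version: str) -> bool:
    """True for v21.0 GA (21.0.0) and every older release."""
    return parse_version(version) <= LAST_AFFECTED


def exposures(app: Appliance) -> list[str]:
    """List the advisory's CVEs whose preconditions this appliance meets."""
    if not is_affected(app.version):
        return []
    found = []
    if app.ha_mode and app.spx_enabled:
        found.append("CVE-2024-12727")   # pre-auth SQLi: needs SPX together with HA
    if app.ha_mode and app.ssh_enabled:
        found.append("CVE-2024-12728")   # HA setup passphrase reachable over SSH
    found.append("CVE-2024-12729")       # post-auth User Portal RCE: any affected build
    return found


def triage(inventory: list[Appliance]) -> list[tuple[str, list[str]]]:
    """Order affected appliances for patching: unauthenticated exposure first, then by count."""
    rows = [(a.name, exposures(a)) for a in inventory]
    rows = [r for r in rows if r[1]]
    rows.sort(key=lambda r: (-len(PRE_AUTH & set(r[1])), -len(r[1]), r[0]))
    return rows


# Constructed sample inventory for this example; these are not real devices.
SAMPLE_INVENTORY = [
    Appliance("fw-branch-1", "SFOS 21.0.0 GA", ha_mode=True, spx_enabled=True, ssh_enabled=True),
    Appliance("fw-branch-2", "SFOS 20.0.2 MR-2", ha_mode=True, spx_enabled=False, ssh_enabled=True),
    Appliance("fw-lab", "19.5 MR-4", ha_mode=False, spx_enabled=True, ssh_enabled=True),
    Appliance("fw-hq", "SFOS 21.0.1 MR-1", ha_mode=True, spx_enabled=True, ssh_enabled=True),
]

if __name__ == "__main__":
    for name, cves in triage(SAMPLE_INVENTORY):
        print(f"{name}: {', '.join(cves)}")
```

The result is a patching order, not proof of vulnerability: the fix Sophos describes is a hotfix, and an appliance that has already received it may still report its pre-fix version string, so this check over-approximates and hotfix status should be confirmed on the device itself.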
Monitor/Detect
The CCB recommends that organizations scale up their monitoring and detection capabilities to identify any related suspicious activity, so that an intrusion can be responded to swiftly.
In case of an intrusion, you can report an incident via https://ccb.belgium.be/nl/cert/een-incident-melden.
Patching appliances or software to the newest version protects against future exploitation, but it does not remediate a compromise that took place before the patch was applied.