Thousands of Sophos servers are vulnerable to this dangerous exploit


Cybersecurity researchers from VulnCheck have claimed thousands of internet-exposed servers running Sophos’ Firewall solution are vulnerable to a high-severity flaw that allows threat actors to remotely execute malware. 

The company recently published a report in which it says that, after running a quick Shodan scan, it found more than 4,400 internet-exposed servers with Sophos Firewall vulnerable to CVE-2022-3236.

With a severity rating of 9.8, the flaw is a code injection vulnerability that allows threat actors to use the User Portal and Webadmin to deliver and run malware. The vulnerability was publicized in September 2022 when a hotfix was released. Soon after, Sophos released a fully-fledged patch and urged its users to apply it immediately.


Working exploit

Now, some four months later, there are still more than 4,000 endpoints that haven’t applied the patch, making up some 6% of all Sophos firewall instances, the researchers said.

“More than 99% of Internet-facing Sophos Firewalls haven't upgraded to versions containing the official fix for CVE-2022-3236,” the announcement reads. “But around 93% are running versions that are eligible for a hotfix, and the default behavior for the firewall is to automatically download and apply hotfixes (unless disabled by an administrator). It’s likely that almost all servers eligible for a hotfix received one, although mistakes do happen. That still leaves more than 4,000 firewalls (or about 6% of Internet-facing Sophos Firewalls) running versions that didn’t receive a hotfix and are therefore vulnerable.”

None of this is purely theoretical, either. The researchers said they built a working exploit, warning that if they could do it, so can the hackers. In fact, some might have done it already, which is why VulnCheck shared two indicators of compromise: the log files found at /logs/csc.log and /log/validationError.log. If either of these contains the_discriminator field in a login request, chances are that someone tried to exploit the flaw. The log files can't be used to determine whether the attempt was successful, though.
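As an added example (not VulnCheck's or Sophos' own code), here is a small defender-side scanner for the indicator described above: it reads the two log files the researchers name and reports lines that carry the the_discriminator field in a login request. The layout of Sophos Firewall log lines is not documented on this page, so the sample lines embedded below are constructed for illustration, and the "login request" context check is an assumption you should adapt to the real format; the file paths are the ones quoted in the article.

```python
import re
from pathlib import Path
from typing import Iterable, List, Tuple

# Indicator named by VulnCheck: a login request carrying a "the_discriminator" field.
INDICATOR = "the_discriminator"
# Assumption: login-request lines mention "login" somewhere; adjust for the real format.
LOGIN_CONTEXT = re.compile(r"login", re.IGNORECASE)
# Log locations as quoted in the article.
LOG_PATHS = ("/logs/csc.log", "/log/validationError.log")

# Constructed sample lines (NOT real Sophos log output) used to exercise the scanner.
CONSTRUCTED_SAMPLE = """\
2023-01-10 08:14:02 INFO  csc: userportal login request user=alice status=ok
2023-01-10 08:15:44 WARN  csc: userportal login request user=bob the_discriminator={...} status=captcha_failed
2023-01-10 08:16:01 INFO  csc: webadmin login request user=admin status=ok
2023-01-10 08:17:30 WARN  csc: config validation error field=the_discriminator
"""


def find_indicator_hits(lines: Iterable[str], require_login_context: bool = True) -> List[Tuple[int, str]]:
    """Return (line_number, line) for every line containing the indicator.

    With require_login_context=True only lines that also look like a login
    request are reported, matching the article's description of the IoC.
    """
    hits: List[Tuple[int, str]] = []
    for number, line in enumerate(lines, start=1):
        if INDICATOR not in line:
            continue
        if require_login_context and not LOGIN_CONTEXT.search(line):
            continue
        hits.append((number, line.rstrip("\n")))
    return hits


def scan_log_file(path: str, require_login_context: bool = True) -> List[Tuple[int, str]]:
    """Scan one log file; a missing file yields no hits rather than an exception."""
    log_path = Path(path)
    if not log_path.is_file():
        return []
    with log_path.open(encoding="utf-8", errors="replace") as handle:
        return find_indicator_hits(handle, require_login_context)


def scan_all(paths: Iterable[str] = LOG_PATHS) -> dict:
    """Scan every configured log path and map path -> list of hits."""
    return {path: scan_log_file(path) for path in paths}


if __name__ == "__main__":
    # Demonstrate on the constructed sample, then on the real paths (if present).
    for number, line in find_indicator_hits(CONSTRUCTED_SAMPLE.splitlines()):
        print(f"sample line {number}: possible CVE-2022-3236 attempt -> {line}")
    for path, hits in scan_all().items():
        status = f"{len(hits)} suspicious line(s)" if hits else "no hits or file absent"
        print(f"{path}: {status}")
    # As the article notes, a hit shows an attempt, not whether it succeeded.
```

A hit marks an exploitation attempt only; as the researchers point out, the log files alone cannot tell you whether the attempt succeeded, so any match should trigger a follow-up review of the device rather than be treated as a confirmed compromise.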

The good news is that during authentication to the web client, the attacker needs to complete a CAPTCHA, making mass attacks highly unlikely. Targeted attacks are still very much a possibility, however. 

“The vulnerable code is only reached after the CAPTCHA is validated. A failed CAPTCHA will result in the exploit failing. While not impossible, programmatically solving CAPTCHAs is a high hurdle for most attackers. Most Internet-facing Sophos Firewalls appear to have the login CAPTCHA enabled, which means, even at the most opportune times, this vulnerability was unlikely to have been successfully exploited at scale,” the researchers concluded. 

Via: ArsTechnica

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.