Sophos was forced to backport a security update for CVE-2022-3236 for end-of-life firewall firmware versions after discovering hackers actively exploiting the flaw in attacks.
The flaw is a code injection problem in the User Portal and Webadmin of Sophos Firewall, allowing remote code execution.
Sophos fixed the security issue in September 2022 when it warned about active exploitation in the wild, impacting versions 19.0.1 and older.
Although the vendor rolled the hotfix out automatically to appliances configured to auto-accept security updates, by January 2023 over 4,000 internet-exposed appliances remained vulnerable to attacks.
Many of these were older devices running end-of-life firmware, whose administrators had to apply mitigations or install the hotfix manually, and hackers have taken advantage of this gap.
If the auto-update option for hotfixes has been disabled, it is recommended to enable it and then follow this guide to verify that the hotfix has been applied.
The backported hotfix covers the following end-of-life versions: v18.5 GA, MR1, MR1-1, MR2, MR3, and MR4; and v17.0 MR10. If you are using an even older version of the Sophos Firewall, you are advised to upgrade to one of the releases listed above.
For cases where updating is impossible, the recommended workaround is to restrict WAN access to the User Portal and Webadmin by following these instructions and instead use VPN or Sophos Central for remote access and management.
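One way to confirm that the workaround above actually took effect is to test, from a host outside your network, whether the management services still answer on the firewall's WAN address. The following script is an added example written for this article and is not Sophos tooling; it assumes the default listener ports (Webadmin on TCP/4444, User Portal on TCP/443) and a constructed example WAN IP from the documentation range, so substitute your own appliance's address and any non-default ports you have configured.

```python
"""Check from outside the network whether a Sophos Firewall's User Portal and
Webadmin are reachable on the WAN interface.

Added example, not Sophos's own tooling. Port numbers are assumed defaults
(Webadmin TCP/4444, User Portal TCP/443); confirm them against your appliance.
Run this only against a firewall you administer.
"""
import socket
from typing import Callable, Dict, List

# Assumed default listeners for the two services named in the advisory.
MANAGEMENT_SERVICES: Dict[str, int] = {
    "Webadmin": 4444,
    "User Portal": 443,
}

# A connector takes (host, port, timeout) and reports whether a TCP
# handshake completed. Injecting it lets the logic be tested offline.
Connector = Callable[[str, int, float], bool]


def tcp_connect(host: str, port: int, timeout: float) -> bool:
    """Return True if a TCP connection to host:port is accepted."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, filtered, or timed out: the service is not reachable.
        return False


def check_wan_exposure(
    wan_ip: str,
    timeout: float = 3.0,
    connector: Connector = tcp_connect,
    services: Dict[str, int] = MANAGEMENT_SERVICES,
) -> Dict[str, bool]:
    """Map each management service to whether it accepted a connection."""
    return {name: connector(wan_ip, port, timeout) for name, port in services.items()}


def exposed_services(results: Dict[str, bool]) -> List[str]:
    """Return the names of services that were reachable, sorted for stable output."""
    return sorted(name for name, reachable in results.items() if reachable)


if __name__ == "__main__":
    import sys

    # Constructed example address (TEST-NET-3); pass your own WAN IP as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.10"
    results = check_wan_exposure(target)
    for name, reachable in results.items():
        state = "REACHABLE from WAN, restrict access" if reachable else "not reachable"
        print(f"{name:12s}: {state}")
    if exposed_services(results):
        sys.exit(1)  # non-zero so the check can fail a scheduled job
```

A non-zero exit when anything is reachable makes the script usable as a recurring check after the WAN access rules are changed, so a later configuration drift that re-exposes the admin interface is noticed rather than discovered by an attacker.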
This Cyber News was published on www.bleepingcomputer.com. Publication date: Tue, 12 Dec 2023 17:30:13 +0000