Sophos resolved a 0-day vulnerability in Sophos firewall upon security researchers discovered that attackers are exploiting the firewall in the wild. The flaw tracked under the identification number CVE-2022-3236 is a code injection vulnerability in the User Portal and Webadmin components of the Sophos firewall. Attackers abuse this code injection vulnerability to perform remote code execution on the vulnerable versions of Sophos firewall. Since the flaw lice in the outer access layer of the firewall and assigned a CVSS score of 9.8, which is considered critical, it is important to fix the CVE-2022-3236 as soon as possible. Let’s see how to fix CVE-2022-3236, a 0-day RCE vulnerability in Sophos firewall, in this post.
A short note about Sophos Firewall:
Sophos Firewall is a powerful, enterprise-grade security solution that helps protect businesses of all sizes from online threats. It offers advanced features such as application control, intrusion prevention, and web filtering to give businesses the protection they need against today’s sophisticated cyber attacks. Sophos Firewall is available in both hardware and software versions, so businesses can choose the option that best fits their needs.
Summary of CVE-2022-3236:
This is a code injection vulnerability in the User Portal and Webadmin components of the Sophos firewall that could be abused by remote attackers to execute arbitrary code on the vulnerable versions of Sophos firewalls.
The flaw is tracked under the CVE ID CVE-2022-3236 and has been assigned a CVSS score of 9.8 out of 10 on the scale. Let’s see the vulnerability vector in the below table.
|Associated CVE ID
|A RCE Vulnerability in Sophos Firewall
|Associated ZDI ID
|Attack Vector (AV)
|Attack Complexity (AC)
|Privilege Required (PR)
|User Interaction (UI)
Sophos Firewall Versions Affected by CVE-2022-3236
As per the advisory, all the firewalls less than or equal to v19.0 MR1 (19.0.1) are vulnerable to the flaw and require action against the vulnerability to protect from advisories.
Vulnerable Versions: v19.0 MR1 (19.0.1) or older.
How to Fix CVE-2022-3236- A RCE Vulnerability in Sophos Firewall?
Sophos has responded to this 0-day RCE vulnerability by releasing a patch and hotfixes for older versions of the firmware. The vendor released versions v18.5 MR5 (18.5.5), v19.0 MR2 (19.0.2), and v19.5 GA with the fix. We recommend upgrading your firmware to v18.5 MR5 (18.5.5), v19.0 MR2 (19.0.2), and v19.5 GA to fix the CVE-2022-3236 vulnerability permanently.
Sophos has released the hotfix for the older firmware that doesn’t support the upgrade.
- v19.0 GA, MR1, and MR1-1
- v18.5 GA, MR1, MR1-1, MR2, MR3, and MR4
- v18.0 MR3, MR4, MR5, and MR6
- v17.5 MR12, MR13, MR14, MR15, MR16, and MR17
- v17.0 MR10
Note: Please refer to this retirement calendar, version compatibly of firmware version, and prechecks before you begin the upgradation process. Please don’t download from untrusted sources or any third party. We urge you to download the Sophos firewall firmware only from the Sophos Licensing Portal. If you are running the Sophos firewall in HA mode, refer to this KB to upgrade in HA mode.
No action is required for Sophos Firewall on which the “Allow automatic installation of hotfixes” feature is enabled. See how to enable auto installation of hotfixes below. Enabled is the default setting.
- Go to Backup & firmware > Firmware > Hotfix.
- Turn on Allow automatic installation of hotfixes.
- Click Apply.
How Do You Verify HotFix for CVE-2022-3236 is Applied on Your Sophos Firewall?
To verify whether hotfix is applied to your firewall. Run this command on the CLI console. If the hotfix is installed on your firewall, you will see HF092122.1 or a later value in Hotfix Tag, as shown in the below picture.
system diagnostic show version-info
Since this flaw is actively being exploited, it is necessary to fix the flaw as soon as you can, especially if your firewall is placed internet-facing and made accessible from the public network. If you are not in a position to fix the CVE-2022-3236 vulnerability anytime soon. We recommend restricting WAN access to the User Portal and Webadmin of the firewall or configuring the interface behind a VPN firewall so that only concerned people will only have access to the User Portal until the patch or hotfix is applied.
Tips for implementing the firewall with better security:
- Restrict access to Local services on the public network: Local services are management services specific to the internal functioning of Sophos Firewall, such as web admin and CLI consoles and authentication services. You can allow or block access to local services from Administration > Device access. Or, Create a local service ACL exception rule allowing specific source IP addresses to access the console from the WAN zone.
- Change the default access credentials and port: It should be the first step to change the default credentials, that is, admin/admin and default port 8443.
- Use key-based authentication instead of username and password authentication: Configure the public key authentication in Administration > Device access.
- Enable Multi-factor authentication: Configure MFA using hardware or software tokens