
Sophos has released patches for three critical security vulnerabilities in its widely used network security product, Sophos Firewall. The flaws posed significant risks, including remote code execution and privilege escalation.
CVE-2024-12727: Pre-Authentication SQL Injection
This vulnerability, with a CVSS score of 9.8, involves the email protection feature of Sophos Firewall. If a specific configuration of Secure PDF eXchange (SPX) was enabled and the firewall was operating in High Availability (HA) mode, an attacker could exploit it without authenticating to access the reporting database. This could lead to remote code execution, allowing the attacker to take control of the affected system.
CVE-2024-12728: SSH Login Passphrase Reuse
This vulnerability, with a CVSS score of 9.8, stemmed from the reuse of a non-random SSH login passphrase during the initialization of an HA cluster. If SSH was enabled, this flaw could expose a privileged system account, potentially giving attackers elevated access to the system.
CVE-2024-12729: Post-Authentication Code Injection
This vulnerability, with a CVSS score of 8.8, is a post-authentication bug that affected the User Portal. Authenticated users could exploit this flaw to inject and execute arbitrary code, potentially compromising the security of the system and enabling further malicious activity.
Resolution and Recommendations
Sophos has released hotfixes to address these vulnerabilities. Users are strongly advised to update their Sophos Firewall devices to the latest versions to protect against these risks. Keeping the firewall up to date is crucial for maintaining the integrity and security of the network.

