Sophos, a UK-based security vendor, has addressed a critical vulnerability in its Sophos Firewall product after an external security researcher responsibly disclosed it through the Sophos bug bounty program.
Sophos Firewall v18.5 MR3 (18.5.3) and older are affected by the flaw. Sophos has released hotfixes that are installed automatically on firewalls with automatic hotfix installation enabled (the default setting), so most users/administrators should already have received them.
A. Nature of the Vulnerability
An authentication bypass vulnerability (CVE-2022-1040) in the User Portal and Webadmin of Sophos Firewall allows a remote, unauthenticated attacker to execute arbitrary code on the firewall. Sophos Firewall v18.5 MR3 (18.5.3) and older are affected; the hotfix supersedes this and is included in later releases.
B. Actions to be Taken
CERT-PH recommends the following actions be taken:
- As per Sophos, the hotfix is rolled out automatically to Sophos Firewall customers with the "Allow automatic installation of hotfixes" feature enabled. This setting is enabled by default.
- To verify that the hotfix was applied properly, follow the verification instructions provided by Sophos in the official advisory.
- Note: Users/administrators who cannot apply the hotfix (for example, because automatic hotfix installation is disabled, or the firewall runs a version that no longer receives hotfixes) should apply the workaround below to protect their network and systems.
- Disable WAN access to the User Portal and Webadmin by following device access best practices, and use VPN and/or Sophos Central for remote access and management instead. Note that the hotfix does not remove the need for this hardening: exposing administrative interfaces to the Internet remains a risk regardless of this particular flaw.
- Proactively monitor the identified systems and devices for suspicious or malicious activity and secure them accordingly.
- In addition, provide employees with cybersecurity awareness training to minimize the organization's attack surface.
- For additional information, refer to the official advisory (https://www.sophos.com/en-us/security-advisories/sophos-sa-20220325-sfos-rce)
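The workaround above is applied in the Webadmin device access settings, but an administrator should also confirm from outside the network that the change actually took effect. The following script is an added example written for this advisory, not Sophos' or CERT-PH's own tooling: it performs a plain TCP connection test against the firewall's WAN address on the assumed SFOS default service ports (Webadmin on tcp/4444 and User Portal on tcp/443) and reports which management surfaces are still reachable. The port numbers, the function names and the placeholder WAN address are assumptions for the example; adjust the ports if the deployment uses custom ones.

```python
"""Check whether Sophos Firewall management surfaces are reachable from the WAN.

Added example for the CERT-PH advisory; not code from Sophos or CERT-PH.
Run it from a host OUTSIDE the protected network (e.g. a cloud VM), otherwise
the result only reflects LAN-side access, which the workaround does not change.
"""
import socket
import sys
from typing import Dict, List, Optional

# Assumed SFOS default listening ports (assumption for this example; verify
# against your own device access configuration).
DEFAULT_SERVICES: Dict[str, int] = {
    "Webadmin": 4444,     # administrative console over HTTPS
    "User Portal": 443,   # end-user portal over HTTPS
}


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP handshake to host:port completes within timeout.

    A completed handshake means a listener is accepting connections on that
    port; it does not prove which application is behind it.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except (OSError, socket.timeout):
        # Connection refused, filtered (timeout), unreachable host, etc.
        return False


def check_exposure(
    wan_ip: str,
    services: Optional[Dict[str, int]] = None,
    timeout: float = 3.0,
) -> Dict[str, bool]:
    """Probe each management service on the WAN address; True means exposed."""
    services = services if services is not None else DEFAULT_SERVICES
    return {name: tcp_reachable(wan_ip, port, timeout) for name, port in services.items()}


def exposed_services(results: Dict[str, bool]) -> List[str]:
    """Names of the services that answered on the WAN, sorted for stable output."""
    return sorted(name for name, reachable in results.items() if reachable)


if __name__ == "__main__":
    # Placeholder WAN address from the TEST-NET-3 documentation range (assumption).
    target = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.10"
    results = check_exposure(target)
    for name, reachable in results.items():
        status = "EXPOSED on WAN" if reachable else "not reachable"
        print(f"{name:12s} tcp/{DEFAULT_SERVICES[name]}: {status}")
    if exposed_services(results):
        print("Action: remove the WAN zone from Device access for these services; "
              "use VPN or Sophos Central for remote management instead.")
        sys.exit(1)
```

A non-zero exit code makes the script usable as a recurring check in a scheduler or CI job after each configuration change. Keep in mind that an open port is evidence, not proof, that the firewall service is exposed (a port-forward or another device could answer on the same port), and that a closed result from inside the LAN says nothing about Internet exposure.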