Thousands of Sophos servers are vulnerable to this dangerous exploit

Cybersecurity researchers from VulnCheck have claimed that thousands of internet-exposed servers are running a Sophos Firewall version affected by a high-severity vulnerability that allows threat actors to execute code remotely.
The company recently published a report which said that a quick scan of Shodan turned up more than 4,400 internet-exposed Sophos Firewall instances vulnerable to CVE-2022-3236.
With a severity rating of 9.8, this is a code injection vulnerability that allows threat actors to use the User Portal and Webadmin interfaces to deliver and run malware. The vulnerability became public in September 2022, when a hotfix was released. Soon after, Sophos released a complete patch and urged users to apply it immediately.
Now, about four months later, there are still more than 4,000 firewalls that have not applied the patch, accounting for about 6% of all internet-connected Sophos Firewall instances, the researchers said.
“Over 99% of the Internet-connected Sophos Firewalls have not yet been upgraded to a version containing the official fix for CVE-2022-3236,” the announcement read. “But about 93% are running versions eligible for the hotfix, and the default behavior of the firewall is to automatically download and apply the fixes (unless disabled by the administrator). It is likely that almost all servers eligible for the hotfix have received a fix, although the error still occurs. That still leaves more than 4,000 firewalls (or about 6% of Sophos Firewalls connected to the Internet) running versions that do not receive hotfixes and are therefore vulnerable.”
None of this is purely theoretical, either. The researchers say they have built a working exploit, a warning that if they can do it, so can hackers. In fact, some may already have, which is why VulnCheck shares two indicators of compromise: the log files found in /logs/csc.log and /log/validationError.log. If either of these contains the the_discriminator field in a login request, it is very likely that someone tried to exploit the vulnerability. However, the log files cannot be used to determine whether the attempt was successful.
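A defender-side way to act on the indicator described above: the following is an added example (not VulnCheck's or Sophos's tooling) that scans the two log files named in the report for login requests carrying the_discriminator and reports when and from which client each attempt came. The timestamp and client-IP layout of the sample lines is constructed for illustration; real csc.log lines may be laid out differently, so adjust the regexes to your own logs.

```python
"""Scan Sophos Firewall logs for the CVE-2022-3236 indicator VulnCheck
describes: a login request carrying a ``the_discriminator`` field.
Added example; the sample log layout below is constructed, not real output."""
import re
from pathlib import Path
from typing import Iterable, List, Dict

INDICATOR = "the_discriminator"
LOG_FILES = ["/logs/csc.log", "/log/validationError.log"]  # paths from the report
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}:\d{2})")  # assumed layout
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")              # first IPv4 seen


def scan_lines(lines: Iterable[str], source: str) -> List[Dict[str, object]]:
    """Return one finding per line that mentions the indicator."""
    findings = []
    for n, line in enumerate(lines, 1):
        if INDICATOR not in line:
            continue
        ts = TS_RE.match(line)
        ip = IP_RE.search(line)
        findings.append({"file": source, "line": n,
                         "timestamp": ts.group(1) if ts else "",
                         "client": ip.group(1) if ip else "",
                         "raw": line.rstrip()})
    return findings


def scan_files(paths=LOG_FILES) -> List[Dict[str, object]]:
    """Scan every listed log file that exists; missing files are skipped."""
    found = []
    for p in paths:
        path = Path(p)
        if path.is_file():
            with path.open(errors="replace") as fh:
                found.extend(scan_lines(fh, p))
    return found


# Constructed sample lines (not real Sophos output) to exercise the scanner.
SAMPLE = [
    "2023-01-19 10:01:02 userportal login request from 203.0.113.7 user=admin",
    '2023-01-19 10:01:09 userportal login request from 198.51.100.22 body={"the_discriminator":"..."}',
    "2023-01-19 10:02:00 captcha validation failed for 198.51.100.22",
]

if __name__ == "__main__":
    # Use the real log files when present, otherwise the constructed sample.
    for f in scan_files() or scan_lines(SAMPLE, "sample"):
        print(f"{f['file']}:{f['line']} {f['timestamp']} client={f['client']}")
    print("A hit shows an exploitation attempt, not whether it succeeded.")
```

As the report notes, a hit only proves an attempt; confirming success requires other evidence, such as a firewall version check and review of the hotfix status.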
The good news is that during authentication with the web client, an attacker needs to complete a CAPTCHA, making mass attacks very unlikely. However, targeted attacks are still very likely.
“Vulnerable code is reached only after the CAPTCHA is validated. A failed CAPTCHA will result in a failed exploit. Although not impossible, programmatically solving CAPTCHAs is a major obstacle for most attackers. Most Sophos Firewalls that connect to the Internet appear to have login CAPTCHAs enabled, which means that, even at the most opportune times, this vulnerability is unlikely to be successfully exploited on a large scale,” the researchers concluded.
Via: ArsTechnica