Sophos has issued important hotfixes to address three critical security flaws discovered in its firewall products. These vulnerabilities have the potential to enable remote code execution and allow unauthorized privileged system access under specific conditions. Significantly, two out of the three identified flaws have been rated as Critical in severity. However, there is currently no evidence that these security gaps have been exploited maliciously in the wild. The identified vulnerabilities are listed under the following CVEs: CVE-2024-12727, CVE-2024-12728, and CVE-2024-12729. Their potential impact ranges from remote code execution to compromise through weak credentials.
Detailed Breakdown of Vulnerabilities
Among the identified vulnerabilities, CVE-2024-12727 poses a severe threat with a CVSS score of 9.8. This pre-auth SQL injection vulnerability resides within the email protection feature and becomes critical if a specific configuration of Secure PDF eXchange (SPX) is enabled while the firewall operates in High Availability (HA) mode. This could potentially lead to remote code execution and severe system compromise. Similarly severe, CVE-2024-12728 also holds a CVSS score of 9.8 and stems from the use of a non-random and suggested SSH login passphrase for HA cluster initialization. This weakness remains active even after HA establishment, thus exposing accounts to privileged access risks if SSH is enabled.
On the other hand, CVE-2024-12729, although slightly less critical with a CVSS score of 8.8, presents a significant danger. This post-auth code injection vulnerability is located in the User Portal and allows authenticated users to achieve remote code execution. Separately, the security vendor has reported the extent of the impact, noting that CVE-2024-12727 affects about 0.05% of devices, while CVE-2024-12728 impacts approximately 0.5%. Collectively, all these vulnerabilities are present in Sophos Firewall versions 21.0 GA (21.0.0) and older.
Hotfix Implementation and Recommendations
In response to these vulnerabilities, Sophos has promptly released hotfixes that offer remediation for the flaws across various software versions. For CVE-2024-12727, the affected versions include v21 MR1 and newer, with hotfixes available for versions ranging from v21 GA to v19.0 MR2. CVE-2024-12728 has been remediated in versions v20 MR3, v21 MR1, and newer, along with hotfixes spanning from v21 GA to v19.0 MR2. Meanwhile, CVE-2024-12729 sees remediation in versions v21 MR1 and newer, with hotfixes provided for versions from v21 GA to v19.0 MR3.
To verify that these hotfixes have been successfully applied, users are advised to execute specific commands within the Sophos Firewall console. For CVE-2024-12727, users should launch Device Management > Advanced Shell and run the command “cat /conf/nest_hotfix_status”. The hotfix is confirmed applied if the returned value is 320 or above. For both CVE-2024-12728 and CVE-2024-12729, users are required to access the Device Console and run “system diagnostic show version-info”. Here, the hotfix application is confirmed if the value is HF120424.1 or later.
Sophos urges users to apply these hotfixes promptly to mitigate potential risks and ensure the security of their systems. It is crucial for users to stay updated with the latest security patches and follow best practices for maintaining robust cybersecurity defenses.