SECURITY ALERTS

Multiple Vulnerabilities (CVE-2022-1040) in Sophos Firewall Allow for Arbitrary Code Execution

DESCRIPTION:
An authentication bypass vulnerability (CVE-2022-1040) was discovered in the User Portal and Webadmin of Sophos Firewall, allowing attackers to bypass system controls and perform remote code execution with administrative permissions.

 

AFFECTED RELEASES:
Sophos Firewall prior to 18.5 MR3

 

SOLUTION:
1. Users and system administrators of affected products are advised to apply the security updates immediately from the following URL: 
https://www.sophos.com/en-us/security-advisories/sophos-sa-20220325-sfos-rce
2. If you continue to use an older version, log in to the control panel and enable “Allow automatic installation of hotfixes”. Once automatic hotfix installation is enabled, Sophos Firewall checks for hotfixes every thirty minutes and after any restart.
3. Disable WAN access to the User Portal and Webadmin. Use VPN and/or Sophos Central for remote access and management instead, so that the User Portal and Webadmin are not exposed to the WAN.

 

REFERENCE:
1. https://www.sophos.com/en-us/security-advisories/sophos-sa-20220325-sfos-rce
2. https://nvd.nist.gov/vuln/detail/CVE-2022-1040
3. https://www.bleepingcomputer.com/news/security/critical-sophos-firewall-vulnerability-allows-remote-code-execution/
 
