Sophos, a global leader in cybersecurity, has disclosed three critical vulnerabilities in its Sophos Firewall product, warning that these flaws could be exploited by remote, unauthenticated threat actors to compromise system security. These vulnerabilities, affecting Sophos Firewall version 21.0 GA (21.0.0) and earlier versions, have prompted the company to issue hotfixes and firmware updates as part of its ongoing effort to secure its products and protect its customers.
The Identified Vulnerabilities
The vulnerabilities have been categorized as follows:
- CVE-2024-12727: SQL Injection Leading to Potential Remote Code Execution (RCE)
- This pre-authentication SQL injection vulnerability is present in the email protection feature of the firewall.
- Exploitation is possible only when Secure PDF Exchange (SPX) is enabled alongside High Availability (HA) mode. An attacker could leverage this configuration to access the reporting database and potentially execute arbitrary code remotely.
- Impact: Approximately 0.05% of Sophos Firewall devices with this specific configuration are affected.
- CVE-2024-12728: Predictable SSH Passphrase Vulnerability
- The HA cluster initialization process generates a non-random SSH passphrase, which remains active after setup completion. If exploited, this could allow attackers unauthorized SSH access, provided the service is enabled on the firewall.
- Impact: This flaw affects an estimated 0.5% of devices, particularly those where the default SSH settings have not been modified.
- CVE-2024-12729: Code Injection in User Portal
- This vulnerability allows authenticated users with valid credentials to execute arbitrary code remotely via a flaw in the User Portal. Such exploitation could result in privilege escalation or further attacks on the device.
- Impact: This vulnerability underscores the importance of access management for privileged systems.
Fixes and Security Updates
Sophos has been quick to respond to these vulnerabilities, issuing automatic hotfixes to affected systems and embedding permanent fixes in newer firmware releases. These updates include:
- Hotfixes: Delivered automatically between late November and December 2024 for all supported versions of Sophos Firewall.
- Permanent Fixes: Incorporated in firmware version 21 MR1 and later releases. Administrators are encouraged to update their systems to the latest firmware to ensure long-term protection.
Recommended Workarounds and Mitigation Strategies
In addition to the updates, Sophos has recommended several best practices for mitigating risks associated with these vulnerabilities:
- For CVE-2024-12728:
- Restrict SSH access strictly to the dedicated HA link, ensuring it is physically segregated from other network traffic.
- Reconfigure the HA cluster setup using a sufficiently long, random passphrase.
- Disable SSH over the WAN interface and rely on Sophos Central or VPN solutions for remote management.
- For CVE-2024-12729:
- Prevent exposure of the User Portal and Webadmin interfaces to WAN traffic. These interfaces should be accessible only from trusted, internal networks.
Cybersecurity Community Implications
These vulnerabilities highlight the ongoing risks posed by misconfigurations and weaknesses in critical network infrastructure. While the number of affected devices may appear small—0.05% and 0.5% of devices for CVE-2024-12727 and CVE-2024-12728, respectively—the potential impact of exploitation is significant. Threat actors could use these flaws to gain unauthorized access to sensitive systems, escalate privileges, and disrupt operations.
Sophos’ quick response in releasing hotfixes and permanent patches demonstrates the importance of proactive vendor action in the face of emerging threats. Organizations using Sophos Firewall are strongly advised to apply the recommended updates and review their configurations to ensure optimal security.
Broader Lessons for Cybersecurity Professionals
This incident is a reminder for cybersecurity teams to adopt a proactive approach to managing vulnerabilities in network devices. Key lessons include:
- Regular Firmware Updates: Staying up-to-date with the latest patches and fixes is critical for minimizing exposure to emerging threats.
- Access Control: Limiting access to sensitive administrative interfaces, like the User Portal and Webadmin, significantly reduces the risk of unauthorized exploitation.
- Configuration Hardening: Default settings and credentials should always be replaced with secure, custom configurations.
Organizations should also maintain robust monitoring practices to detect and respond to potential exploits promptly.
Call to Action for Administrators
Sophos Firewall users should take the following steps immediately:
- Ensure all devices are running the latest firmware version (21 MR1 or newer).
- Validate that the provided hotfixes have been successfully applied.
- Implement the recommended mitigations for SSH access and interface exposure.
For step-by-step guidance, administrators can refer to Sophos’ official knowledge base article KBA-000010084 for further instructions.
Final Thoughts
As cyber threats evolve, vendors and organizations must work together to address vulnerabilities swiftly and effectively. Sophos’ handling of these flaws serves as a case study in vulnerability management, emphasizing the importance of rapid patching, transparent communication, and the implementation of best practices to secure critical systems.
For cybersecurity professionals, these vulnerabilities underscore the need for vigilance, regular audits, and a commitment to adopting industry-leading security measures. In an increasingly interconnected world, proactive defense remains the best strategy for mitigating the risks posed by evolving cyber threats.
Information security specialist, currently working as risk infrastructure specialist & investigator.
15 years of experience in risk and control process, security audit support, business continuity design and support, workgroup management and information security standards.
