Thousands of Sophos servers are vulnerable to this dangerous exploit

Cybersecurity researchers from VulnCheck have claimed thousands of internet-exposed servers running Sophos’ Firewall solution are vulnerable to a high-severity flaw that allows threat actors to remotely execute malware. 

The company recently published a report in which it says that after running a quick Shodan scan, found more than 4,400 internet-exposed servers with Sophos Firewall vulnerable to CVE-2022-3236.

With a severity rating of 9.8, the flaw is a code injection vulnerability that allows threat actors to use the User Portal and Webadmin to deliver and run malware. The vulnerability was publicized in September 2022 when a hotfix was released. Soon after, Sophos released a fully-fledged patch and urged its users to apply it immediately.

Working exploit

Now, some four months later, there are still more than 4,000 endpoints that haven’t applied the patch, making up some 6% of all Sophos firewall instances, the researchers said.

“More than 99% of Internet-facing Sophos Firewalls haven’t upgraded to versions containing the official fix for CVE-2022-3236,” the announcement reads. “But around 93% are running versions that are eligible for a hotfix, and the default behavior for the firewall is to automatically download and apply hotfixes (unless disabled by an administrator). It’s likely that almost all servers eligible for a hotfix received one, although mistakes do happen. That still leaves more than 4,000 firewalls (or about 6% of Internet-facing Sophos Firewalls) running versions that didn’t receive a hotfix and are therefore vulnerable.”

None of this is purely theoretical, either. The researchers said they built a working exploit warning that – if they could do it, so can the hackers. In fact, some might have done it already, which is why VulnCheck shared two indicators of compromise – log files found in /logs/csc.log, and /log/validationError.log. If any of these have the_discriminator field in a login request, chances are, someone tried to exploit the flaw. The log files can’t be used to determine if the attempt was successful or not, though. 

The good news is that during authentication to the web client, the attacker needs to complete a CAPTCHA, making mass attacks highly unlikely. Targeted attacks are still very much a possibility, however. 

“The vulnerable code is only reached after the CAPTCHA is validated. A failed CAPTCHA will result in the exploit failing. While not impossible, programmatically solving CAPTCHAs is a high hurdle for most attackers. Most Internet-facing Sophos Firewalls appear to have the login CAPTCHA enabled, which means, even at the most opportune times, this vulnerability was unlikely to have been successfully exploited at scale,” the researchers concluded. 

Via: ArsTechnica

Go to Source