Sophos has released patches for three vulnerabilities in its firewall products that, under specific configurations, could allow remote code execution and elevated system privileges.
Two of them are rated Critical; no evidence of in-the-wild exploitation has surfaced so far. The vulnerabilities are:
- CVE-2024-12727 (CVSS score: 9.8): A pre-auth SQL injection flaw within the email protection module, potentially leading to remote code execution when the Secure PDF eXchange (SPX) feature is activated alongside High Availability (HA) mode.
- CVE-2024-12728 (CVSS score: 9.8): A predictable SSH passphrase is used during HA cluster initialization; if it is not changed after setup and SSH remains enabled, it can give an attacker access to a privileged account.
- CVE-2024-12729 (CVSS score: 8.8): A post-authentication code injection flaw in the User Portal, empowering authenticated users to execute arbitrary code remotely.
Sophos says CVE-2024-12727 affects only about 0.05% of devices, while CVE-2024-12728 affects about 0.5%. All three vulnerabilities affect Sophos Firewall versions 21.0 GA (21.0.0) and earlier. Fixes are available in the following releases:
- CVE-2024-12727: Mitigated in versions 21 MR1 and subsequent releases (Hotfixes also available for earlier versions: 21 GA, 20 GA, 20 MR1, 20 MR2, 20 MR3, 19.5 MR3, 19.5 MR4, 19.0 MR2).
- CVE-2024-12728: Addressed in 20 MR3, 21 MR1, and later versions (Hotfixes for 21 GA, 20 GA, 20 MR1, 19.5 GA, and other minor releases).
- CVE-2024-12729: Fixed in 21 MR1 and beyond (Hotfixes for all major earlier versions).
Steps to Confirm Hotfix Installation
Users are encouraged to verify that the hotfixes have been applied by running the following commands on the Sophos Firewall:
- CVE-2024-12727: In the Advanced Shell, run
cat /conf/nest_hotfix_status
A value of 320 or higher indicates the hotfix has been applied.
- CVE-2024-12728 and CVE-2024-12729: In the Device Console, run
system diagnostic show version-info
The presence of HF120424.1 or later confirms the fix.
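The following is an added example, not code from Sophos or from the original article: a small Python script that applies the two checks above to command output captured from a firewall, which is useful when auditing many devices from saved console transcripts. It assumes hotfix IDs follow the HFMMDDYY.N pattern (so that they can be ordered by date, not just compared as strings), and the sample outputs it parses are constructed for illustration; the real layout of the version-info output may differ, so the parser only looks for HF tokens rather than relying on a fixed layout.

```python
"""Check saved Sophos Firewall console output against the hotfix
thresholds from the December 2024 advisory (added example, not Sophos code)."""
import re
from typing import Dict, Optional, Tuple

# Thresholds quoted in the advisory.
NEST_HOTFIX_MIN = 320        # from: cat /conf/nest_hotfix_status   (CVE-2024-12727)
HF_MIN = "HF120424.1"        # from: system diagnostic show version-info (CVE-2024-12728/12729)

# Assumption: hotfix IDs look like HFMMDDYY.N (month, day, two-digit year, sequence).
HF_RE = re.compile(r"\bHF(\d{2})(\d{2})(\d{2})\.(\d+)\b")


def nest_hotfix_ok(status_text: str) -> bool:
    """True if /conf/nest_hotfix_status contains an integer >= 320."""
    m = re.search(r"\d+", status_text)
    return m is not None and int(m.group()) >= NEST_HOTFIX_MIN


def parse_hf(tag: str) -> Optional[Tuple[int, int, int, int]]:
    """Parse 'HFMMDDYY.N' into a sortable (year, month, day, n) tuple, or None."""
    m = HF_RE.search(tag)
    if not m:
        return None
    mm, dd, yy, n = (int(x) for x in m.groups())
    return (2000 + yy, mm, dd, n)


def latest_hf(version_info: str) -> Optional[Tuple[int, int, int, int]]:
    """Return the newest hotfix tag found anywhere in the version-info output."""
    tags = [parse_hf(m.group(0)) for m in HF_RE.finditer(version_info)]
    return max(tags) if tags else None


def hf_ok(version_info: str) -> bool:
    """True if the newest hotfix present is HF120424.1 or later."""
    newest = latest_hf(version_info)
    return newest is not None and newest >= parse_hf(HF_MIN)


def assess(status_text: str, version_info: str) -> Dict[str, bool]:
    """Map each CVE from the advisory to whether its fix is confirmed present."""
    hf_present = hf_ok(version_info)
    return {
        "CVE-2024-12727": nest_hotfix_ok(status_text),
        "CVE-2024-12728": hf_present,
        "CVE-2024-12729": hf_present,
    }


if __name__ == "__main__":
    # Constructed sample captures; the real command output layout may differ.
    SAMPLE_STATUS = "320\n"
    SAMPLE_VERSION_INFO = (
        "Applied hotfixes:\n"
        "  HF092122.1\n"
        "  HF120424.1\n"
    )
    for cve, fixed in assess(SAMPLE_STATUS, SAMPLE_VERSION_INFO).items():
        print(f"{cve}: {'hotfix present' if fixed else 'NOT patched'}")
```

Because the comparison is done on a (year, month, day, sequence) tuple, a tag such as HF100124.2 (October 2024) is correctly reported as older than HF120424.1 even though it would sort after it as a plain string in some positions; a firewall with no HF token at all is reported as unpatched rather than silently passing.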
Interim Safeguards for Vulnerable Systems
Until the patches are applied, Sophos recommends the following precautionary measures:
- Limit SSH access exclusively to a physically separate, dedicated HA connection.
- Reconfigure HA with a robust and randomly generated custom passphrase.
- Disable WAN-based SSH access and ensure User Portal and Webadmin interfaces are not exposed to WAN.
This development follows the unsealing of U.S. charges against Guan Tianfeng, a Chinese national accused of exploiting CVE-2020-12271 (CVSS score: 9.8) to compromise approximately 81,000 Sophos firewalls globally.
Swift implementation of these fixes is imperative to thwart potential exploitation and safeguard critical systems.