VulnCheck’s Cybersecurity Researchers Claim Thousands of Internet-Exposed Servers Running Sophos Firewall Are Vulnerable
The solution is vulnerable to a high-severity flaw that allows threat actors to execute malware remotely.
The company recently published a report in which it said that more than 4,400 Sophos Firewall servers exposed to the Internet were found to be vulnerable to CVE-2022-3236 after running a quick Shodan scan.
The flaw, which has a severity rating of 9.8, is a code injection vulnerability in the User Portal and Webadmin interfaces that could allow threat actors to deliver and run malware. It was disclosed in September 2022 together with an initial patch; soon after, Sophos released a full patch and urged its users to apply it immediately.
Now, about four months later, more than 4,000 endpoints remain unpatched, or about 6 percent of all Sophos firewall instances, the researchers said.
“More than 99 percent of Sophos Internet-facing firewalls have not been upgraded to versions that include the official fix for CVE-2022-3236,” reads the advisory. “But about 93% of people are running the patch-eligible version, and the firewall’s default behavior is to automatically download and apply the patch (unless disabled by an administrator). It is likely that nearly all patch-eligible servers have received the patch, although bugs do happen. There are still more than 4,000 firewalls (approximately 6% of Internet-facing Sophos firewalls) running versions that have not received patches and are therefore vulnerable.”
None of this is pure theory. The researchers say they built a working exploit, and if they can do it, hackers can too. In fact, some may already have done so, which is why VulnCheck shares two indicators of compromise: the log files at /logs/csc.log and /log/validationError.log. If either of these contains the the_discriminator field in a login request, there is a good chance someone has tried to exploit the vulnerability. The log files cannot, however, be used to determine whether the attempt succeeded.
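A defender checking a firewall against the two indicators above would typically pull those log files and look for the the_discriminator field in login requests. The script below does exactly that; it is an added example written for this article, not VulnCheck's or Sophos's code. The log line format in the sample data is constructed for illustration and is an assumption, since the advisory only names the files and the field; the check itself is a case-insensitive substring match, so it does not depend on that format. As the article notes, a hit only shows an attempt, not a successful exploit.

```python
"""Scan Sophos Firewall log files for the CVE-2022-3236 attempt indicator.

Indicator (from the VulnCheck advisory): the field name "the_discriminator"
appearing in a login request logged to /logs/csc.log or /log/validationError.log.
"""
from collections import namedtuple

INDICATOR = "the_discriminator"
LOG_PATHS = ("/logs/csc.log", "/log/validationError.log")

# One flagged log entry: which file, which line number, and the raw text.
Hit = namedtuple("Hit", "path lineno line")


def scan_lines(path, lines):
    """Return a Hit for every line that contains the indicator string.

    The match is case-insensitive and format-agnostic, because the advisory
    only specifies the field name, not how each log file lays out a request.
    """
    hits = []
    for lineno, line in enumerate(lines, start=1):
        if INDICATOR in line.lower():
            hits.append(Hit(path, lineno, line.rstrip("\n")))
    return hits


def scan_file(path):
    """Scan one log file on disk; returns [] if the file is absent."""
    try:
        with open(path, "r", errors="replace") as fh:
            return scan_lines(path, fh)
    except FileNotFoundError:
        return []


def scan_all(paths=LOG_PATHS):
    """Scan every known indicator file and return all hits in order."""
    hits = []
    for path in paths:
        hits.extend(scan_file(path))
    return hits


def summarize(hits):
    """Count hits per file. A non-zero count means an attempt was seen;
    it says nothing about whether the attempt succeeded."""
    counts = {}
    for hit in hits:
        counts[hit.path] = counts.get(hit.path, 0) + 1
    return counts


# Constructed sample log lines (assumed format, not real Sophos output).
SAMPLE_CSC_LOG = [
    "2022-09-25 10:01:02 INFO userportal login request user=jdoe status=ok\n",
    "2022-09-25 10:03:44 WARN userportal login request fields=username,password,the_discriminator\n",
    "2022-09-25 10:05:10 INFO webadmin login request user=admin status=ok\n",
]
SAMPLE_VALIDATION_LOG = [
    "2022-09-25 10:03:44 ERROR validation failed for login request: unexpected field The_Discriminator\n",
    "2022-09-25 10:07:30 ERROR validation failed for login request: bad csrf token\n",
]


if __name__ == "__main__":
    # Run against the sample data; swap in scan_all() on a real host.
    sample_hits = scan_lines("/logs/csc.log", SAMPLE_CSC_LOG)
    sample_hits += scan_lines("/log/validationError.log", SAMPLE_VALIDATION_LOG)
    for hit in sample_hits:
        print(f"{hit.path}:{hit.lineno}: {hit.line}")
    print("attempts per file:", summarize(sample_hits))
```

On a live system, `scan_all()` reads the two paths named in the advisory and the match is intentionally loose; tighten it to your own log format once you have confirmed what a benign login request looks like in those files.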
The good news is that the attacker must complete a CAPTCHA during web client authentication, which makes a large-scale attack less likely. Targeted attacks, however, remain very possible.
“Access to the vulnerable code is only possible after verifying the captcha. A failing CAPTCHA will cause the exploit to fail. While not impossible, solving the CAPTCHA programmatically is a high hurdle for most attackers. Most Internet-facing Sophos firewalls appear to have login captchas enabled, which means that, even at the best of times, this vulnerability is unlikely to be successfully exploited on a large scale,” the researchers concluded.
Via: Ars Technica