Security

More Than 4,400 Sophos Firewall Servers Remain Vulnerable To Critical Exploits (arstechnica.com)

More than 4,400 Internet-exposed servers are running versions of the Sophos Firewall that are vulnerable to a critical exploit allowing hackers to execute malicious code, a researcher has warned. From a report: CVE-2022-3236 is a code-injection vulnerability allowing remote code execution in the User Portal and Webadmin of Sophos Firewalls. It carries a severity rating of 9.8 out of 10. When Sophos disclosed the vulnerability last September, the company warned it had been exploited in the wild as a zero-day. The security company urged customers to install a hotfix and, later on, a full patch to prevent infection.

According to recently published research, more than 4,400 servers running the Sophos firewall remain vulnerable. That accounts for about 6 percent of all Sophos firewalls, security firm VulnCheck said, citing figures from a search on Shodan. "More than 99% of Internet-facing Sophos Firewalls haven't upgraded to versions containing the official fix for CVE-2022-3236," VulnCheck researcher Jacob Baines wrote. "But around 93% are running versions that are eligible for a hotfix, and the default behavior for the firewall is to automatically download and apply hotfixes (unless disabled by an administrator). It's likely that almost all servers eligible for a hotfix received one, although mistakes do happen. That still leaves more than 4,000 firewalls (or about 6% of Internet-facing Sophos Firewalls) running versions that didn't receive a hotfix and are therefore vulnerable."

  • 93% eligible? (Score:3, Insightful)

    by Train0987 ( 1059246 ) on Wednesday January 18, 2023 @12:07PM (#63219792)

    Why are only 93% of the devices eligible for the 9.8 severity fix? Are they just too old? That really shouldn't matter for a 9.8 on devices that are open on the internet by definition.

    Also who in their right mind leaves their mission-critical firewall configured to automatically install updates?

    • Re:93% eligible? (Score:5, Informative)

      by PsychoSlashDot ( 207849 ) on Wednesday January 18, 2023 @01:39PM (#63220108)

      Why are only 93% of the devices eligible for the 9.8 severity fix? Are they just too old?

      The article is incredibly poorly written, and clickbait as well. But... it's all in definitions.

      Sophos XG has - like most others - major releases and minor releases.

      A baked-in fix is included in 18.5.5, 19.0.2 and 19.5 GA.

      Older hardware is stuck at the 17.0 and 17.5 software version, due to increased memory required by 18.0 and newer. 17.0 went EOL August 2020 and 17.5 went EOL November 30, 2021.

      But... hotfixes exist that will apply automatically by default for anyone running the last two releases of 19.0, the last six releases of 18.5, the last four releases of 18.0, the last six releases of 17.5, and the last release of 17.0.

      The point is that some of the oldest devices can't upgrade to the 18.5 family to get the baked-in fix. But they absolutely should be applying a hotfix automatically... which Sophos released a year (or two) after the EOL of the given OS version.

      That really shouldn't matter for a 9.8 on devices that are open on the internet by definition.

      It turns out it doesn't matter. Sophos went out of their way to provide a hotfix even to units that are EOL.

      Also who in their right mind leaves their mission-critical firewall configured to automatically install updates?

      Again, definitions. Sophos XG units don't automatically apply OS updates. If you have them at 19.0.1, they'll stay at 19.0.1 forever unless you update them. But a hotfix is a special kind of update that Sophos can push to units to address this kind of urgent, game-stopping RCE. Typically I'd say we see a hotfix get shoved out every year or two. They're rare. They don't modify major OS features, just close urgent security holes. And you can - if you're unwise - disable them.

      So in summary, this is all a nothingburger. The 7% of devices that can't get the in-the-OS-image update are all EOL and even they should have automatically applied a hotfix that persists unless you reinstall the OS from scratch (and then it'd get re-pushed shortly after). The only firewalls that won't be protected are either: a) run by people who shut off hotfixes or b) are running firmwares that are multiple years old because the admin hasn't even remotely bothered to keep them up-to-date.
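The summary above draws the distinction between firewalls running a release with the official fix and firewalls that merely qualified for the auto-applied hotfix, and the comment above spells out which releases fall where (fix baked into 18.5.5, 19.0.2 and 19.5 GA; hotfix eligibility on the 17.0, 17.5, 18.0, 18.5 and 19.0 branches). The script below is an added example, not code from Slashdot, Ars Technica, VulnCheck or Sophos. It turns that version logic into an inventory triage: given a list of (host, version string) pairs such as you might export from your own asset inventory, it marks each as fixed, hotfix-dependent, unsupported or unknown. The version parsing (leading "major.minor[.patch]" with an ignored "MR-n"/"GA" suffix), the hostnames and version strings in the sample inventory, and the decision to treat whole branches as hotfix-eligible (the page does not give the oldest eligible release within each branch) are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Releases that carry the baked-in fix for CVE-2022-3236, as listed in the
# comment above: 18.5 MR5 (18.5.5), 19.0 MR2 (19.0.2) and 19.5 GA (19.5.0).
# Keyed by (major, minor) branch -> first fixed patch level in that branch.
FIXED_IN_BRANCH: Dict[Tuple[int, int], int] = {
    (18, 5): 5,
    (19, 0): 2,
    (19, 5): 0,
}

# Branches the comment says received an automatically applied hotfix. The
# page does not give the oldest hotfix-eligible release within each branch,
# so this example (by assumption) decides nothing below branch granularity.
HOTFIX_BRANCHES = {(17, 0), (17, 5), (18, 0), (18, 5), (19, 0)}

# Matches the leading numeric part of strings such as "19.0.1 MR-1",
# "18.5.5", "19.5 GA" or "v17.5.14 MR-14". A trailing "MR-n"/"GA" is ignored.
VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?")


@dataclass(frozen=True)
class SfosVersion:
    major: int
    minor: int
    patch: int

    @property
    def branch(self) -> Tuple[int, int]:
        return (self.major, self.minor)


def parse_version(text: str) -> Optional[SfosVersion]:
    """Parse a Sophos Firewall version string; None if it does not start with one."""
    m = VERSION_RE.match(text)
    if not m:
        return None
    patch = m.group(3) if m.group(3) is not None else "0"
    return SfosVersion(int(m.group(1)), int(m.group(2)), int(patch))


def classify(text: str) -> str:
    """
    Classify one reported version as:
      'fixed'            - at or above the first fixed release of its branch,
                           or on a branch newer than 19.5
      'hotfix-dependent' - on a hotfix-eligible branch but below the baked-in
                           fix; protected only if the hotfix really applied,
                           which has to be confirmed on the device itself
                           (an administrator can disable hotfixes)
      'unsupported'      - older than any hotfix-eligible branch
      'unknown'          - version string could not be parsed
    """
    v = parse_version(text)
    if v is None:
        return "unknown"
    if v.branch > (19, 5):
        return "fixed"
    first_fixed = FIXED_IN_BRANCH.get(v.branch)
    if first_fixed is not None and v.patch >= first_fixed:
        return "fixed"
    if v.branch in HOTFIX_BRANCHES:
        return "hotfix-dependent"
    return "unsupported"


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group hosts by classification so the hotfix-dependent ones get checked first."""
    report: Dict[str, List[str]] = {}
    for host, version in inventory:
        report.setdefault(classify(version), []).append(host)
    return report


# Constructed sample inventory (hypothetical hostnames and versions, not Shodan data).
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("fw-hq", "19.5.0 GA"),
    ("fw-branch-1", "19.0.1 MR-1"),
    ("fw-branch-2", "18.5.5 MR-5"),
    ("fw-legacy", "17.5.14 MR-14"),
    ("fw-lab", "16.05.8 MR-8"),
    ("fw-scan-noise", "n/a"),
]

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status:17} {', '.join(hosts)}")
```

The point of the "hotfix-dependent" bucket is that a version string alone cannot tell you whether the hotfix landed: the comment notes that hotfixes can be switched off and are lost on a from-scratch reinstall until re-pushed, so those hosts are the ones to verify on the device rather than assume safe.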

  • Brick them. (Score:4, Insightful)

    by Gravis Zero ( 934156 ) on Wednesday January 18, 2023 @12:53PM (#63219946)

    If you aren't responsible enough to keep the internet safe from your device then your device shouldn't be on the internet.

  • Password-managers, firewalls, etc. It seems the same crappy, shoddy practices used everywhere in the software world are used by makers of "security" software as well. Incompetence everywhere. That cannot go on.
