CVE-2022-1040: Critical Sophos Firewall RCE Vulnerability

May 18, 2022

Overview of cve-2022-1040

In March 2022, Sophos fixed a critical vulnerability in its Sophos Firewall products. The vulnerability is tracked as CVE-2022-1040 and allows for remote code execution (RCE). CVE-2022-1040 is an authentication bypass vulnerability located in the User Portal and Webadmin areas of Sophos Firewall.

The vulnerability has a CVSS rating of 9.8 and is critical in severity. Although the flaw was patched in March by Sophos, Shadow Server, a resource for internet security reporting, observed an uptick of scans testing for the vulnerability. According to Shadow Server, a proof of concept (POC) was published on May 9, 2022 and is currently being used.

Sophos stated that there is no action required for customers with the “Allow automatic installation of hotfixes” feature enabled because “enabled” is the default setting. However, if this feature is not enabled, organizations need to manually patch. So far, the vulnerability has been used to target organizations in the South Asia region, but any organization who has older versions or end-of-life products may need to update manually.

Sophos further stated that customers who need a workaround for CVE-2022-1040 should secure their User Portal Webadmin interfaces – making sure they are not exposed to WAN. Follow the device access best practices to disable WAN access to the User Portal and Webadmin.

How Avertium is Protecting Our Customers:

Expanding endpoints, cloud security computing environments, and accelerated digital transformation have decimated the perimeter in an ever-expanding attack surface. Avertium’s offers Attack Surface Management, so you’ll have no more blind spots, weak links, or fire drills.
To identify the source of your breach and the scope that it reached; you’ll want to include Avertium’s DFIR services in your protection plan. We offer DFIR (Digital Forensics and Incident Response) to mitigate damage from a successful breach.

Implement XDR as a prevention method. Our XDR is a combination of monitoring software like LogRhythm, Microsoft Azure Sentinel, or AlienVault, combined with endpoint protection such as SentinelOne. XDR platforms enable cybersecurity through a technology focus by collecting, correlating, and analyzing event data from any source on the network. This includes endpoints, applications, network devices, and user interactions.

Avertium's recommendations

For remediation, please see the following hotfixes published by Sophos:

Hotfixes for v17.0 MR10 EAL4+, v17.5 MR16 and MR17, v18.0 MR5(-1) and MR6, v18.5 MR1 and MR2, and v19.0 EAP published on March 23, 2022
Hotfixes for unsupported EOL versions v17.5 MR12 through MR15, and v18.0 MR3 and MR4 published on March 23, 2022
Hotfixes for unsupported EOL version v18.5 GA published on March 24, 2022
Hotfixes for v18.5 MR3 published on March 24, 2022
Hotfixes for unsupported EOL version v17.5 MR3 published on April 4, 2022
Fix included in v19.0 GA and v18.5 MR4 (18.5.4)
Users of older versions of Sophos Firewall are required to upgrade to receive the latest protections and this fix

INDICATOR'S OF COMPROMISE (IOCS):

At this time, there are no known IoCs associated with CVE-2022-1040. Avertium’s threat hunters remain vigilant in locating IoCs for our customers. Should any be located, Avertium will disclose them as soon as possible. For more information on how Avertium can help protect your organization, reach out to your Avertium Service Delivery Manager or Account Executive.