Sophos Issues Critical Security Updates for Firewall Products

Sophos has deployed urgent security patches to fix three vulnerabilities in their firewall products, including two critical flaws that could enable unauthorized remote code execution and privileged access.

The critical vulnerabilities are:

  1. A pre-authentication SQL injection flaw (CVE-2024-12727, CVSS 9.8) affecting email protection features. This vulnerability requires specific conditions: SPX configuration must be enabled and the firewall must be operating in High Availability mode. This affects roughly 0.05% of deployed devices.
  2. A security weakness involving default SSH credentials (CVE-2024-12728, CVSS 9.8) in High Availability cluster setup. The preset SSH passphrase remains active after cluster initialization, potentially exposing privileged access if SSH is enabled. This impacts approximately 0.5% of devices.
  3. A post-authentication code injection vulnerability (CVE-2024-12729, CVSS 8.8) in the User Portal that could allow authenticated users to execute remote code.

These vulnerabilities affect Sophos Firewall version 21.0 GA and earlier. Patches are available through version-specific hotfixes for all affected versions.

Verification Steps:

  • For CVE-2024-12727: Use Advanced Shell to run "cat /conf/nest_hotfix_status" (should show 320 or higher)
  • For CVE-2024-12728/12729: Use Device Console to run "system diagnostic show version-info" (should display HF120424.1 or newer)
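To turn those two checks into a repeatable test across a fleet, here is an added shell example (not Sophos' own tooling) that evaluates captured command output against the thresholds above; the sample captures are constructed, and the line layout of the version-info output is an assumption.

```shell
#!/bin/sh
# Added example (not from Sophos): evaluates captured output of the two verification
# commands named in the advisory. Thresholds (320, HF120424.1) come from the text above;
# the sample outputs are constructed and do not reproduce the real command layout.

# CVE-2024-12727 check: 0 = fixed (status >= 320), 1 = not fixed, 2 = undeterminable.
nest_hotfix_fixed() {
    status=$(printf '%s' "$1" | tr -d '[:space:]')
    case "$status" in
        ''|*[!0-9]*) return 2 ;;        # empty or non-numeric output
    esac
    [ "$status" -ge 320 ]
}

# Pulls the first HF token (HF + six digits + "." + counter) out of version-info output.
hotfix_token() {
    printf '%s\n' "$1" | sed -n 's/.*\(HF[0-9]\{6\}\.[0-9][0-9]*\).*/\1/p' | head -n 1
}

# CVE-2024-12728/12729 check. Prints "applied" for the exact hotfix named by the advisory,
# "absent" when no HF token is present, and "other:<token>" for any other identifier,
# which the operator then compares against the vendor's hotfix list (the ordering of HF
# identifiers is not stated on the page, so "newer" is not inferred here).
ha_hotfix_state() {
    token=$(hotfix_token "$1")
    if [ -z "$token" ]; then
        echo absent
    elif [ "$token" = "HF120424.1" ]; then
        echo applied
    else
        echo "other:$token"
    fi
}

# Constructed sample captures (assumed layout).
NEST_SAMPLE='320'
VERSION_INFO_SAMPLE='Firewall version: 21.0 GA
Hotfix: HF120424.1'

if nest_hotfix_fixed "$NEST_SAMPLE"; then
    echo "CVE-2024-12727: hotfix present (status $NEST_SAMPLE)"
else
    echo "CVE-2024-12727: NOT fixed or undeterminable"
fi
echo "CVE-2024-12728/12729: $(ha_hotfix_state "$VERSION_INFO_SAMPLE")"
```

Feed the script the text you copy out of the Advanced Shell and Device Console sessions; anything other than "applied" or a status of 320 or higher means the device still needs attention.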

Until patches can be implemented, Sophos recommends:

  • Limiting SSH access to dedicated HA links
  • Using custom, complex passphrases for HA configuration
  • Disabling WAN-based SSH access
  • Restricting WAN exposure of User Portal and Webadmin interfaces

This security update follows recent news about Chinese national Guan Tianfeng, who allegedly exploited a different Sophos firewall vulnerability (CVE-2020-12271) to compromise 81,000 devices globally.