Overview
Sophos has resolved three independent security vulnerabilities in Sophos Firewall.
No action is required for Sophos Firewall customers with the "Allow automatic installation of hotfixes" feature enabled on remediated versions (see Remediation section below). Enabled is the default setting.
CVE ID | Description | Severity |
---|---|---|
CVE-2024-12727 | A pre-auth SQL injection vulnerability in the email protection feature allowing access to the reporting database of Sophos Firewall could lead to remote code execution, if a specific configuration of Secure PDF eXchange (SPX) is enabled in combination with the firewall running in High Availability (HA) mode. The issue, impacting about 0.05% of devices, was discovered and responsibly disclosed to Sophos by an external security researcher via the Sophos bug bounty program. | CRITICAL |
CVE-2024-12728 | The suggested and non-random SSH login passphrase for High Availability (HA) cluster initialization remained active after the HA establishment process completed, potentially exposing a privileged system account on the Sophos Firewall if SSH is enabled, affecting approximately 0.5% of devices. The issue was discovered by Sophos during internal security testing. | CRITICAL |
CVE-2024-12729 | A post-auth code injection vulnerability in the User Portal allowing authenticated users to gain remote code execution was discovered and responsibly disclosed to Sophos by an external security researcher via the Sophos bug bounty program. | HIGH |
Applies to the following Sophos product(s) and version(s)
Sophos Firewall v21.0 GA (21.0.0) and older
Remediation
- Ensure you are running a supported version
- CVE-2024-12727:
  - Hotfixes for the following versions published on:
    - Dec 17 2024 for v21 GA, v20 GA, v20 MR1, v20 MR2, v20 MR3, v19.5 MR3, v19.5 MR4, v19.0 MR2
  - Fix included in v21 MR1 and newer
- CVE-2024-12728:
  - Hotfixes for the following versions published on:
    - Nov 26 2024 for v21 GA, v20 GA, v20 MR1, v19.5 GA, v19.5 MR1, v19.5 MR2, v19.5 MR3, v19.5 MR4, v19.0 MR2
    - Nov 27 2024 for v20 MR2
  - Fix included in v20 MR3, v21 MR1 and newer
- CVE-2024-12729:
  - Hotfixes for the following versions published on:
    - Dec 04 2024 for v21 GA, v20 GA, v20 MR1, v20 MR2
    - Dec 05 2024 for v19.5 GA, v19.5 MR1, v19.5 MR2, v19.5 MR3, v19.5 MR4, v19.0 MR2, v19.0 MR3
    - Dec 10 2024 for v20 MR3
  - Fix included in v21 MR1 and newer
- Users of older versions of Sophos Firewall are required to upgrade to receive the latest protections, and this fix
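As an added inventory triage helper (not part of the advisory or of any Sophos tooling), the script below encodes the hotfix and fixed-release lists from the Remediation section and classifies each firewall version per CVE; the hostnames and versions in the sample inventory are constructed.

```python
import re
from typing import Dict, Tuple

# Remediation data transcribed from the advisory's Remediation section.
# First release in each train that ships the fix ("Fix included in ... and newer").
FIXED_IN = {
    "CVE-2024-12727": [(21, 0, 1)],
    "CVE-2024-12728": [(20, 0, 3), (21, 0, 1)],
    "CVE-2024-12729": [(21, 0, 1)],
}
# Releases that received a hotfix (installed automatically only when
# "Allow automatic installation of hotfixes" is enabled; verify per KBA-000010084).
HOTFIXED = {
    "CVE-2024-12727": "v21 GA, v20 GA, v20 MR1, v20 MR2, v20 MR3, v19.5 MR3, v19.5 MR4, v19.0 MR2",
    "CVE-2024-12728": "v21 GA, v20 GA, v20 MR1, v20 MR2, v19.5 GA, v19.5 MR1, v19.5 MR2, "
                      "v19.5 MR3, v19.5 MR4, v19.0 MR2",
    "CVE-2024-12729": "v21 GA, v20 GA, v20 MR1, v20 MR2, v20 MR3, v19.5 GA, v19.5 MR1, "
                      "v19.5 MR2, v19.5 MR3, v19.5 MR4, v19.0 MR2, v19.0 MR3",
}

def parse_version(text: str) -> Tuple[int, int, int]:
    """'v19.5 MR3' -> (19, 5, 3); 'v21 GA' -> (21, 0, 0). GA sorts before MR1."""
    m = re.fullmatch(r"v?(\d+)(?:\.(\d+))?\s+(?:GA|MR(\d+))", text.strip(), re.I)
    if not m:
        raise ValueError(f"unrecognised Sophos Firewall version: {text!r}")
    return int(m.group(1)), int(m.group(2) or 0), int(m.group(3) or 0)

def status(cve: str, version: str) -> str:
    """Classify one firewall version against one CVE from this advisory."""
    v = parse_version(version)
    train = v[:2]                      # (major, minor), e.g. (19, 5)
    fixes = FIXED_IN[cve]
    if train > max(f[:2] for f in fixes) or any(train == f[:2] and v[2] >= f[2] for f in fixes):
        return "fixed-in-release"      # no hotfix needed
    if v in {parse_version(h) for h in HOTFIXED[cve].split(",")}:
        return "hotfix-available"      # confirm the hotfix landed (KBA-000010084)
    return "upgrade-required"          # older/unlisted release: treat conservatively

def triage(inventory: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Map each host to its status for every CVE in the advisory."""
    return {host: {cve: status(cve, ver) for cve in FIXED_IN} for host, ver in inventory.items()}

if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    sample = {"fw-edge-1": "v21 GA", "fw-dc-2": "v20 MR2", "fw-lab-3": "v19.5 MR2"}
    for host, result in triage(sample).items():
        print(host, result)
```

A "hotfix-available" result only says the release was eligible; whether the hotfix actually landed on a given unit is checked per KBA-000010084.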
Verifying the hotfix
- To confirm that the hotfix has been applied to your firewall, please refer to KBA-000010084
Workaround
CVE-2024-12728
To mitigate the issue of the SSH passphrase (used during deployment of HA ports) remaining active, customers can ensure that:
- SSH access is restricted to only the dedicated HA link that is physically separate, and/or
- HA is reconfigured using a sufficiently long and random custom passphrase
Sophos recommends disabling WAN access via SSH by following device access best practices and instead using VPN and/or Sophos Central for remote access and management.
CVE-2024-12729
Customers can protect themselves from external attackers by ensuring their User Portal and Webadmin are not exposed to WAN.
Sophos recommends disabling WAN access to the User Portal and Webadmin by following device access best practices and instead using VPN and/or Sophos Central for remote access and management.
Vulnerability investigation
Sophos has not observed these vulnerabilities to be exploited at this time.
Related information
- https://www.cve.org/CVERecord?id=CVE-2024-12727
- https://www.cve.org/CVERecord?id=CVE-2024-12728
- https://www.cve.org/CVERecord?id=CVE-2024-12729
- https://docs.sophos.com/nsg/sophos-firewall/latest/Help/en-us/webhelp/onlinehelp/HighAvailablityStartupGuide/HARequirements/HAPorts/index.html
- https://docs.sophos.com/nsg/sophos-firewall/latest/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Administration/DeviceAccess/index.html
- https://support.sophos.com/support/s/article/KBA-000010084