Resolved Multiple Vulnerabilities in Sophos Firewall (CVE-2024-12727, CVE-2024-12728, CVE-2024-12729)

Severity: Critical
CVEs: CVE-2024-12727, CVE-2024-12728, CVE-2024-12729
Updated:
Product(s): Sophos Firewall
Publication ID: sophos-sa-20241219-sfos-rce
Article version: 1
First published:
Workaround available: Yes

Overview

Sophos has resolved three independent security vulnerabilities in Sophos Firewall.

No action is required for Sophos Firewall customers who have the "Allow automatic installation of hotfixes" feature enabled on remediated versions (see the Remediation section below). This feature is enabled by default.

CVE-2024-12727 (CRITICAL)
A pre-auth SQL injection vulnerability in the email protection feature, allowing access to the reporting database of Sophos Firewall, could lead to remote code execution if a specific configuration of Secure PDF eXchange (SPX) is enabled in combination with the firewall running in High Availability (HA) mode. The issue, impacting about 0.05% of devices, was discovered and responsibly disclosed to Sophos by an external security researcher via the Sophos bug bounty program.

CVE-2024-12728 (CRITICAL)
The suggested, non-random SSH login passphrase for High Availability (HA) cluster initialization remained active after the HA establishment process completed, potentially exposing a privileged system account on the Sophos Firewall if SSH is enabled. This affects approximately 0.5% of devices. The issue was discovered by Sophos during internal security testing.

CVE-2024-12729 (HIGH)
A post-auth code injection vulnerability in the User Portal allowing authenticated users to gain remote code execution was discovered and responsibly disclosed to Sophos by an external security researcher via the Sophos bug bounty program.


Applies to the following Sophos product(s) and version(s)

Sophos Firewall v21.0 GA (21.0.0) and older

Remediation

  • Ensure you are running a supported version
  • CVE-2024-12727:
    • Hotfixes for the following versions published on:
      • Dec 17 2024 for v21 GA, v20 GA, v20 MR1, v20 MR2, v20 MR3, v19.5 MR3, v19.5 MR4, v19.0 MR2
    • Fix included in v21 MR1 and newer
  • CVE-2024-12728:
    • Hotfixes for the following versions published on:
      • Nov 26 2024 for v21 GA, v20 GA, v20 MR1, v19.5 GA, v19.5 MR1, v19.5 MR2, v19.5 MR3, v19.5 MR4, v19.0 MR2
      • Nov 27 2024 for v20 MR2
    • Fix included in v20 MR3, v21 MR1 and newer
  • CVE-2024-12729:
    • Hotfixes for the following versions published on:
      • Dec 04 2024 for v21 GA, v20 GA, v20 MR1, v20 MR2
      • Dec 05 2024 for v19.5 GA, v19.5 MR1, v19.5 MR2, v19.5 MR3, v19.5 MR4, v19.0 MR2, v19.0 MR3
      • Dec 10 2024 for v20 MR3
    • Fix included in v21 MR1 and newer
  • Users of older, unsupported versions of Sophos Firewall must upgrade to a supported version to receive this fix and the latest protections

Verifying the hotfix

  • To confirm that the hotfix has been applied to your firewall, refer to KBA-000010084.

Workaround

CVE-2024-12728

To mitigate the issue of the SSH passphrase (used during deployment of HA ports) remaining active, customers can ensure that:

  • SSH access is restricted to only the dedicated HA link that is physically separate, and/or
  • HA is reconfigured using a sufficiently long and random custom passphrase

Sophos recommends disabling WAN access via SSH by following device access best practices and instead using a VPN and/or Sophos Central for remote access and management.
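The second mitigation bullet asks for a "sufficiently long and random" custom passphrase. The following Python is an added example, not Sophos code and not a description of how the firewall itself generates or checks the HA passphrase: it draws a replacement from the operating system's CSPRNG and checks a candidate against a minimum-entropy policy. The 128-bit threshold, the character set and the optional denylist of values to refuse (for instance the passphrase the HA wizard proposed) are assumptions made for the example.

```python
import math
import secrets
import string

# Character set for the replacement passphrase: printable ASCII without
# whitespace, so it survives copy/paste into the HA configuration dialog.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Minimum strength accepted by this example (128 bits). This is a policy
# choice made here, not a figure taken from the Sophos advisory.
MIN_ENTROPY_BITS = 128


def uniform_entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of `length` characters chosen uniformly at random from the alphabet.

    This is an upper bound that only holds for genuinely random choice. A value
    suggested by a wizard, or reused across devices, carries close to zero
    entropy however long it is; that predictability is the weakness behind
    CVE-2024-12728, and no length check can detect it.
    """
    return length * math.log2(alphabet_size)


def min_length_for(bits: int, alphabet_size: int = len(ALPHABET)) -> int:
    """Smallest length whose uniform entropy reaches `bits`."""
    return math.ceil(bits / math.log2(alphabet_size))


def generate_passphrase(min_bits: int = MIN_ENTROPY_BITS) -> str:
    """Draw a passphrase from the OS CSPRNG (secrets) long enough for `min_bits`."""
    length = min_length_for(min_bits)
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def is_acceptable(passphrase: str, min_bits: int = MIN_ENTROPY_BITS,
                  forbidden: frozenset = frozenset()) -> bool:
    """Accept only values from ALPHABET, long enough for the policy, and not on
    the caller-supplied denylist of known suggested/default values."""
    if passphrase in forbidden:
        return False
    if not set(passphrase) <= set(ALPHABET):
        return False
    return uniform_entropy_bits(len(passphrase)) >= min_bits


if __name__ == "__main__":
    candidate = generate_passphrase()
    print(candidate, f"({uniform_entropy_bits(len(candidate)):.1f} bits)")
```

Generate the value on an administration workstation, set it when reconfiguring HA, and store it in the same secrets store as the other firewall credentials; do not reuse it for any other account.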

CVE-2024-12729

Customers can protect themselves from external attackers by ensuring that the User Portal and Webadmin are not exposed to the WAN.

Sophos recommends disabling WAN access to the User Portal and Webadmin by following device access best practices and instead using a VPN and/or Sophos Central for remote access and management.
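Both workarounds reduce to one observable check: from the Internet side, none of SSH, Webadmin or the User Portal should accept a TCP connection on the firewall's WAN address. The following Python is an added example, not a Sophos tool, that performs that check from an external host. The port numbers (22 for SSH, 4444 for Webadmin, 443 for the User Portal) are assumed defaults and must be matched to the device-access configuration actually in use; the fake connector and the 203.0.113.10 placeholder exist only so the logic can be exercised offline.

```python
import socket
from typing import Callable, Dict, Mapping, Set

# Default listening ports assumed for this example. They are configurable on
# the firewall; confirm them against the actual device-access settings.
SERVICES: Dict[int, str] = {22: "SSH", 4444: "Webadmin", 443: "User Portal"}

Connector = Callable[[str, int], None]


def tcp_connect(host: str, port: int, timeout: float = 3.0) -> None:
    """Complete a TCP handshake and close; raises OSError if refused or filtered."""
    with socket.create_connection((host, port), timeout=timeout):
        pass


def fake_connector(open_ports: Set[int]) -> Connector:
    """Constructed stand-in for tcp_connect so the logic can run without a network."""
    def connect(host: str, port: int) -> None:
        if port not in open_ports:
            raise OSError(f"connection to {host}:{port} refused (simulated)")
    return connect


def check_exposure(host: str, services: Mapping[int, str] = SERVICES,
                   connect: Connector = tcp_connect) -> Dict[int, bool]:
    """Map each port to True if a TCP connection from this host succeeded.

    Run from a machine on the Internet side of the firewall against its WAN
    address. True means reachable, nothing more: it does not tell you whether
    the hotfix is installed, which is verified separately (KBA-000010084).
    """
    results: Dict[int, bool] = {}
    for port in services:
        try:
            connect(host, port)
            results[port] = True
        except OSError:
            results[port] = False
    return results


def exposed_services(results: Mapping[int, bool],
                     services: Mapping[int, str] = SERVICES) -> list:
    """Names of the services that answered, sorted for stable reporting."""
    return sorted(services[port] for port, is_open in results.items() if is_open)


if __name__ == "__main__":
    import sys
    # 203.0.113.10 is a documentation (TEST-NET-3) address used as a placeholder.
    target = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.10"
    report = check_exposure(target)
    for port, is_open in sorted(report.items()):
        state = "EXPOSED" if is_open else "closed/filtered"
        print(f"{port:>5}  {SERVICES[port]:<12} {state}")
    sys.exit(1 if exposed_services(report) else 0)
```

Run it from outside the firewall (`python3 check_exposure.py <wan-ip>`); a non-zero exit means at least one management service answered on the WAN and the device-access rules still need tightening. A reachable port proves exposure, not vulnerability, so keep this separate from the hotfix verification above.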

Vulnerability investigation

Sophos has not observed exploitation of these vulnerabilities at this time.

Related information