Follow Us

Sophos Firewall Vulnerabilities: Critical Fixes You Shouldn’t Ignore

·

Martin Baker
Sophos Firewall

Sophos has rolled out hotfixes to fix three serious security flaws in its firewall products. These vulnerabilities could let attackers execute remote code and gain privileged system access under specific conditions. While there’s no sign of active exploitation, the risks are too significant to overlook.

The Key Vulnerabilities

  1. Weak SSH Credentials (CVE-2024-12728, CVSS Score: 9.8)
    • During High Availability (HA) cluster setup, a non-random SSH passphrase is suggested.
    • This passphrase stays active after setup, creating a potential access point for attackers if SSH is enabled.
    • Affects around 0.5% of devices.
  2. SQL Injection Vulnerability (CVE-2024-12727, CVSS Score: 9.8)
    • Found in the email protection feature.
    • If Secure PDF eXchange (SPX) is enabled and the firewall is running in HA mode, attackers could execute remote code.
    • Affects about 0.05% of devices.
  3. Post-Authentication Code Injection (CVE-2024-12729, CVSS Score: 8.8)
    • Located in the User Portal.
    • Authenticated users can exploit this flaw to execute remote code.

Which Versions Are Affected?

These vulnerabilities impact Sophos Firewall versions 21.0 GA (21.0.0) and earlier.

Patches Are Available For:

  • CVE-2024-12728: v20 MR3, v21 MR1, and newer.
  • CVE-2024-12727: v21 MR1 and newer.
  • CVE-2024-12729: v21 MR1 and newer.

Verify Your Hotfix Status

  • For CVE-2024-12727: Run this in the Sophos Firewall console:cat /conf/nest_hotfix_statusIf the value is 320 or higher, the patch is in place.
  • For CVE-2024-12728 & CVE-2024-12729: Use this command:system diagnostic show version-infoLook for HF120424.1 or later.

Mitigation Steps While Waiting to Patch

If you can’t apply the updates immediately:

  • Restrict SSH access to a physically separate HA link.
  • Use a long, random SSH passphrase.
  • Disable WAN access for SSH.
  • Keep the User Portal and Webadmin inaccessible from WAN.

Why It’s Critical

Firewall vulnerabilities are a favorite entry point for attackers. Recently, a Chinese national was charged in the U.S. for exploiting a similar flaw (CVE-2020-12271) to compromise over 81,000 Sophos firewalls globally.

Don’t wait. Even if the vulnerabilities affect only a small number of devices, their severity means immediate action is necessary. Apply the patches, follow best practices, and keep your firewall secure. It’s better to prevent than to patch under pressure.

Martin Baker
Martin Baker

Martin Baker, Managing Editor at Decoded.cc, harnesses a decade of digital publishing expertise to craft engaging content around technology, data, and culture. He leads cross-functional teams, enforces editorial excellence, and transforms complex ideas into accessible narratives—fueling Decoded.cc’s growth and impact.

Share this:

Other Posts

Latest CVE Advisories

⚠️Advisory Database

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

Ads Blocker Image Powered by Code Help Pro

Ads Blocker Detected!!!

We have detected that you are using extensions to block ads. Please support us by disabling these ads blocker.