Sophos has issued urgent hotfixes for three significant security vulnerabilities in its firewall products, two of them rated Critical. The flaws could enable remote code execution and privileged system access.
Key Vulnerabilities:
1. CVE-2024-12727 (CVSS: 9.8)
– Pre-authentication SQL injection vulnerability
– Affects email protection feature with SPX configuration
– Impacts approximately 0.05% of devices
2. CVE-2024-12728 (CVSS: 9.8)
– Weak credentials vulnerability in SSH login
– Related to High Availability cluster initialization
– Affects roughly 0.5% of devices
3. CVE-2024-12729 (CVSS: 8.8)
– Post-authentication code injection vulnerability
– Enables remote code execution through User Portal
Affected Versions:
– Sophos Firewall versions 21.0 GA and older
Recommended Security Measures:
1. Apply available hotfixes immediately
2. Restrict SSH access to dedicated HA link
3. Use strong, random custom passphrases
4. Disable WAN access via SSH
5. Limit User Portal and Webadmin WAN exposure
Verification Steps:
– For CVE-2024-12727: Run "cat /conf/nest_hotfix_status" (value should be ≥320)
– For CVE-2024-12728/12729: Run "system diagnostic show version-info" (should show HF120424.1 or later)
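An offline triage helper, added here and not part of the advisory or of Sophos' own tooling, that applies the two verification checks above to command output captured from a device. It assumes that /conf/nest_hotfix_status holds a single integer and that hotfix tags follow an HFMMDDYY.N pattern; neither format is stated in the advisory.

```python
import re

# Thresholds taken from the advisory's verification steps.
NEST_HOTFIX_MIN = 320        # cat /conf/nest_hotfix_status  (CVE-2024-12727)
REQUIRED_HF = "HF120424.1"   # system diagnostic show version-info (CVE-2024-12728/12729)

# ASSUMPTION: hotfix tags are HF + MMDDYY + "." + sequence number.
HF_RE = re.compile(r"\bHF(\d{2})(\d{2})(\d{2})\.(\d+)\b")


def hf_key(tag: str) -> tuple:
    """Turn an 'HFMMDDYY.N' tag into a sortable (YY, MM, DD, N) tuple."""
    m = HF_RE.search(tag)
    if not m:
        raise ValueError(f"not a hotfix tag: {tag!r}")
    mm, dd, yy, n = m.groups()
    return (int(yy), int(mm), int(dd), int(n))


def nest_hotfix_ok(status_output: str) -> bool:
    """True if the hotfix status value meets the advisory's >= 320 requirement.
    ASSUMPTION: the file holds one integer, possibly with surrounding whitespace."""
    m = re.search(r"\d+", status_output)
    return m is not None and int(m.group()) >= NEST_HOTFIX_MIN


def version_info_ok(version_output: str) -> bool:
    """True if any hotfix tag in the version-info output is HF120424.1 or later."""
    tags = [m.group(0) for m in HF_RE.finditer(version_output)]
    return any(hf_key(t) >= hf_key(REQUIRED_HF) for t in tags)


def device_patched(status_output: str, version_output: str) -> dict:
    """Map each CVE in the advisory to whether its hotfix check passes."""
    version_ok = version_info_ok(version_output)
    return {
        "CVE-2024-12727": nest_hotfix_ok(status_output),
        "CVE-2024-12728": version_ok,
        "CVE-2024-12729": version_ok,
    }


if __name__ == "__main__":
    # Constructed sample outputs, not real device captures.
    print(device_patched("320\n", "Applied hotfixes: HF112824.1, HF120424.1\n"))
    print(device_patched("298\n", "Applied hotfixes: HF112824.1\n"))
```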
No evidence suggests these vulnerabilities have been exploited in the wild. Users are strongly advised to implement the recommended security measures and apply the appropriate hotfixes promptly.