A critical code injection vulnerability in Sophos Firewall has been patched, but not before criminals discovered and exploited it.
The bug, tracked as CVE-2022-3236, exists in the User Portal and Webadmin components of the firewall in versions 19.0 and earlier. Although it has not been assigned a CVSS severity rating, Sophos considers it "critical" and says it allows remote code execution.
"Sophos has observed this vulnerability being used to target a small set of specific organizations, primarily in the South Asia region," the vendor said in an advisory this month. "We have informed each of these organizations directly."
The UK security software vendor rolled out a patch last week for supported versions (v17.0 to v19.0) and also offered a workaround: disabling WAN access to the User Portal and Webadmin.
Sophos also said it is continuing to investigate and may provide more details at a later date.
As of Tuesday, the security shop's blog regularly described vulnerabilities and exploits affecting other software vendors, but did not mention its own critical firewall flaw.
Still, other software vendors and security researchers weighed in on the Sophos bug and warned of the "high" potential for mass exploitation. At least 28 of the exploited vulnerabilities cataloged by CISA involve code injection, Immanuel Chavoya tweeted:
🚨 RCE in Sophos Firewall was exploited in the wild: CVE-2022-3236. This is likely to be exploited at scale as the vulnerability relies on code injection (CWE-94); if we look at #CISA KEVs, at least 28 are related to code injection… pic.twitter.com/MgzXCWwgwr
— Immanuel Chavoya (@FullM3talPacket) September 23, 2022
While Sophos has not disclosed who it believes is exploiting the flaw to target South Asian organizations, Chinese state-sponsored criminals have been behind earlier attacks over the past 12 months that targeted another of Sophos's critical firewall flaws.
Recorded Future's analysis of some of that activity, published last week, attributed it to Beijing-linked crews seen exploiting a vulnerability in the vendor's Sophos Firewall in April.
That earlier critical remote code execution vulnerability, tracked as CVE-2022-1040, was also used to target South Asian organizations. According to Recorded Future, at least three Chinese government-sponsored groups exploited the vulnerability to gain initial unauthorized access to victims' networks.
Sophos published its own findings in June, reporting that at least two advanced persistent threat groups exploited CVE-2022-1040 before it could release a patch. The vulnerability was used to deliver malware to compromised devices.
The malware allowed attackers to install backdoor tools and steal sensitive data, among other nefarious behaviors; to write, read, and manipulate files and settings on infected devices; and in some cases to gain full control of the environment in which it ran. ®
Sophos fixes critical code injection bug under exploit • The Register