Skip to main content

Critical vulnerabilities could lead to SQL injection, unauthorised access, or RCE

Threat ID:CC-4595
Threat Severity:Medium
Published:23 December 2024 2:22 PM

Summary

Critical vulnerabilities could lead to SQL injection, unauthorised access, or RCE 

Affected platforms

The following platforms are known to be affected:

Threat details

SSL-VPN and firewall appliances are popular targets for attackers

SSL-VPN and firewall appliances are internet-facing by design and are frequently targeted by attackers. Vulnerabilities in SSL-VPN and firewall appliances are often exploited soon after official disclosure so organisations are urged to apply security updates as soon as practicable.


Introduction

Sophos has released a critical advisory addressing two critical and one high severity vulnerability in its firewall product, simply known as Sophos Firewall. 

  • CVE-2024-12727 is a pre-authentication SQL injection vulnerability in the email protection feature which could allow an attacker to achieve remote code execution (RCE) and access to the reporting database. CVE-2024-12727 has a CVSSv3 score of 9.8 and affects firewalls with a specific configuration where Secure PDF eXchange (SPX) is enabled in combination with the firewall running in High Availability mode. 
  • CVE-2024-12728 is a weak credentials vulnerability with a CVSSv3 score of 9.8. The suggested and non-random Secure Shell (SSH) login passphrase for High Availability configuration remains active after initialisation, potentially exposing a high privileged system account. 
  • CVE-2024-12729 has a CVSSv3 score of 8.8 and is a code injection vulnerability in the User Portal. If exploited, an authenticated attacker could achieve RCE.

Remediation advice

Affected organisations are encouraged to review the Sophos advisory sophos-sa-20241219-sfos-rce and apply the relevant hotfixes as soon as is practicable.

Additional workarounds are described below.

Remediation steps

   
Guidance

CVE-2024-12728

To mitigate the issue of the SSH passphrase (used during deployment of HA ports) remaining active, organisations are encouraged to ensure that:

  • SSH access is restricted to only the dedicated HA link that is physically separate
  • HA is reconfigured using a sufficiently long and random custom passphrase

Sophos recommends to disable WAN access via SSH and instead use VPN and/or Sophos Central for remote access and management.


https://www.sophos.com/en-us/security-advisories/sophos-sa-20241219-sfos-rce
Guidance

CVE-2024-12729

  • Organisations can protect themselves from external attackers by ensuring their User Portal and Webadmin are not exposed to WAN.

https://www.sophos.com/en-us/security-advisories/sophos-sa-20241219-sfos-rce

Definitive source of threat updates

CVE Vulnerabilities

StatusPublished
CVE-2024-12727A pre-auth SQL injection vulnerability in the email protection feature of Sophos Firewall versions older than 21.0 MR1 (21.0.1) allows access to the reporting database and can lead to remote code execution if a specific configuration of Secure PDF eXchange (SPX) is enabled in combination with the firewall running in High Availability (HA) mode.
StatusPublished
CVE-2024-12728A weak credentials vulnerability potentially allows privileged system access via SSH to Sophos Firewall older than version 20.0 MR3 (20.0.3).
StatusPublished
CVE-2024-12729A post-auth code injection vulnerability in the User Portal allows authenticated users to execute code remotely in Sophos Firewall older than version 21.0 MR1 (21.0.1).

Last edited: 23 December 2024 2:22 pm

Back to top