More than 4,400 servers exposed to the Internet are running versions of the Sophos Firewall vulnerable to a critical exploit that allows hackers to run malicious code, a researcher has warned.
CVE-2022-3236 is a code injection vulnerability that allows remote code execution in the Sophos Firewall's user portal and webadmin interfaces. It carries a severity rating of 9.8 out of 10. When Sophos disclosed the vulnerability last September, the company warned that it had been exploited in the wild as a zero-day. The security company asked customers to install a hotfix and, later, a full patch to prevent infection.
According to recently published research, more than 4,400 servers running the Sophos firewall remain vulnerable. That accounts for about 6 percent of all Sophos firewalls, security firm VulnCheck said, citing numbers from a Shodan search.
“More than 99% of internet-facing Sophos firewalls have not been updated to versions that include the official fix for CVE-2022-3236,” wrote VulnCheck researcher Jacob Baines. “But about 93% are running versions eligible for a hotfix, and the default behavior of the firewall is to download and apply hotfixes automatically (unless disabled by an administrator). It’s likely that nearly all servers eligible for a hotfix have received one, although bugs do happen. This leaves more than 4,000 firewalls (or around 6% of internet-facing Sophos Firewalls) still running versions that have not received a hotfix and are therefore vulnerable.”
The researcher said he was able to create a working exploit for the vulnerability based on the technical descriptions in this advisory from the Zero Day Initiative. The research's implicit warning: should exploit code become public, there is no shortage of servers to infect.
Baines urged users of Sophos firewalls to ensure they are patched. He also advised administrators of vulnerable servers to look for two indicators of a possible compromise. The first is the log file at /logs/csc.log and the second is /log/validationError.log. If either contains the the_Discriminator field in a login request, there was likely a successful or unsuccessful attempt to exploit the vulnerability, he said.
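The check Baines describes amounts to searching those two log files for login requests that carry the the_Discriminator field. The script below is an added example of that defensive check; it is not code from the article, from VulnCheck, or from Sophos. It takes the two log paths from the article, matches the field name case-insensitively, and treats a missing file as "not present" rather than as an error. The sample log lines are constructed for illustration and do not reproduce the real format of csc.log or validationError.log.

```python
"""Scan firewall logs for the CVE-2022-3236 indicator described by VulnCheck:
the ``the_Discriminator`` field appearing in a login request.
Added example, not the article's or the vendor's code."""
import re
from pathlib import Path
from typing import Dict, Iterable, List, Optional, Tuple

# Log paths as named in the article. Both are checked; a file that is absent
# on a given appliance is reported as None instead of raising an error.
DEFAULT_LOG_PATHS = ["/logs/csc.log", "/log/validationError.log"]

# Case-insensitive so both "the_Discriminator" (as spelled on the page) and
# any lowercase variant in the logs are caught.
INDICATOR = re.compile(r"the_discriminator", re.IGNORECASE)


def find_indicator_lines(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (line_number, line) for every line containing the indicator."""
    hits: List[Tuple[int, str]] = []
    for number, line in enumerate(lines, start=1):
        if INDICATOR.search(line):
            hits.append((number, line.rstrip("\n")))
    return hits


def scan_log_files(
    paths: Iterable[str] = DEFAULT_LOG_PATHS,
) -> Dict[str, Optional[List[Tuple[int, str]]]]:
    """Map each path to its list of hits, or None when the file does not exist."""
    results: Dict[str, Optional[List[Tuple[int, str]]]] = {}
    for p in paths:
        path = Path(p)
        if not path.is_file():
            results[p] = None
            continue
        # errors="replace" keeps the scan going over any non-UTF-8 bytes.
        with path.open("r", errors="replace") as fh:
            results[p] = find_indicator_lines(fh)
    return results


# Constructed sample lines (not real Sophos output) so the scan runs offline.
SAMPLE_LINES = [
    "2023-01-18 10:00:01 login request user=admin result=ok",
    "2023-01-18 10:02:17 login request fields={the_Discriminator=x} result=fail",
    "2023-01-18 10:02:18 validation error: unexpected field the_discriminator",
    "2023-01-18 10:05:40 login request user=ops result=ok",
]


if __name__ == "__main__":
    # Run over the constructed sample first, then over the real log paths.
    for number, line in find_indicator_lines(SAMPLE_LINES):
        print(f"sample: possible CVE-2022-3236 attempt at line {number}: {line}")
    for p, hits in scan_log_files().items():
        if hits is None:
            print(f"{p}: not present on this host")
        elif not hits:
            print(f"{p}: no indicator found")
        else:
            for number, line in hits:
                print(f"{p}:{number}: {line}")
```

A hit on either file only says that a request carrying the field reached the appliance; as the article notes, it does not by itself distinguish a successful exploit from a failed attempt, so matching lines should be correlated with the request's outcome and with the CAPTCHA status.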
The bright spot in the research is that mass exploitation is unlikely, thanks to a CAPTCHA that web clients must complete during authentication.
“The vulnerable code is only reached after the CAPTCHA is validated,” Baines wrote. “A failed CAPTCHA will cause the exploit to fail. Solving CAPTCHAs programmatically is not impossible, but it is a high hurdle for most attackers. Most internet-facing Sophos firewalls appear to have login CAPTCHA enabled, meaning this vulnerability is unlikely to have been successfully exploited at scale even at the best of times.”