Full Report
Sophos Firewall is a network security appliance that can be deployed essentially anywhere. It exposes a web admin console on TCP 4444 and a user portal on TCP 443. The web application is written in Java, runs on Jetty and sits behind Apache. A separate local service does much of the actual work downstream; when that service validates the submitted JSON, it does so in Perl. Each field name is associated with a JSON object describing the mapping between field values and object names in Perl, and in some cases Perl's string eval() is used to turn the JSON data into Perl objects, which is where attacker-controlled text becomes code. Overall, the bug is a fun code injection attack with a weird flow. The article is incredibly verbose, explaining the inner workings of JSON and HTTP along the way. Additionally, the attack path through the code is described in excruciating detail without much context. I wish the report were less verbose, as it makes it hard to find the code stuff.
Analysis Summary
# Vulnerability: Sophos Firewall Arbitrary Code Execution via JSON Validation Flaw
## CVE Details
- CVE ID: CVE-2022-3236
- CVSS Score: 9.8 (Critical)
- CWE: CWE-94 (Improper Control of Generation of Code ('Code Injection'))
## Affected Systems
- Products: Sophos Firewall (SFOS)
- Versions: v19.0 MR1 (19.0.1) and older.
- Configurations: Reachable through the User Portal (TCP 443) and the Web Admin Console (TCP 4444); the exposure is greatest where either interface is reachable from the WAN.
## Vulnerability Description
The Controller endpoint accepts a `json` request parameter. The Java layer running on Jetty forwards that document to a local backend service whose Perl module (`CyberAPIArch.pm`) validates it; for structures that carry a `__discriminator` key, the module builds Perl source from the JSON and runs it with the string form of `eval()`. Because JSON field names reach that `eval()` without being restricted to plain identifiers, a crafted field name is executed as Perl code rather than treated as data. No authentication is needed to reach the endpoint, and the Perl processing layer runs with root privileges, so the result is unauthenticated Remote Code Execution (RCE) as root on the appliance.
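To make the flaw class concrete, here is an added illustration in Python; it is not Sophos's code, the product's validator is Perl, and the exact `CyberAPIArch.pm` logic is not reproduced. It contrasts a "parser" that obtains objects from JSON text by string eval (the pattern the report describes) with a hardened path that parses with a real JSON library and then whitelists every field name. All three inputs are constructed for the example.

```python
import json
import re

# Constructed evidence channel: the injected expression appends here when it runs.
SIDE_EFFECTS = []


def json_to_object_via_eval(text):
    """Model of the flawed flow: JSON text is massaged into interpreter syntax and
    then string-eval'd to obtain native objects. Anything the sender writes in a
    key or value is executed, not parsed (CWE-94)."""
    py_text = re.sub(r"\btrue\b", "True", text)
    py_text = re.sub(r"\bfalse\b", "False", py_text)
    py_text = re.sub(r"\bnull\b", "None", py_text)
    return eval(py_text)  # attacker-controlled text interpreted as code


# Field names the backend should ever see: plain identifiers, bounded length.
SAFE_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")


def json_to_object_safe(text, max_depth=8):
    """Hardened flow: a real JSON parser yields data only, then every field name
    is checked against an identifier whitelist before it can reach any code that
    maps names to backend objects."""
    obj = json.loads(text)

    def check(node, depth):
        if depth > max_depth:
            raise ValueError("nesting too deep")
        if isinstance(node, dict):
            for key, value in node.items():
                if not SAFE_NAME.fullmatch(key):
                    raise ValueError("illegal field name: %r" % key)
                check(value, depth + 1)
        elif isinstance(node, list):
            for value in node:
                check(value, depth + 1)

    check(obj, 0)
    return obj


BENIGN = '{"username": "alice", "enabled": true, "groups": ["staff", null]}'
# Constructed: not JSON at all, but a valid Python expression whose dict key
# calls a function while the "parser" evaluates it.
INJECTED = '{"user" + str(SIDE_EFFECTS.append("injected expression ran")): "x"}'
# Constructed: well-formed JSON whose field name carries shell/Perl metacharacters.
BAD_NAME = '{"__discriminator; `id`": 1}'


def run_demo():
    """Feed the three inputs through both paths and return what happened."""
    SIDE_EFFECTS.clear()
    unsafe_benign = json_to_object_via_eval(BENIGN)
    unsafe_injected = json_to_object_via_eval(INJECTED)  # runs the embedded call
    outcomes = {}
    for label, text in (("benign", BENIGN), ("injected", INJECTED), ("bad_name", BAD_NAME)):
        try:
            json_to_object_safe(text)
            outcomes[label] = "accepted"
        except ValueError as exc:  # JSONDecodeError is a ValueError subclass
            outcomes[label] = "rejected: " + exc.__class__.__name__
    return {
        "unsafe_benign": unsafe_benign,
        "unsafe_injected_keys": sorted(unsafe_injected),
        "evidence": list(SIDE_EFFECTS),
        "safe": outcomes,
    }


if __name__ == "__main__":
    print(run_demo())
```

The eval path happily returns a dict for the injected input, but only after executing the expression hidden in its key; the safe path rejects the same input at the parser and rejects the well-formed but hostile field name at the whitelist, which is the check the vulnerable flow lacked.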
## Exploitation
- Status: Sophos's advisory reported observing this vulnerability used in targeted attacks against a small number of organizations, primarily in South Asia. The report also notes its similarity to CVE-2022-1040, an earlier Sophos Firewall flaw that was likewise exploited in the wild.
- Complexity: Low (remote and unauthenticated; a single crafted request to the User Portal or Web Admin Console suffices).
- Attack Vector: Network
## Impact
- Confidentiality: High (Achieving root privileges allows access to sensitive system information).
- Integrity: High (Root access allows arbitrary modification of system state and configuration).
- Availability: High (Root access allows system denial of service or complete control over the appliance).
## Remediation
### Patches
- Sophos shipped hotfixes for the supported affected versions and folded the fix into subsequent releases (v19.5 GA and later); refer to advisory SA-20220923 for the exact list. Users on v19.0 MR1 (19.0.1) or older should confirm the hotfix is installed (automatic hotfix installation must be enabled for it to arrive) or upgrade to a fixed release.
### Workarounds
- Do not expose the User Portal (TCP 443) or the Web Admin Console (TCP 4444) to the WAN; disable WAN access to both following Sophos's device access best practices and administer the appliance over VPN or through Sophos Central instead.
## Detection
- Indicators of compromise include unexpected outbound connections originating from the firewall appliance, and shells or other unexpected child processes spawned by the backend service that runs the Perl validation or by the web server components (Jetty/Apache).
- Network-side detection should inspect POST bodies sent to the Controller endpoint on ports 443 and 4444 for `json` parameters whose field names or `__discriminator` values are not plain identifiers, or that are not valid JSON at all. Note that standard Apache access logs do not record POST bodies, so this needs a WAF, an inspecting proxy or full packet capture in front of the appliance.
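As an added example for the detection point above (not from the report or the vendor), here is a Python body-inspection check of the kind that could run in a WAF, an inspecting proxy or a packet-capture replay script. It decodes the form body of a Controller POST, parses the `json` parameter and flags field names or `__discriminator` values that are not plain identifiers, excessive nesting, and bodies that are not valid JSON at all. The servlet paths, the `mode` parameter name and the sample requests are assumptions constructed for the example.

```python
import json
import re
from urllib.parse import parse_qs, urlencode

# Assumed servlet paths for the Controller endpoint (not taken from the report).
CONTROLLER_PATHS = ("/webconsole/Controller", "/userportal/Controller")
# Field names and discriminator values the backend should accept: plain identifiers.
SAFE_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")
MAX_DEPTH = 8


def _walk(node, where, depth, findings):
    """Recursively check one JSON node, appending human-readable findings."""
    if depth > MAX_DEPTH:
        findings.append("%s: nesting deeper than %d" % (where, MAX_DEPTH))
        return
    if isinstance(node, dict):
        for key, value in node.items():
            here = "%s.%s" % (where, key)
            if not SAFE_NAME.fullmatch(key):
                findings.append("%s: field name is not a plain identifier" % here)
            if key == "__discriminator" and not (
                isinstance(value, str) and SAFE_NAME.fullmatch(value)
            ):
                findings.append("%s: discriminator value is not a plain identifier" % here)
            _walk(value, here, depth + 1, findings)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            _walk(value, "%s[%d]" % (where, index), depth + 1, findings)


def inspect_request(path, body):
    """Return findings for one POST; an empty list means nothing suspicious."""
    if path not in CONTROLLER_PATHS:
        return []
    params = parse_qs(body, keep_blank_values=True)
    findings = []
    for raw in params.get("json", []):
        try:
            doc = json.loads(raw)
        except ValueError:
            # Malformed JSON still reaches the backend validator verbatim, so it
            # deserves a look rather than being silently dropped.
            findings.append("json: parameter is not valid JSON")
            continue
        _walk(doc, "json", 0, findings)
    return findings


def _body(json_text, mode="0"):
    """Build a form-encoded body the way a browser or exploit client would."""
    return urlencode({"mode": mode, "json": json_text})


# Constructed sample traffic: (label, path, body).
SAMPLE_REQUESTS = [
    ("benign", "/userportal/Controller",
     _body('{"username": "alice", "__discriminator": "LoginForm"}')),
    ("bad_discriminator", "/userportal/Controller",
     _body('{"__discriminator": "Foo; `id`"}')),
    ("bad_field_name", "/webconsole/Controller",
     _body('{"name; `id`": 1}')),
    ("not_json", "/webconsole/Controller", _body('{"json": ')),
    ("too_deep", "/webconsole/Controller",
     _body('{"a":' * 10 + "1" + "}" * 10)),
    ("other_path", "/login.jsp", _body('{"name; `id`": 1}')),
]


def scan_samples():
    """Run every sample through the check; returns {label: [findings]}."""
    return {label: inspect_request(path, body) for label, path, body in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for label, findings in scan_samples().items():
        print(label, findings or "clean")
```

The identifier whitelist is deliberately strict: legitimate Controller requests name fields with ordinary identifiers, so anything containing quotes, semicolons, backticks, parentheses or `$` is worth an alert even before you know which specific characters the Perl `eval()` path would turn into code.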
## References
- Vendor Advisory: hxxps://www.sophos.com/en-us/security-advisories/sophos-sa-20220923-sfos-rce
- ZDI Report: hxxps://www.zerodayinitiative.com/blog/2022/10/19/cve-2022-3236-sophos-firewall-user-portal-and-web-admin-code-injection