Full Report
Sophos has released hotfixes to address three security flaws in Sophos Firewall products that could be exploited to achieve remote code execution and allow privileged system access under certain conditions. Of the three, two are rated Critical in severity. There is currently no evidence that the shortcomings have been exploited in the wild. The three vulnerabilities are detailed in the analysis below.
Analysis Summary
# Vulnerability: Critical and High Flaws in Sophos Firewall Allowing RCE and Privileged Access
## CVE Details
- CVE ID: CVE-2024-12727, CVE-2024-12728, CVE-2024-12729
- CVSS Score: 9.8 (Critical) for CVE-2024-12727 and CVE-2024-12728; 8.8 (High) for CVE-2024-12729
- CWE: SQL Injection (Implied for CVE-2024-12727)
## Affected Systems
- **Products:** Sophos Firewall
- **Versions:** Sophos Firewall versions 21.0 GA (21.0.0) and older.
- **Configurations:**
  - **CVE-2024-12727:** Requires Secure PDF eXchange (SPX) to be enabled and the firewall running in High Availability (HA) mode. Affects ~0.05% of devices.
  - **CVE-2024-12728:** Requires SSH to be enabled, exploiting a weak hardcoded SSH passphrase used during HA cluster initialization. Affects ~0.5% of devices.
## Vulnerability Description
Sophos addressed three security flaws (two Critical, one High) allowing remote code execution (RCE) and privileged access:
1. **CVE-2024-12727 (Critical, CVSS 9.8):** A pre-authentication SQL injection vulnerability within the email protection feature that could lead to RCE under specific HA and SPX configurations.
2. **CVE-2024-12728 (Critical, CVSS 9.8):** A weak credentials issue arising from a potentially static/non-random default SSH login passphrase used for HA cluster initialization, which remains present after establishment, granting privileged access if SSH is enabled.
3. **CVE-2024-12729 (High, CVSS 8.8):** A post-authentication code injection vulnerability present in the User Portal, allowing authenticated attackers to achieve RCE.
## Exploitation
- **Status:** No evidence these flaws have been exploited in the wild.
- **Complexity:** Varies per CVE. CVE-2024-12727 is pre-authentication and therefore presents the lowest barrier for external initial access; CVE-2024-12729 requires valid User Portal credentials first.
- **Attack Vector:** Network for the RCE/SQL-injection flaws; the privileged-access path (post-authentication, or via exposed SSH for CVE-2024-12728) may also be reachable from local or adjacent networks.
## Impact
- **Confidentiality:** High (Potential for full system compromise via RCE).
- **Integrity:** High (Potential for system modification or control via RCE/Privileged Access).
- **Availability:** High (Potential for denial of service or system takeover).
## Remediation
### Patches
Users must update to the following fixed minor releases or apply specific hotfixes:
* **CVE-2024-12727:** Fixed in v21 MR1 and newer. Hotfixes are available for v21 GA, v20 GA & MRs (MR1, MR2, MR3), and v19.5 MRs (MR3, MR4), and v19.0 MR2.
* **CVE-2024-12728:** Fixed in v20 MR3, v21 MR1, and newer. Hotfixes are available for a broad range of v21 GA, v20 GA & MRs (MR1, MR2), v19.5 GA & MRs (MR1-MR4), and v19.0 MR2.
* **CVE-2024-12729:** Fixed in v21 MR1 and newer. Hotfixes are available for v21 GA, v20 GA & MRs (MR1, MR2), v19.5 GA & MRs (MR1-MR4), v19.0 MR2, and v19.0 MR3.
### Workarounds
No specific workarounds were detailed in the summary, but immediate action is recommended given the Critical ratings. For CVE-2024-12727, disabling SPX or HA mode (the two preconditions for the flaw) might reduce exposure temporarily, though updating is still necessary. For CVE-2024-12728, disabling SSH access is a potential mitigation if patching is delayed.
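The Affected Systems, Patches and Workarounds sections together define a triage rule: which CVEs a given firewall is still exposed to depends on its release/MR and on whether SPX, HA and SSH are enabled. The script below encodes those rules as an added example (it is not Sophos tooling). It assumes SFOS version strings of the form `21.0.0 GA` or `19.5.4 MR-4`, where the MR number rather than the patch digit decides fix status, and its fixed-release and hotfix-eligibility tables are transcribed from the text above.

```python
"""Exposure triage for CVE-2024-12727/12728/12729 on a Sophos Firewall.

Added example, not Sophos code. Tables are transcribed from the advisory summary:
FIXED_FROM = first MR on a train that contains the fix (newer majors are fixed),
HOTFIX_AVAILABLE = releases for which a hotfix exists (GA counted as MR 0).
"""
import re

# Assumed version format: "21.0.0 GA", "19.5.4 MR-4", "20.0 MR3", optional leading "v".
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?\s*(?:MR-?(\d+)|GA)?$", re.IGNORECASE)


def parse_version(text):
    """Return (major, minor, mr); GA or no suffix is treated as MR 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised SFOS version string: {text!r}")
    major, minor, _patch, mr = m.groups()
    return int(major), int(minor), int(mr or 0)


def _mrs(major, minor, *mrs):
    return {(major, minor, mr) for mr in mrs}


FIXED_FROM = {
    "CVE-2024-12727": [(21, 0, 1)],              # v21 MR1 and newer
    "CVE-2024-12728": [(20, 0, 3), (21, 0, 1)],  # v20 MR3, v21 MR1 and newer
    "CVE-2024-12729": [(21, 0, 1)],              # v21 MR1 and newer
}

HOTFIX_AVAILABLE = {
    "CVE-2024-12727": _mrs(21, 0, 0) | _mrs(20, 0, 0, 1, 2, 3) | _mrs(19, 5, 3, 4) | _mrs(19, 0, 2),
    "CVE-2024-12728": _mrs(21, 0, 0) | _mrs(20, 0, 0, 1, 2) | _mrs(19, 5, 0, 1, 2, 3, 4) | _mrs(19, 0, 2),
    "CVE-2024-12729": _mrs(21, 0, 0) | _mrs(20, 0, 0, 1, 2) | _mrs(19, 5, 0, 1, 2, 3, 4) | _mrs(19, 0, 2, 3),
}


def is_fixed(cve, version):
    """True if the release already contains the fix (no hotfix needed)."""
    major, minor, mr = version
    if major > max(fm for fm, _, _ in FIXED_FROM[cve]):
        return True
    return any(
        major == fm and (minor > fn or (minor == fn and mr >= fmr))
        for fm, fn, fmr in FIXED_FROM[cve]
    )


def patch_status(cve, version):
    """'fixed', 'hotfix-available', or 'upgrade-required' for one CVE."""
    if is_fixed(cve, version):
        return "fixed"
    if version in HOTFIX_AVAILABLE[cve]:
        return "hotfix-available"
    return "upgrade-required"


def assess(version_text, spx_enabled, ha_mode, ssh_enabled):
    """Per-CVE {'status', 'reachable', 'mitigation'} for one firewall's config."""
    version = parse_version(version_text)
    reachable = {
        "CVE-2024-12727": spx_enabled and ha_mode,  # pre-auth SQLi needs SPX *and* HA
        "CVE-2024-12728": ssh_enabled,              # hard-coded HA passphrase needs SSH reachable
        "CVE-2024-12729": True,                     # post-auth User Portal flaw; no config prerequisite listed
    }
    mitigation = {
        "CVE-2024-12727": "disable SPX or HA until patched",
        "CVE-2024-12728": "disable SSH until patched",
        "CVE-2024-12729": "no workaround listed; apply hotfix or upgrade",
    }
    report = {}
    for cve in FIXED_FROM:
        status = patch_status(cve, version)
        report[cve] = {
            "status": status,
            "reachable": status != "fixed" and reachable[cve],
            "mitigation": None if status == "fixed" else mitigation[cve],
        }
    return report


if __name__ == "__main__":
    # Constructed inventory entry: a v21 GA unit in HA mode with SSH on but SPX off.
    for cve, r in assess("21.0.0 GA", spx_enabled=False, ha_mode=True, ssh_enabled=True).items():
        print(cve, r)
```

Run against an inventory export, the `reachable` flag separates units that need an emergency change window from those that can wait for the next maintenance window, while `status` tells you whether a hotfix suffices or a release upgrade is required.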
## Detection
- **Indicators of Compromise:** No specific indicators are listed in this summary. Because the flaws allow RCE, monitoring for unexpected outbound connections, process creation, or configuration changes on the firewall's operating system is critical.
- **Detection Methods and Tools:** Sophos advises checking the advisory for how to confirm hotfix application status. General firewall log review for suspicious input to the email protection feature (CVE-2024-12727) and for unauthorized SSH login attempts (CVE-2024-12728) should be used.
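The SSH-login review suggested for CVE-2024-12728 can be scripted. The following added example (not Sophos tooling) scans OpenSSH-style authentication lines, which is an assumption about the log format, so adapt the regex to the firewall's syslog export. It flags any accepted login from a source outside an allow-list of management and HA-peer addresses, and any source exceeding a failed-login threshold; the sample log lines are constructed with documentation-range addresses.

```python
"""SSH login triage for the exposure described under CVE-2024-12728.

Added example, not Sophos code. Assumes OpenSSH-style sshd log lines.
"""
import re
from collections import Counter

# Matches e.g. "sshd[812]: Accepted password for admin from 10.0.0.6 port 40112 ssh2"
_SSH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)


def parse_ssh_line(line):
    """Return dict(result, method, user, src) or None for non-auth lines."""
    m = _SSH_RE.search(line)
    return m.groupdict() if m else None


def triage_ssh_logins(lines, allowed_sources, fail_threshold=5):
    """Return a list of findings as (kind, subject, detail) tuples.

    kind is 'login-from-unexpected-source' (subject=user, detail=source IP) or
    'ssh-bruteforce-pattern' (subject=source IP, detail=failure count).
    """
    findings = []
    failures = Counter()
    for line in lines:
        ev = parse_ssh_line(line)
        if ev is None:
            continue
        if ev["result"] == "Accepted" and ev["src"] not in allowed_sources:
            findings.append(("login-from-unexpected-source", ev["user"], ev["src"]))
        elif ev["result"] == "Failed":
            failures[ev["src"]] += 1
    for src, count in failures.items():
        if count >= fail_threshold:
            findings.append(("ssh-bruteforce-pattern", src, count))
    return findings


# Constructed sample log: one HA peer login, one login from an unknown host, a burst of failures.
SAMPLE_LOG = [
    "Dec 20 01:02:03 fw1 sshd[812]: Accepted password for admin from 10.0.0.6 port 40112 ssh2",
    "Dec 20 01:05:44 fw1 sshd[815]: Accepted password for admin from 198.51.100.7 port 51234 ssh2",
    "Dec 20 01:07:01 fw1 sshd[820]: Failed password for invalid user test from 203.0.113.9 port 4022 ssh2",
    "Dec 20 01:07:02 fw1 sshd[821]: Failed password for invalid user test from 203.0.113.9 port 4023 ssh2",
    "Dec 20 01:07:03 fw1 sshd[822]: Failed password for admin from 203.0.113.9 port 4024 ssh2",
    "Dec 20 01:07:04 fw1 sshd[823]: Failed password for admin from 203.0.113.9 port 4025 ssh2",
    "Dec 20 01:07:05 fw1 sshd[824]: Failed password for admin from 203.0.113.9 port 4026 ssh2",
    "Dec 20 01:08:00 fw1 cron[900]: unrelated line that must be ignored",
]

# Allowed management / HA-peer sources (constructed).
ALLOWED = {"10.0.0.5", "10.0.0.6"}

if __name__ == "__main__":
    for finding in triage_ssh_logins(SAMPLE_LOG, ALLOWED):
        print(*finding)
```

The allow-list is the key control here: on a correctly segmented network the HA peer and the management jump host are the only legitimate SSH sources, so any accepted login from elsewhere is worth an incident ticket regardless of which account it used.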
## References
- Vendor Advisory: https://www.sophos.com/en-us/security-advisories/sophos-sa-20241219-sfos-rce
- Related KB Article: https://support.sophos.com/support/s/article/KBA-000010084?language=en_US