Sophos fixes critical flaws in its Sophos Firewall product
Take action: Two of these flaws are critical but exploitable only under specific High Availability (HA) configurations; the third requires an authenticated User Portal account. Read the advisory and the Sophos notes, and if you are affected act IMMEDIATELY. Otherwise, keep up with your regular patch process, and make sure User Portal, Webadmin and SSH access are available only from trusted networks.
Learn More
Sophos has patched three vulnerabilities in its Sophos Firewall product. Two of them can be exploited by remote, unauthenticated attackers to compromise the device; the third requires an authenticated User Portal user.
- CVE-2024-12727 (CVSS score 9.8) is a pre-authentication SQL injection flaw in the email protection feature that can lead to remote code execution. Exploitation requires a specific configuration: Secure PDF eXchange (SPX) enabled on a firewall running in High Availability (HA) mode. While severe, Sophos estimates it affects only about 0.05% of deployed devices.
- CVE-2024-12728 (CVSS score 9.8) is a weak-credential flaw in SSH access. The passphrase the system suggests for High Availability cluster initialization remained active after HA setup completed, potentially exposing a privileged system account on devices where SSH is enabled. Sophos estimates it affects approximately 0.5% of devices; it was found during Sophos' internal security testing.
- CVE-2024-12729 (CVSS score 8.8, rated high severity) is a post-authentication code injection vulnerability in the User Portal that allows an authenticated user to achieve remote code execution.
Sophos has released hotfixes across multiple versions between November 26 and December 17, 2024. Permanent fixes are included in newer releases (v21 MR1 and later).
For systems with "Allow automatic installation of hotfixes" enabled (the default setting), no manual action is required.
For organizations unable to immediately apply patches, Sophos has provided workarounds:
- For CVE-2024-12728: Restrict SSH access to the dedicated HA link and reconfigure HA using custom random passphrases
- For CVE-2024-12729: Ensure User Portal and Webadmin interfaces are not exposed to WAN
- For both, Sophos recommends using VPN and/or Sophos Central for remote management instead of direct WAN access
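A quick check for the exposure point made above, and for the CVE-2024-12728 and CVE-2024-12729 workarounds, as an added example that is not code from Sophos or its advisory. Run it from a network the firewall should not trust (a phone hotspot, for instance) against the firewall's WAN address: any admin service that completes a TCP handshake is a finding. It assumes the factory-default listener ports for SSH (22), the User Portal (443) and Webadmin (4444); the function names and the passphrase generator are the example's own, and the generated passphrase is only a suggested input for reconfiguring HA with a custom random passphrase.

```python
"""Exposure check for Sophos Firewall admin services, plus a random HA passphrase.

Added example (not Sophos code). Run it from an UNTRUSTED network against the
firewall's WAN address. Assumes the factory-default ports (SSH 22, User Portal
443, Webadmin 4444); edit ADMIN_SERVICES if your deployment moved them.
"""
import secrets
import socket
import sys

# Assumed default listener ports; adjust to match the firewall's configuration.
ADMIN_SERVICES = {
    22: "SSH",
    443: "User Portal",
    4444: "Webadmin",
}


def probe_port(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes from this vantage point."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout), unreachable, DNS failure
        return False


def scan_admin_ports(host, services=ADMIN_SERVICES, timeout=3.0):
    """Probe every admin service port; returns {port: reachable}."""
    return {port: probe_port(host, port, timeout) for port in services}


def evaluate_exposure(results, services=ADMIN_SERVICES):
    """Turn {port: reachable} into a list of findings.

    Because the probe runs from a network the firewall should not trust, any
    admin service that answers is a finding: User Portal and Webadmin should be
    reachable only over VPN or from the trusted LAN, and SSH only on the
    dedicated HA link.
    """
    findings = []
    for port, reachable in sorted(results.items()):
        if reachable:
            name = services.get(port, "unknown service")
            findings.append(f"{name} (tcp/{port}) reachable from an untrusted network")
    return findings


def new_ha_passphrase(nbytes=24):
    """Custom random passphrase for re-establishing HA (CVE-2024-12728 workaround).

    Drawn from the OS CSPRNG via `secrets`; do not keep the system-suggested one.
    """
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} <firewall WAN IP or hostname>")
    findings = evaluate_exposure(scan_admin_ports(sys.argv[1]))
    if findings:
        print("FAIL: admin services exposed to this network")
        for finding in findings:
            print("  -", finding)
    else:
        print("OK: no admin service answered from this network")
    print("Fresh random passphrase to use when reconfiguring HA:", new_ha_passphrase())
```

A closed port and a filtered one both come back as "not reachable", which is what matters here; if you want to distinguish them, lower the timeout and log the exception type in `probe_port`.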