In March 2022, Sophos fixed a critical vulnerability in its Sophos Firewall products. The vulnerability is tracked as CVE-2022-1040 and allows for remote code execution (RCE). CVE-2022-1040 is an authentication bypass vulnerability located in the User Portal and Webadmin areas of Sophos Firewall.
The vulnerability has a CVSS rating of 9.8 and is critical in severity. Although the flaw was patched in March by Sophos, Shadow Server, a resource for internet security reporting, observed an uptick of scans testing for the vulnerability. According to Shadow Server, a proof of concept (POC) was published on May 9, 2022 and is currently being used.
Sophos stated that there is no action required for customers with the “Allow automatic installation of hotfixes” feature enabled because “enabled” is the default setting. However, if this feature is not enabled, organizations need to manually patch. So far, the vulnerability has been used to target organizations in the South Asia region, but any organization who has older versions or end-of-life products may need to update manually.
Sophos further stated that customers who need a workaround for CVE-2022-1040 should secure their User Portal Webadmin interfaces – making sure they are not exposed to WAN. Follow the device access best practices to disable WAN access to the User Portal and Webadmin.
Expanding endpoints, cloud security computing environments, and accelerated digital transformation have decimated the perimeter in an ever-expanding attack surface. Avertium’s offers Attack Surface Management, so you’ll have no more blind spots, weak links, or fire drills.
To identify the source of your breach and the scope that it reached; you’ll want to include Avertium’s DFIR services in your protection plan. We offer DFIR (Digital Forensics and Incident Response) to mitigate damage from a successful breach.
Implement XDR as a prevention method. Our XDR is a combination of monitoring software like LogRhythm, Microsoft Azure Sentinel, or AlienVault, combined with endpoint protection such as SentinelOne. XDR platforms enable cybersecurity through a technology focus by collecting, correlating, and analyzing event data from any source on the network. This includes endpoints, applications, network devices, and user interactions.
For remediation, please see the following hotfixes published by Sophos:
At this time, there are no known IoCs associated with CVE-2022-1040. Avertium’s threat hunters remain vigilant in locating IoCs for our customers. Should any be located, Avertium will disclose them as soon as possible. For more information on how Avertium can help protect your organization, reach out to your Avertium Service Delivery Manager or Account Executive.
Resolved RCE in Sophos Firewall (CVE-2022-1040) | Sophos
Patch Released For Sophos Firewall RCE Vulnerability (CVE-2022-1040) - Blumira
Critical Sophos Firewall vulnerability allows remote code execution (bleepingcomputer.com)
Device access - Sophos Firewall
GitHub - killvxk/CVE-2022-1040: may the poc with you
CVE - CVE-2022-1040 (mitre.org)
Related Reading: What is Mobile App Testing?
Contact us for more information about Avertium’s managed security service capabilities.