Pierluigi Paganini December 13, 2023

Sophos backports the patch for CVE-2022-3236 for end-of-life (EOL) firewall firmware versions due to ongoing attacks exploiting the issue.

Sophos backports the fix for the critical code injection vulnerability CVE-2022-3236 for end-of-life (EOL) firewall firmware versions after discovering that threat actors are actively exploiting the flaw in attacks in the wild.

The security firm reported that this vulnerability is being used in attacks against a small set of specific organizations, primarily in South Asia. 

In December 2022, Sophos released security patches to address seven vulnerabilities in Sophos Firewall version 19.5, including some arbitrary code execution bugs. The most severe issue addressed by the security vendor is the flaw CVE-2022-3236.

“A code injection vulnerability allowing remote code execution was discovered in the User Portal and Webadmin.” reads the advisory.

In September Sophos warned of this critical code injection security vulnerability (CVE-2022-3236) affecting its Firewall product which was being exploited in the wild. Sophos confirmed that this vulnerability was being used to target a small set of specific organizations, primarily in the South Asia region.

“The vulnerability was originally fixed in September 2022. In December 2023, we delivered an updated fix after identifying new exploit attempts against this same vulnerability in older, unsupported versions of the Sophos Firewall.” reads the update provided by the vendor.

No action is required if organizations have upgraded their firewalls to a supported firmware version after September 2022.

All the vulnerable devices are running end-of-life (EOL) firmware. We immediately developed a patch for certain EOL firmware versions, which was automatically applied to the 99% of affected organizations that have “accept hotfix” turned on.

Attackers commonly hunt for EOL devices and firmware from any technology vendor, so we strongly recommend that organizations upgrade their EOL devices and firmware to the latest versions.”

In January 2023, researchers from cyber security firm VulnCheck scanned internet-facing Sophos Firewalls and found more than 4,000 firewalls that were too old to receive a hotfix.

Below is the list of remediation included in the advisory:

• Ensure you are running a supported version
• Hotfixes for the following versions published on September 21, 2022:
  • v19.0 GA, MR1, and MR1-1
  • v18.5 GA, MR1, MR1-1, MR2, MR3, and MR4
• Hotfixes for the following versions published on September 23, 2022:
  • v18.0 MR3, MR4, MR5, and MR6
  • v17.5 MR12, MR13, MR14, MR15, MR16, and MR17
  • v17.0 MR10
• Hotfixes for the following versions published on December 6, 2023:
  • v19.0 GA, MR1, and MR1-1
• Hotfixes for the following versions published on December 8, 2023:
  • v18.5 GA, MR1, MR1-1, MR2, MR3, and MR4
• Hotfixes for the following versions published on December 11, 2023:
  • v17.0 MR10
• Fix included in v18.5 MR5 (18.5.5), v19.0 MR2 (19.0.2), v19.5 GA and above
• Users of older versions of Sophos Firewall are required to upgrade to receive the latest protections, and this fix

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, command injection)