More than 4,400 internet-exposed servers are running versions of the Sophos Firewall that are vulnerable to a critical exploit that could allow hackers to execute malicious code, a researcher warned.
CVE-2022-3236 is a code injection vulnerability that could allow remote code execution in the user portal and web admin of Sophos Firewalls. It has a severity score of 9.8 out of 10. When Sophos disclosed the vulnerability last September, the company warned that it had been exploited in the wild as a zero-day. The security company urged customers to install a hotfix and later a full patch to prevent infection.
According to recently published research, more than 4,400 servers running the Sophos firewall remain vulnerable. That accounts for about 6 percent of all Sophos firewalls, security firm VulnCheck said, citing numbers from a search on Shodan.
“More than 99% of internet-facing Sophos firewalls have not been upgraded to versions with the official fix for CVE-2022-3236,” wrote VulnCheck researcher Jacob Baines. “However, about 93% are running hotfix eligible versions, and the firewall’s default behavior is to automatically download and apply hotfixes (unless disabled by an administrator). It is likely that almost all servers eligible for a hotfix have received one, although errors can occur. That still leaves over 4,000 firewalls (or about 6% of Internet-facing Sophos Firewalls) running versions that have not received a hotfix and are therefore vulnerable.”
The researcher said he was able to create a working exploit for the vulnerability based on technical descriptions in this advisory from the Zero Day Initiative. The study’s implicit warning: If exploit code becomes public, there is no shortage of servers that can be infected.
Baines urged users of the Sophos firewall to make sure they’re patched. He also advised users of vulnerable servers to check for two indicators of potential compromise. The first is the log file located at: /logs/csc.log, and the second is /log/validationError.log. When either contains the_discriminator field in a login request, there was likely an attempt, successful or otherwise, to exploit the vulnerability, he said.
The silver lining in the research is that mass exploitation is not likely due to a CAPTCHA that must be completed during authentication by web clients.
“The vulnerable code is not reached until the CAPTCHA is validated,” Baines wrote. “A failed CAPTCHA will cause the exploit to fail. While not impossible, solving CAPTCHAs programmatically is a major hurdle for most attackers. Most internet-facing Sophos firewalls appear to have the CAPTCHA login enabled, which means that even at the most opportune times, this vulnerability probably would not have been successfully exploited on a large scale.”