Overview
Sophos Firewall versions 18.5 MR3 and older contain a critical authentication bypass vulnerability in the User Portal and Webadmin interfaces. This vulnerability allows remote attackers to bypass authentication controls and potentially execute arbitrary code without requiring valid credentials. The vulnerability was disclosed on March 25, 2022. CISA has identified CVE-2022-1040 as exploited, but it is not currently known to be used in ransomware campaigns.
Technical details
Sophos Firewall contains insufficient authentication checks in both the User Portal and Webadmin components. These weaknesses allow unauthenticated remote attackers to access protected functionality without providing valid credentials. The vulnerability can be exploited to bypass authentication mechanisms entirely, potentially leading to code execution and full system compromise.
The vulnerability is classified as CWE-287 (Improper Authentication) and CWE-306 (Missing Authentication for Critical Function).
The vulnerability was assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating its critical severity.
Impact
An unauthenticated remote attacker can completely bypass authentication on the Sophos Firewall, potentially gaining administrative access to sensitive firewall management interfaces. This could lead to arbitrary code execution, unauthorized access to network traffic, modification of firewall rules, theft of sensitive data, lateral movement into the protected network, and complete compromise of the firewall's security posture.
Mitigation and workarounds
Upgrade Sophos Firewall to version 18.5 MR4 or later. For customers unable to upgrade immediately, Sophos strongly recommends implementing network-level access controls that restrict access to the User Portal and Webadmin interfaces to trusted networks only. The following versions include the necessary fixes: Sophos Firewall 18.5 MR4, Sophos Firewall 19.0.
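To help decide which appliances in a fleet still need the upgrade, the following added example (not Sophos's code, nor part of this advisory) parses Sophos Firewall version strings and classifies them against the affected range stated above (18.5 MR3 and older affected, 18.5 MR4 the first fixed release). The version-string format, the hostnames and the inventory are assumptions constructed for illustration.

```python
import re
from typing import Dict, Tuple

# Assumed version-string format: "<major>.<minor>[ GA | MRn]", e.g. "18.5 MR3".
# "GA" or a missing MR suffix is treated as maintenance release 0.
VERSION_RE = re.compile(
    r"^\s*v?(\d+)\.(\d+)(?:\s*(?:GA|MR\s*-?\s*(\d+)))?\s*$", re.IGNORECASE
)

# Per the advisory: 18.5 MR3 and older are affected; 18.5 MR4 is the first fixed release.
FIRST_FIXED: Tuple[int, int, int] = (18, 5, 4)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn a Sophos Firewall version string into a comparable (major, minor, mr) tuple."""
    match = VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised Sophos Firewall version string: {text!r}")
    major, minor, mr = match.groups()
    return int(major), int(minor), (int(mr) if mr is not None else 0)


def is_affected(version: str) -> bool:
    """True when the version is older than the first fixed release (18.5 MR4)."""
    return parse_version(version) < FIRST_FIXED


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Classify each appliance as 'affected', 'fixed' or 'unknown' (unparseable version)."""
    result: Dict[str, str] = {}
    for host, version in inventory.items():
        try:
            result[host] = "affected" if is_affected(version) else "fixed"
        except ValueError:
            result[host] = "unknown"
    return result


# Constructed sample inventory; hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = {
    "fw-branch-01": "18.5 MR3",
    "fw-branch-02": "18.0 MR5",
    "fw-hq-01": "18.5 MR4",
    "fw-hq-02": "v19.0",
    "fw-lab-01": "unknown-build",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Appliances reported as "unknown" should be checked by hand rather than assumed fixed.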
As temporary workarounds: (1) restrict network access to the Sophos Firewall User Portal (typically port 4444) and Webadmin interface (typically port 4443) using firewall rules, network segmentation, or access control lists, and only allow connections from trusted administrative networks or VPN connections; (2) deploy the firewall behind an additional network access layer or reverse proxy that enforces authentication before traffic reaches the Sophos Firewall interfaces; and (3) disable the User Portal and Webadmin interfaces if they are not actively required, managing the firewall through alternative methods (e.g., the CLI) until patching is complete.
CISA recommendation: Apply updates per vendor instructions.
Additional resources
Source: This report was generated by AI.

