Resolved RCE in Sophos Firewall (CVE-2022-1040)

An authentication bypass vulnerability (CVE-2022-1040) allowing remote code execution was discovered in the User Portal and Webadmin of Sophos Firewall. The vulnerability has been fixed, and the hotfix is delivered through the “Allow automatic installation of hotfixes” feature, which is enabled by default.

What’s the impact of this announcement?

Critical

Product(s) affected:

Sophos Firewall v18.5 MR3 (18.5.3) and older

What actions do I need to take?

There is no action required for Sophos Firewall customers with the “Allow automatic installation of hotfixes” feature enabled. Enabled is the default setting.
As a general workaround against the vulnerability, Sophos advises customers to secure their User Portal and Webadmin interfaces:

Customers can protect themselves from external attackers by ensuring their User Portal and Webadmin are not exposed to WAN. Disable WAN access to the User Portal and Webadmin by following device access best practices and instead use VPN and/or Sophos Central for remote access and management.
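To verify that the workaround above actually took effect, a practitioner would want to confirm from the WAN side that neither interface still answers. The following self-check is an added example, not code from Sophos or from the advisory. It assumes the Sophos Firewall default ports of TCP 4444 for Webadmin and TCP 443 for the User Portal (adjust `MANAGEMENT_PORTS` if your device uses others), and it is meant to be run against your own firewall's public address from a host outside the network. The `probe` parameter is injectable so the reporting logic can be exercised without a live device.

```python
"""
Added example (not part of the Sophos advisory): report whether a Sophos
Firewall's Webadmin and User Portal still accept TCP connections on its WAN
address. Port numbers below are assumed defaults, not values from the advisory.
"""
import socket
import sys
from typing import Callable, Dict, Tuple

# Assumed default listening ports for the two interfaces the advisory says
# should not be exposed to WAN. Change these to match your configuration.
MANAGEMENT_PORTS: Dict[str, int] = {
    "Webadmin": 4444,
    "User Portal": 443,
}


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, filtered/timed out, unroutable: all count as "not reachable".
        return False


def check_wan_exposure(
    wan_host: str,
    ports: Dict[str, int] = MANAGEMENT_PORTS,
    probe: Callable[[str, int], bool] = tcp_reachable,
) -> Dict[str, bool]:
    """Map each management interface name to whether it accepted a connection
    on wan_host. Run from outside the network so the answer reflects what the
    internet sees, not what an internal host sees."""
    return {name: probe(wan_host, port) for name, port in ports.items()}


def exposure_report(results: Dict[str, bool]) -> Tuple[bool, str]:
    """Return (all_hidden, report_text). all_hidden is True only when no
    management interface answered on the WAN address."""
    lines = []
    for name, reachable in results.items():
        if reachable:
            status = "EXPOSED to WAN - disable WAN access in device access settings"
        else:
            status = "not reachable from WAN (expected)"
        lines.append(f"{name}: {status}")
    return (not any(results.values()), "\n".join(lines))


if __name__ == "__main__":
    # Placeholder WAN address from the TEST-NET-3 documentation range;
    # pass your firewall's real public address as the first argument.
    host = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.10"
    all_hidden, text = exposure_report(check_wan_exposure(host))
    print(text)
    sys.exit(0 if all_hidden else 1)
```

A non-zero exit status means at least one interface answered and the device access settings should be revisited; a clean result here does not replace confirming the hotfix itself, which the KB article linked below covers.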

To confirm that the hotfix has been applied to the firewall, please refer to: https://support.sophos.com/support/s/article/KB-000043853?language=en_US