Security software company Sophos has warned of cyberattacks targeting a recently addressed critical vulnerability in its firewall product.
The issue, tracked as CVE-2022-3236[1] (CVSS score: 9.8), impacts Sophos Firewall v19.0 MR1 (19.0.1) and older and concerns a code injection vulnerability in the User Portal and Webadmin components that could result in remote code execution.
The company said[2] it “has observed this vulnerability being used to target a small set of specific organizations, primarily in the South Asia region,” adding it directly notified these entities.
As a workaround, Sophos is recommending that users take steps to ensure that the User Portal and Webadmin are not exposed to WAN. Alternatively, users can update to the latest supported version:
- v19.5 GA
- v19.0 MR2 (19.0.2)
- v19.0 GA, MR1, and MR1-1
- v18.5 MR5 (18.5.5)
- v18.5 GA, MR1, MR1-1, MR2, MR3, and MR4
- v18.0 MR3, MR4, MR5, and MR6
- v17.5 MR12, MR13, MR14, MR15, MR16, and MR17
- v17.0 MR10
Users running older versions of Sophos Firewall are required to upgrade to receive the latest protections and the relevant fixes.
The development marks the second time a Sophos Firewall vulnerability has come under active attack within a year. Earlier this March, another flaw (CVE-2022-1040[3]) was used to target organizations in the South Asia region.
Then in June 2022, cybersecurity firm Volexity shared more details of the attack campaign, pinning the intrusions on a Chinese advanced persistent threat (APT) known as DriftingCloud[4].
Sophos firewall appliances have also previously come under attack to deploy what’s called the Asnarök trojan[5] in an attempt to siphon sensitive information.
References
- [1] CVE-2022-3236 (nvd.nist.gov)
- [2] said (www.sophos.com)
- [3] CVE-2022-1040 (thehackernews.com)
- [4] DriftingCloud (thehackernews.com)
- [5] Asnarök trojan (news.sophos.com)
Read more https://thehackernews.com/2022/09/hackers-actively-exploiting-new-sophos.html