CVE-2024-12727
📋 TL;DR
This critical vulnerability is a pre-authentication SQL injection in the email protection feature of Sophos Firewall (SFOS) versions older than 21.0 MR1 (21.0.1). An unauthenticated remote attacker can use it to read the firewall's reporting database, and, if a specific Secure PDF eXchange (SPX) configuration is enabled while the firewall runs in High Availability (HA) mode, the injection can be escalated to remote code execution on the appliance. Organizations running an affected version with email protection enabled are at risk regardless of whether the RCE conditions are present.
💻 Affected Systems
- Sophos Firewall (SFOS) versions older than 21.0 MR1 (21.0.1), when the email protection feature is enabled
📦 What is this software?
Sophos Firewall (SFOS) is Sophos's network firewall appliance and virtual appliance. Its email protection feature scans SMTP, POP and IMAP traffic for spam and malware, can act as a mail transfer agent (MTA) for the organization's mail, and provides Secure PDF eXchange (SPX) for encrypting outbound messages.
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution with full system compromise, allowing attackers to take complete control of the firewall, pivot to internal networks, and exfiltrate sensitive data.
Likely Case
Database access and information disclosure, potentially leading to credential theft, configuration extraction, and lateral movement opportunities.
If Mitigated
If the SPX and HA configuration that enables the RCE path is absent, impact is limited to querying the reporting database. Network segmentation and strict access controls further limit what an attacker can reach from the firewall with the data obtained.
🎯 Exploit Status
Pre-authentication SQL injection generally has low exploitation complexity, and the vendor rates this issue critical (CVSS 3.1 base score 9.8). The RCE path requires the specific SPX plus HA configuration, but the SQL injection alone gives an unauthenticated attacker read access to the reporting database, which is significant on its own.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 21.0 MR1 (21.0.1) or later. Sophos also published hotfixes for older supported releases; firewalls with "Allow automatic installation of hotfixes" enabled received them automatically, while others need the hotfix or a firmware upgrade. See the advisory for the per-version hotfix list.
Vendor Advisory: https://www.sophos.com/en-us/security-advisories/sophos-sa-20241219-sfos-rce
Restart Required: Yes
Instructions:
1. Back up the current configuration.
2. Download Sophos Firewall version 21.0.1 or later from Sophos Central or the support portal.
3. Apply the update through the firewall web interface.
4. Reboot the firewall when prompted.
5. Verify that the update was successful (see How to Verify below).
🔧 Temporary Workarounds
Disable Email Protection
Temporarily disable the vulnerable email protection feature to prevent exploitation while planning patching. Note that this stops spam and malware scanning of mail, and if the firewall is running as the organization's MTA it interrupts mail flow, so arrange an alternative mail path first.
Navigate to: Protect > Email > General > Uncheck 'Enable email protection'
Network Access Restrictions
Restrict access to the email protection service to trusted IP addresses only.
Configure firewall rules to limit access to the mail ports the feature listens on (typically 25, 587 and 465) to authorized sources only, for example the upstream mail relay or hosted filtering service. If the firewall accepts inbound internet mail directly, sender restriction is not practical and this workaround gives little protection; prefer patching or disabling the feature.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate the firewall from critical internal resources
- Forward the firewall's mail (SMTP) logs to a SIEM and alert on SQL syntax in attacker-controlled fields such as sender, recipient and subject
🔍 How to Verify
Check if Vulnerable:
Check the Sophos Firewall version in the web interface: System > Administration > System Information. If the version is older than 21.0.1 and email protection is enabled, treat the system as vulnerable unless the vendor hotfix for that release has been confirmed as installed (a hotfixed firewall still reports its original version number).
Check Version:
Web interface: System > Administration > System Information. Console: connect over SSH (admin user), choose Device Console from the menu and run `system diagnostics show version-info`.
Verify Fix Applied:
Verify that the version is 21.0.1 or newer in System > Administration > System Information (or that the vendor hotfix for an older release is confirmed installed). Confirm that email protection, including SPX where used, works correctly after the update.
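The version check above is usually run across an inventory rather than one box at a time. The following script is an added example, not Sophos code: it parses SFOS version display strings, applies the 21.0.1 threshold from the advisory, and ranks hosts by whether the SPX plus HA conditions for the RCE path are present. The Host fields, the inventory rows and their build numbers are constructed for the illustration; the hotfix_applied flag exists because an older release carrying the vendor hotfix still reports its original version.

```python
"""Triage an SFOS inventory against the CVE-2024-12727 fix threshold (21.0 MR1 = 21.0.1).

Added example, not Sophos code.  Host records and version strings below are
constructed; they follow the SFOS display convention "SFOS 21.0.1 MR-1-Build365".
"""
import re
from dataclasses import dataclass

FIXED_VERSION = (21, 0, 1)  # 21.0 MR1 per the vendor advisory

# First dotted numeric triple in the display string, e.g. "21.0.1" in "SFOS 21.0.1 MR-1-Build365"
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(display: str) -> tuple:
    """Return (major, minor, patch) from an SFOS version display string."""
    m = _VERSION_RE.search(display)
    if m is None:
        raise ValueError(f"no SFOS version found in {display!r}")
    return tuple(int(part) for part in m.groups())


@dataclass
class Host:
    name: str
    version: str                  # as shown under System > Administration > System Information
    email_protection: bool        # Protect > Email > General > "Enable email protection"
    spx_enabled: bool             # Secure PDF eXchange (SPX) encryption in use
    ha_mode: bool                 # firewall is part of a High Availability pair
    hotfix_applied: bool = False  # vendor hotfix confirmed on a pre-21.0.1 release (assumed field)


def assess(host: Host) -> str:
    """Classify one host.  An old version number alone is not proof of exposure,
    because a pre-21.0.1 release may carry the vendor hotfix instead of the upgrade."""
    if parse_version(host.version) >= FIXED_VERSION or host.hotfix_applied:
        return "patched"
    if not host.email_protection:
        return "feature disabled: not currently exposed, upgrade anyway"
    # The RCE path in the advisory needs a specific SPX configuration together with HA mode;
    # without it the flaw still gives unauthenticated access to the reporting database.
    if host.spx_enabled and host.ha_mode:
        return "vulnerable: SQL injection, RCE conditions present"
    return "vulnerable: SQL injection (database access)"


def _rank(status: str) -> int:
    if "RCE" in status:
        return 0
    if status.startswith("vulnerable"):
        return 1
    return 2


def triage(hosts):
    """Return (name, status) for every unpatched host, worst first."""
    rows = [(h.name, assess(h)) for h in hosts]
    return sorted((r for r in rows if r[1] != "patched"), key=lambda r: _rank(r[1]))


# Constructed inventory for the example; names, versions and builds are invented.
INVENTORY = [
    Host("fw-hq", "SFOS 21.0.1 MR-1-Build365", True, True, True),
    Host("fw-branch", "SFOS 20.0.2 MR-2-Build378", True, False, False),
    Host("fw-dc", "SFOS 20.0.2 MR-2-Build378", True, True, True),
    Host("fw-lab", "SFOS 19.5.3 MR-3-Build652", False, False, False),
    Host("fw-dr", "SFOS 20.0.3 MR-3-Build313", True, True, True, hotfix_applied=True),
]

if __name__ == "__main__":
    for name, status in triage(INVENTORY):
        print(f"{name:10} {status}")
```

Feed it the version strings and feature flags exported from your own inventory tool; the ordering puts hosts that combine SPX and HA at the top because they carry the code execution risk, followed by hosts that expose only the database read.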
📡 Detection & Monitoring
Log Indicators:
- SQL syntax (quotes followed by OR/AND, UNION SELECT, stacked statements, comment markers) in sender, recipient or subject fields of the firewall's mail logs
- Bursts of mail from a single source that vary only in these fields, consistent with blind injection probing
- Unexpected reporting-database access patterns or export activity on the appliance
- Unusual process execution on the firewall, new or modified administrative accounts, or configuration changes not made by your team
Network Indicators:
- SQL injection patterns in SMTP/email traffic
- Unexpected outbound connections from firewall
- Anomalous database queries from firewall IP
SIEM Query:
source="sophos_firewall" AND ("sql" OR "injection" OR "database" OR "spx") AND severity=HIGH
This keyword query is a starting point only: the firewall does not log SQL statements, so matching on "sql" or "injection" catches little, and the severity field name depends on how your collector normalizes Sophos logs. A more useful rule inspects the mail log fields an external sender controls (sender, recipient, subject) for injection syntax and groups hits by source IP.
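The following detector is an added example, not part of the advisory or of any Sophos tooling. It shows the field-level check described above run over a handful of constructed mail log lines: the key="value" layout approximates SFOS syslog output, but the field names and every line, address and IP are invented for the illustration. Patterns require structure beyond a lone apostrophe, so a sender like O'Brien or a subject like "Kate's invoice" is not flagged.

```python
"""Scan firewall mail logs for SQL-injection markers in attacker-controlled fields.

Added detection example, not Sophos code.  The log format (space-separated
key="value" pairs), the field names and the five sample lines are constructed.
"""
import re
from collections import Counter

# Fields an external sender controls at the SMTP layer; only these are inspected to cut noise.
# The names are assumptions; map them to your collector's schema.
INSPECT_FIELDS = ("from_email_address", "to_email_address", "subject")

# Each pattern needs more than a lone quote so ordinary names and apostrophes pass.
SQLI_PATTERNS = {
    "tautology": re.compile(r"'\s*(or|and)\s+[\w'\"]+\s*=", re.I),   # a' OR '1'='1
    "union-select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "stacked-query": re.compile(r"'\s*;"),                            # '; SELECT ...
    "time-delay": re.compile(r"\b(pg_sleep|sleep|benchmark)\s*\(", re.I),
    "comment-tail": re.compile(r"--\s*$"),
}

_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line: str) -> dict:
    """Return {key: value} for one key=value log line, with surrounding quotes stripped."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
            for m in _KV.finditer(line)}


def scan(lines):
    """Return one hit per flagged field: line number, source IP, field, pattern name, value."""
    hits = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        for field in INSPECT_FIELDS:
            value = rec.get(field)
            if not value:
                continue
            for name, pattern in SQLI_PATTERNS.items():
                if pattern.search(value):
                    hits.append({"line": n, "src_ip": rec.get("src_ip"),
                                 "field": field, "pattern": name, "value": value})
                    break  # one hit per field is enough for alerting
    return hits


def by_source(hits) -> dict:
    """Count hits per source IP; a single source with several hits is the stronger signal."""
    return dict(Counter(h["src_ip"] for h in hits))


# Constructed sample log: lines 1-2 are benign (note the apostrophes), lines 3-5 are probes.
SAMPLE_LOG = [
    'date=2024-12-20 time=09:14:02 log_type="SMTP" src_ip=198.51.100.7 '
    'from_email_address="alice@example.com" to_email_address="bob@example.org" subject="Q4 numbers"',
    'date=2024-12-20 time=09:14:31 log_type="SMTP" src_ip=198.51.100.7 '
    'from_email_address="o\'brien@example.com" to_email_address="bob@example.org" subject="Kate\'s invoice"',
    'date=2024-12-20 time=09:15:10 log_type="SMTP" src_ip=203.0.113.45 '
    'from_email_address="x@example.net" to_email_address="bob@example.org" subject="a\' OR \'1\'=\'1\' -- "',
    'date=2024-12-20 time=09:15:12 log_type="SMTP" src_ip=203.0.113.45 '
    'from_email_address="x@example.net" to_email_address="bob@example.org" subject="x\' UNION SELECT version()--"',
    'date=2024-12-20 time=09:15:15 log_type="SMTP" src_ip=203.0.113.45 '
    'from_email_address="x@example.net" to_email_address="v@example.org\'; SELECT pg_sleep(5)--" subject="hello"',
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f"line {h['line']} {h['src_ip']} {h['field']} [{h['pattern']}]: {h['value']}")
    print("per source:", by_source(found))
```

Tune the pattern table against a sample of your own mail logs before alerting on it; the tautology and stacked-query patterns are precise, while the comment-tail pattern will occasionally match legitimate subjects and is better used as a corroborating signal than on its own.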