CVE-2024-12729
📋 TL;DR
This is a post-authentication code injection vulnerability in the User Portal of Sophos Firewall (SFOS) that lets an authenticated User Portal user execute arbitrary code on the appliance, i.e. authenticated remote code execution. It affects Sophos Firewall versions older than 21.0 MR1 (21.0.1); Sophos also published hotfixes for some older supported releases, so consult the vendor advisory for the exact hotfixed versions. Because the firewall itself is the target, any organization exposing the User Portal to users whose credentials could be phished, reused, or otherwise compromised is at risk of full appliance compromise.
💻 Affected Systems
- Sophos Firewall
📦 What is this software?
Sophos Firewall (SFOS) is Sophos's network firewall / next-generation firewall appliance (hardware, virtual, and cloud images). The User Portal is the end-user-facing web interface, separate from the administrative WebAdmin console, that users log in to for tasks such as downloading VPN clients and managing quarantined email. This vulnerability is in that User Portal, so a regular user account, not an administrator account, is sufficient to reach the affected code.
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to gain persistent access, exfiltrate sensitive data, pivot to internal networks, and deploy ransomware or other malware.
Likely Case
Attackers holding valid User Portal credentials (for example a phished or password-sprayed user account) run arbitrary commands on the firewall to harvest credentials and configuration, modify firewall and NAT rules, or establish a persistent backdoor on the appliance.
If Mitigated
Limited impact due to strong authentication controls, network segmentation, and monitoring preventing successful exploitation.
🎯 Exploit Status
Exploitation requires a valid User Portal login, but that is the only barrier: any user who can authenticate to the portal can reach the vulnerable code path. No public exploit code was available at the time of writing.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 21.0 MR1 (21.0.1) or later
Vendor Advisory: https://www.sophos.com/en-us/security-advisories/sophos-sa-20241219-sfos-rce
Restart Required: Yes
Instructions:
1. Back up the current configuration.
2. Download Sophos Firewall 21.0.1 (21.0 MR1) or later from the Sophos support portal, or use the firewall's own firmware check to fetch it.
3. Apply the update through the WebAdmin web interface.
4. Reboot the firewall when prompted.
🔧 Temporary Workarounds
Disable User Portal
Temporarily disable the User Portal, or at minimum stop exposing it to the WAN zone (WebAdmin: System > Administration > Device access), until the upgrade or hotfix is in place. Sophos has long recommended not exposing the User Portal to the internet at all.
Restrict User Portal Access
Limit User Portal access to specific zones and source networks using the Device access settings and a local service ACL exception rule, so that only trusted internal ranges (or a VPN) can reach it. Note that this reduces exposure but does not remove the vulnerability for users who can still reach the portal.
🧯 If You Can't Patch
- Implement strict access controls and multi-factor authentication for all User Portal accounts
- Monitor User Portal access logs for suspicious activity and implement network segmentation
🔍 How to Verify
Check if Vulnerable:
Check the SFOS firmware version shown in WebAdmin (it is displayed on the dashboard and on the firmware / backup page). If the version is older than 21.0.1 and the vendor hotfix for this CVE has not been applied, the system is vulnerable. Version numbering: "21.0 MR1" is the same release as 21.0.1, and "20.0 MR3" is 20.0.3.
Check Version:
SSH to the firewall as admin. SFOS drops you into a console menu rather than a shell, so `cat /etc/version` will not work; choose the Device Console and run:
system diagnostics show version-info
The same information is available in the WebAdmin interface.
Verify Fix Applied:
After the update, confirm that the reported version is 21.0.1 or higher. If you relied on a hotfix instead of upgrading, confirm the hotfix is reported as applied using the method given in the vendor advisory.
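Because SFOS reports versions in several forms ("21.0.1", "21.0 MR1", "21.0.0 GA-Build169", "20.0.2 MR-2"), comparing them by eye is error-prone when checking a fleet of firewalls. The following is an added example, not code from this page or from Sophos, that normalizes those strings to a (major, minor, maintenance-release) tuple and compares against the fixed version 21.0.1. It deliberately does not account for vendor hotfixes (it cannot see them), so a "vulnerable" result for an older version still needs to be checked against the hotfix list in the advisory.

```python
import re

# Fixed release per the advisory: 21.0 MR1 == 21.0.1
FIXED_VERSION = (21, 0, 1)

# Matches "21.0.1", "21.0 MR1", "21.0.1 MR-1", "21.0.0 GA-Build169", "SFOS 20.0.2 MR-2".
_VERSION_RE = re.compile(r'(\d+)\.(\d+)(?:\.(\d+))?(?:\s*(?:GA|MR-?(\d+)))?')


def parse_sfos_version(text: str) -> tuple[int, int, int]:
    """Normalize an SFOS version string to (major, minor, mr_level).

    The third component is the maintenance-release level: an explicit
    'MRn' wins, otherwise the third numeric field is used, otherwise 0 (GA).
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognized SFOS version string: {text!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    patch, mr = m.group(3), m.group(4)
    if mr is not None:
        level = int(mr)
    elif patch is not None:
        level = int(patch)
    else:
        level = 0
    return (major, minor, level)


def is_vulnerable(version_text: str) -> bool:
    """True if the version predates 21.0.1.

    Caveat: this only compares release numbers. Sophos also shipped hotfixes
    for some older releases; a firewall on a hotfixed build will still be
    reported as vulnerable here and must be checked against the advisory.
    """
    return parse_sfos_version(version_text) < FIXED_VERSION


def triage(inventory: dict[str, str]) -> dict[str, bool]:
    """Map hostname -> vulnerable? for a dict of hostname -> version string."""
    return {host: is_vulnerable(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hostnames and versions).
    sample = {
        "fw-hq":     "SFOS 21.0.1 MR-1",
        "fw-branch": "21.0.0 GA-Build169",
        "fw-lab":    "20.0.2 MR-2",
        "fw-dmz":    "21.0 MR1",
    }
    for host, vuln in triage(sample).items():
        print(f"{host}: {'VULNERABLE' if vuln else 'fixed'}")
```

Feed `triage()` the version strings you collect from `system diagnostics show version-info` or WebAdmin; anything flagged vulnerable either gets upgraded to 21.0.1+ or is checked against the advisory's hotfix list.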
📡 Detection & Monitoring
Log Indicators:
- Unusual User Portal login patterns
- Suspicious command execution in system logs
- Multiple failed authentication attempts followed by successful login
Network Indicators:
- Unexpected outbound connections from firewall
- Anomalous traffic originating from the firewall itself (the appliance, not hosts behind it), such as new outbound connections appearing after a User Portal login
SIEM Query (illustrative; the field names below are placeholders and must be mapped to the actual fields in your Sophos Firewall log source):
source="sophos_firewall" component="UserPortal" event="login" | stats count(eval(status="failed")) AS failures, count(eval(status="success")) AS successes BY src | where failures>=3 AND successes>0