CVE-2024-13973
📋 TL;DR
This CVE describes a post-authentication SQL injection vulnerability in Sophos Firewall's WebAdmin interface. Attackers with administrative credentials can exploit this to execute arbitrary SQL commands, potentially leading to remote code execution. Only Sophos Firewall versions older than 21.0 MR1 (21.0.1) are affected.
💻 Affected Systems
- Sophos Firewall
⚠️ Risk & Real-World Impact
Worst Case
Administrator-level attacker achieves full system compromise through SQL injection leading to arbitrary code execution, potentially gaining complete control over the firewall.
Likely Case
Privileged attacker with WebAdmin access executes malicious SQL commands to extract sensitive data, modify configurations, or achieve limited code execution.
If Mitigated
With proper access controls and network segmentation, impact is limited to the firewall management interface with no lateral movement.
🎯 Exploit Status
Exploitation requires valid administrator credentials for the WebAdmin interface; once authenticated, the SQL injection can be chained to remote code execution.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 21.0 MR1 (21.0.1) or later
Vendor Advisory: https://www.sophos.com/en-us/security-advisories/sophos-sa-20250721-sfos-rce
Restart Required: Yes
Instructions:
1. Back up the current configuration.
2. Download Sophos Firewall 21.0.1 or later from the Sophos support portal.
3. Upload the firmware via WebAdmin.
4. Apply the update.
5. Reboot the firewall when prompted.
🔧 Temporary Workarounds
Restrict WebAdmin Access
Limit WebAdmin interface access to specific trusted IP addresses only.
Configure firewall rules to restrict WebAdmin (port 4444) access to management networks only.
Disable Unused WebAdmin
If WebAdmin is not required, disable it and use the CLI or other management methods.
Navigate to Administration > Device Access > WebAdmin and disable the service.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate firewall management interface from untrusted networks.
- Enforce strong authentication policies and monitor for suspicious administrator account activity.
🔍 How to Verify
Check if Vulnerable:
Check the Sophos Firewall version via the WebAdmin dashboard or the CLI. If the version is older than 21.0.1 (21.0 MR1), the system is vulnerable.
Check Version:
ssh admin@firewall-ip 'show version' or check WebAdmin dashboard System Information.
Verify Fix Applied:
After patching, verify version shows 21.0.1 or higher in WebAdmin dashboard or via CLI version check.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in WebAdmin logs
- Multiple failed authentication attempts followed by successful login
- Unexpected configuration changes via WebAdmin
Network Indicators:
- Unusual traffic patterns to WebAdmin port (4444)
- SQL injection patterns in HTTP requests to WebAdmin
SIEM Query:
source="sophos_firewall" AND (url="*WebAdmin*" AND (message="*sql*" OR message="*injection*" OR message="*exec*"))
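As an added example (not code from this page or from Sophos), the detection logic above applied in Python to constructed sample log lines: it mirrors the three conditions of the SIEM query and correlates each successful WebAdmin login with preceding failed logins and with follow-on records that match the query. The key=value log format, field names and URL paths are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample records (not real Sophos log output), key=value form.
SAMPLE_LOGS = [
    'ts=2025-07-22T10:00:01 source=sophos_firewall srcip=10.0.5.7 user=admin event=login_failed url=/WebAdmin/login message="authentication failed"',
    'ts=2025-07-22T10:00:09 source=sophos_firewall srcip=10.0.5.7 user=admin event=login_failed url=/WebAdmin/login message="authentication failed"',
    'ts=2025-07-22T10:00:15 source=sophos_firewall srcip=10.0.5.7 user=admin event=login_ok url=/WebAdmin/login message="authentication succeeded"',
    'ts=2025-07-22T10:01:30 source=sophos_firewall srcip=10.0.5.7 user=admin event=request url=/WebAdmin/report message="database error in sql statement"',
    'ts=2025-07-22T10:05:00 source=sophos_firewall srcip=10.0.9.2 user=ops event=login_ok url=/WebAdmin/login message="authentication succeeded"',
    'ts=2025-07-22T10:06:00 source=sophos_firewall srcip=10.0.9.2 user=ops event=request url=/WebAdmin/dashboard message="page rendered"',
    'ts=2025-07-22T10:07:00 source=other_device srcip=10.0.9.9 user=svc event=request url=/WebAdmin/x message="sql timeout"',
]

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
KEYWORDS = ("sql", "injection", "exec")   # the same terms as the SIEM query above

def parse_line(line):
    """Turn one key=value log line into a dict; quoted values lose their quotes."""
    rec = {k: v.strip('"') for k, v in KV.findall(line)}
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec

def matches_siem_query(rec):
    """Mirror the SIEM query: right source, WebAdmin URL, keyword in message (case-insensitive)."""
    return (rec.get("source") == "sophos_firewall"
            and "webadmin" in rec.get("url", "").lower()
            and any(k in rec.get("message", "").lower() for k in KEYWORDS))

def find_suspicious_sessions(lines, window=timedelta(minutes=5), min_failures=2):
    """Flag (srcip, user) pairs whose successful login is preceded by repeated failures or followed by a SIEM match."""
    recs = sorted((parse_line(l) for l in lines), key=lambda r: r["ts"])
    flagged = {}
    for i, r in enumerate(recs):
        if r.get("event") != "login_ok":
            continue
        key = (r["srcip"], r["user"])
        failures = [x for x in recs[:i] if (x["srcip"], x["user"]) == key
                    and x["event"] == "login_failed" and r["ts"] - x["ts"] <= window]
        post_auth = [x for x in recs[i + 1:] if x["srcip"] == r["srcip"]
                     and x["ts"] - r["ts"] <= window and matches_siem_query(x)]
        reasons = []
        if len(failures) >= min_failures:
            reasons.append("failed-logins-then-success")
        if post_auth:
            reasons.append("post-auth-sql-indicator")
        if reasons:
            flagged[key] = reasons
    return flagged
```

Calling find_suspicious_sessions(SAMPLE_LOGS) flags only the admin session from 10.0.5.7, for both reasons; the ops session and the record from a non-firewall source are left alone.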