CVE-2024-13974
📋 TL;DR
This vulnerability in Sophos Firewall's Up2Date component allows attackers who control the firewall's DNS environment to achieve remote code execution. It affects Sophos Firewall versions older than 21.0 MR1 (20.0.1). Organizations using vulnerable versions are at risk of complete firewall compromise.
💻 Affected Systems
- Sophos Firewall
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete firewall takeover leading to network compromise, data exfiltration, and lateral movement into internal networks.
Likely Case
Attackers gain administrative control of the firewall, enabling traffic interception, rule modification, and credential theft.
If Mitigated
Limited impact with proper network segmentation and DNS security controls in place.
🎯 Exploit Status
Requires DNS control but no authentication. Business logic vulnerability makes exploitation straightforward once DNS is compromised.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 21.0 MR1 (20.0.1) or later
Vendor Advisory: https://www.sophos.com/en-us/security-advisories/sophos-sa-20250721-sfos-rce
Restart Required: Yes
Instructions:
1. Log into the Sophos Firewall admin interface.
2. Navigate to System > Administration > Updates.
3. Check for and apply available updates to version 21.0 MR1 or later.
4. Reboot the firewall after the update completes.
🔧 Temporary Workarounds
Restrict DNS Configuration
Limit DNS server configuration to trusted internal servers only and prevent external DNS control.
Network Segmentation
Isolate firewall management interfaces from untrusted networks and implement strict DNS traffic filtering.
🧯 If You Can't Patch
- Implement strict DNS security controls and monitoring for DNS hijacking attempts.
- Isolate firewall management interfaces and restrict access to trusted IP addresses only.
🔍 How to Verify
Check if Vulnerable:
Check Sophos Firewall version via admin interface: System > Administration > Updates. Versions older than 21.0 MR1 (20.0.1) are vulnerable.
Check Version:
ssh admin@firewall_ip 'show version' or check web interface
Verify Fix Applied:
Confirm version is 21.0 MR1 (20.0.1) or later in System > Administration > Updates.
📡 Detection & Monitoring
Log Indicators:
- Unusual DNS resolution patterns
- Unauthorized configuration changes to Up2Date settings
- Suspicious update attempts
Network Indicators:
- DNS traffic anomalies to/from firewall
- Unexpected outbound connections from firewall management interfaces
SIEM Query:
source="sophos_firewall" AND ((event_type="dns_query" AND query_domain NOT IN allowed_domains) OR (event_type="config_change" AND component="up2date"))
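The SIEM query above expressed as runnable detection logic over a handful of constructed events, so the two indicators (a firewall DNS query outside the update allowlist, and a configuration change to the Up2Date component) can be tested before the query is deployed. This is an added example, not Sophos code or a Sophos log format: the field names (`source`, `event_type`, `query_domain`, `component`, `user`), the allowlisted domains and the sample events are all assumptions that mirror the query on this page and must be mapped onto your own log schema.

```python
"""Detection logic for the CVE-2024-13974 log indicators listed on this page.

Added example, not Sophos code. Field names and sample events are
constructed to mirror the page's SIEM query; adapt them to your schema.
"""

from collections import Counter

# Constructed sample events (not real Sophos Firewall logs).
SAMPLE_EVENTS = [
    {"ts": "2025-07-21T10:00:01Z", "source": "sophos_firewall",
     "event_type": "dns_query", "query_domain": "update.vendor.example"},
    {"ts": "2025-07-21T10:00:05Z", "source": "sophos_firewall",
     "event_type": "dns_query", "query_domain": "hijacked-update.example"},
    {"ts": "2025-07-21T10:01:00Z", "source": "sophos_firewall",
     "event_type": "config_change", "component": "up2date", "user": "admin"},
    {"ts": "2025-07-21T10:02:00Z", "source": "sophos_firewall",
     "event_type": "config_change", "component": "firewall_rule", "user": "admin"},
    # Same suspicious domain, but not from the firewall: the source filter
    # must exclude it, which is why the OR branches are grouped in the query.
    {"ts": "2025-07-21T10:03:00Z", "source": "other_host",
     "event_type": "dns_query", "query_domain": "hijacked-update.example"},
]

# Placeholder allowlist (assumption): the domains the firewall's update
# component is expected to resolve in your environment.
ALLOWED_DOMAINS = {"update.vendor.example"}


def domain_allowed(domain, allowed):
    """True if `domain` equals or is a subdomain of an allowlisted entry."""
    d = domain.lower().rstrip(".")
    return any(d == a or d.endswith("." + a) for a in allowed)


def match_event(event, allowed=ALLOWED_DOMAINS):
    """Return the indicator name an event matches, or None.

    Mirrors: source="sophos_firewall" AND (
        (dns_query AND domain NOT IN allowlist) OR
        (config_change AND component="up2date"))
    """
    if event.get("source") != "sophos_firewall":
        return None
    event_type = event.get("event_type")
    if event_type == "dns_query":
        if not domain_allowed(event.get("query_domain", ""), allowed):
            return "dns_query_outside_allowlist"
        return None
    if event_type == "config_change" and event.get("component") == "up2date":
        return "up2date_config_change"
    return None


def detect(events, allowed=ALLOWED_DOMAINS):
    """Return (timestamp, indicator, detail) tuples for matching events."""
    hits = []
    for event in events:
        reason = match_event(event, allowed)
        if reason:
            detail = event.get("query_domain") or event.get("user")
            hits.append((event["ts"], reason, detail))
    return hits


def summarize(hits):
    """Count hits per indicator, useful as a dashboard or alert threshold input."""
    return Counter(reason for _, reason, _ in hits)


if __name__ == "__main__":
    for ts, reason, detail in detect(SAMPLE_EVENTS):
        print(f"{ts}  {reason:<28} {detail}")
    print(dict(summarize(detect(SAMPLE_EVENTS))))
```

Note the explicit grouping in `match_event`: without parentheses around the two OR branches, `AND` binds tighter than `OR` in most query languages and the `source="sophos_firewall"` filter would apply only to the DNS branch, so Up2Date configuration changes on any other host would also fire.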