Remote Code Execution in Sophos Firewall Software
Threat actors including APT DrifitingCloud (a Chinese APT) are actively exploiting CVE-2022-3236. This RCE vulnerability affects the Sophos Firewall v19.0 MR (19.0.1) and older webadmin and user portal components.
The attack does not require any user interaction and can be executed remotely. The impact to confidentiality, integrity and availability is high.
A code injection vulnerability allowing remote code execution was discovered in the User Portal and Webadmin components of Sophos Firewall. The vulnerability has been fixed.
Sophos has observed this vulnerability being used to target a small set of specific organizations, primarily in the South Asia region.
The Centre for Cyber security Belgium recommends system administrators to patch vulnerable systems as soon as possible and analyze system and network logs for any suspicious activity.
The following link shows how to check if the hotfix is currently installed: https://support.sophos.com/support/s/article/KB-000044539?language=en_US.
The CCB recommends organizations to upscale monitoring and detection capabilities and to detect any related suspicious activity, ensuring a fast response in case of an intrusion.
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
When applying patches to systems that have been vulnerable to an RCE exploit, a proactive threat assessment should be performed to verify no exploitation occurred in the time between a patch becoming available and being applied.