Sophos issues hotfixes for three flaws in Sophos Firewall, two of them critical
Sophos has issued hotfixes for three security vulnerabilities in Sophos Firewall. Under certain conditions the flaws could allow remote code execution or privileged access to the device.
Two of the three vulnerabilities are rated Critical. At the time of writing there is no indication that any of them has been exploited in the wild. The vulnerabilities are:
- CVE-2024-12727 (CVSS score: 9.8): A pre-authentication SQL injection vulnerability in the email protection feature that can lead to remote code execution. It is only reachable when Secure PDF eXchange (SPX) is configured on a firewall running in High Availability (HA) mode.
- CVE-2024-12728 (CVSS score: 9.8): A weak credentials vulnerability caused by the suggested, non-random SSH login passphrase used to initialise an HA cluster. The passphrase remains active after HA setup completes, so anyone who can reach SSH on the device and knows the suggested value can obtain privileged access.
- CVE-2024-12729 (CVSS score: 8.8): A post-authentication code injection vulnerability in the User Portal that allows an authenticated user to achieve remote code execution.
Sophos has published a knowledge base article explaining how to verify that the hotfixes for CVE-2024-12727, CVE-2024-12728 and CVE-2024-12729 have been applied to a device.
Workaround
CVE-2024-12728
To mitigate the SSH passphrase (used when deploying the HA ports) remaining active after setup, customers can ensure that:
- SSH access is restricted to the dedicated, physically separate HA link only, and/or
- HA is reconfigured using a sufficiently long and random custom passphrase
Sophos recommends disabling WAN access via SSH, following its device access best practices, and using VPN and/or Sophos Central for remote access and management instead.
CVE-2024-12729
Customers can protect themselves from external attackers by ensuring that the User Portal and Webadmin are not exposed to the WAN. Because the flaw is post-authentication, this only limits who can reach the portal; a user who can log in can still trigger it, so applying the hotfix remains the actual fix.
Sophos recommends disabling WAN access to the User Portal and Webadmin, following its device access best practices, and using VPN and/or Sophos Central for remote access and management instead.
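Both workarounds above come down to two checks: the HA passphrase must be long and random (CVE-2024-12728), and SSH, the User Portal and Webadmin must not answer on the WAN interface (CVE-2024-12728 and CVE-2024-12729). The script below is an added example, not Sophos's own tooling, that generates a replacement passphrase with a CSPRNG and then probes the firewall's WAN address from the outside to confirm the admin services are unreachable. It assumes the default Sophos Firewall service ports (SSH 22, User Portal 443, Webadmin 4444); the strength heuristic and the placeholder address 192.0.2.1 are the example's own choices, not Sophos policy.

```python
"""Added example (not Sophos code): verify the two Sophos Firewall workarounds.

Assumes the default service ports; adjust SERVICE_PORTS if they were changed.
Run it from a host on the WAN side of the firewall, not from the LAN, because
the LAN zone may legitimately be allowed to reach the admin services.
"""
import secrets
import socket
import string
from typing import Dict, Iterable

# Default Sophos Firewall service ports (assumption: defaults not changed).
SERVICE_PORTS = {"ssh": 22, "user_portal": 443, "webadmin": 4444}

# Alphabet for generated HA passphrases; the symbol set is the example's choice.
PASSPHRASE_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"
MIN_PASSPHRASE_LEN = 20


def passphrase_is_strong(passphrase: str) -> bool:
    """Heuristic strength check (example policy, not Sophos's).

    Requires at least MIN_PASSPHRASE_LEN characters and at least three of the
    four classes lower / upper / digit / symbol. A short, suggested default of
    the kind CVE-2024-12728 describes fails this check.
    """
    if len(passphrase) < MIN_PASSPHRASE_LEN:
        return False
    classes = (
        any(c.islower() for c in passphrase),
        any(c.isupper() for c in passphrase),
        any(c.isdigit() for c in passphrase),
        any(not c.isalnum() for c in passphrase),
    )
    return sum(classes) >= 3


def generate_passphrase(length: int = 32) -> str:
    """Return a passphrase drawn with the secrets CSPRNG that passes the check."""
    if length < MIN_PASSPHRASE_LEN:
        raise ValueError(f"length must be >= {MIN_PASSPHRASE_LEN}")
    while True:  # retry in the rare case a draw misses a character class
        candidate = "".join(secrets.choice(PASSPHRASE_ALPHABET) for _ in range(length))
        if passphrase_is_strong(candidate):
            return candidate


def check_exposure(host: str, ports: Iterable[int], timeout: float = 3.0) -> Dict[int, bool]:
    """TCP-connect to each port; True means the port accepted a connection.

    Refused and filtered (timed-out) ports both come back False, so False means
    "not reachable from this vantage point", not necessarily "service disabled".
    """
    results: Dict[int, bool] = {}
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                results[port] = True
        except OSError:
            results[port] = False
    return results


def exposed_services(host: str, timeout: float = 3.0) -> Dict[str, bool]:
    """Map each admin service name to whether it is reachable on host."""
    reach = check_exposure(host, SERVICE_PORTS.values(), timeout)
    return {name: reach[port] for name, port in SERVICE_PORTS.items()}


if __name__ == "__main__":
    import sys

    # 192.0.2.1 is a documentation (TEST-NET-1) placeholder; pass the real WAN IP.
    wan_ip = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"
    print("Candidate HA passphrase:", generate_passphrase())
    for name, reachable in exposed_services(wan_ip).items():
        print(f"{name:12s} {'EXPOSED' if reachable else 'not reachable'}")
```

Run it as `python3 check_sfos_workarounds.py <WAN-IP>` from an external host. Any service reported as EXPOSED contradicts the workaround and should be closed in the device access settings; a "not reachable" result only proves the service is unreachable from that host, so it does not replace applying the hotfix, and the script never authenticates or sends anything beyond a TCP handshake.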
Related CVE Links
- https://www.cve.org/CVERecord?id=CVE-2024-12727
- https://www.cve.org/CVERecord?id=CVE-2024-12728
- https://www.cve.org/CVERecord?id=CVE-2024-12729

Blogger at www.systemtek.co.uk