Sophos has fixed an authentication bypass vulnerability, tracked as CVE-2022-1040, that resides in the User Portal and Webadmin areas of Sophos Firewall. The CVE-2022-1040 flaw received a CVSS score of 9.8 and impacts Sophos Firewall versions 18.5 MR3 (18.5.3) and earlier. “An authentication bypass vulnerability allowing remote code execution was discovered in the User Portal and Webadmin of Sophos Firewall and responsibly disclosed to Sophos. It was reported via the Sophos bug bounty program by an external security researcher. The vulnerability has been fixed.” reads the advisory published by the company. A remote attacker with access to the Firewall’s User Portal or Webadmin interface can exploit the flaw to bypass authentication and execute arbitrary code. The security vendor pointed out that the hotfixes will be automatically installed on its devices by default. The company also recommends customers avoid exposing their User Portal and Webadmin externally.
While this vulnerability will be automatically patched by default, another important best practice is to never expose user or administrative portals for critical solutions, such as firewalls or VPN, to the open Internet. Even when there is not a critical remote execution vulnerability present, such portals could be brute forced by threat actors.