PT-2022-2444 · Sophos · Sophos XG (+1)

Aryan Chehreghani · Published 2022-03-25 · Updated 2026-03-04 · CVE-2022-1040

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Sophos Firewall versions prior to v18.5 MR3 (18.5.3)
Sophos XG Firewall version 17.0.10 MR-10

Description
An authentication bypass issue exists in the User Portal and Webadmin components of Sophos Firewall, potentially allowing a remote attacker to execute code. The vulnerability allows authentication to be bypassed, granting unauthorized access to the firewall management interface. Reports indicate a significant surge in exploitation attempts, with a 435% increase observed recently.

The vulnerability has been exploited in attacks involving the Pigmy Goat malware, a Linux rootkit used by Chinese threat actors. This malware leverages the vulnerability (CVE-2022-1040) to gain backdoor access to Sophos XG firewalls. It uses techniques such as LD_PRELOAD hijacking to intercept and manipulate SSH connections, establishing a command-and-control channel; the accept function of the SSH daemon is the hook point used to gain code execution. The vulnerability has also been linked to other threat actors and malware families, including NoodleRAT, AcidRain, and AcidPour.

Exploitation involves sending a crafted POST request to the /userportal/Controller API endpoint with a specific json parameter ({"x":"test"}). The vulnerability affects systems running Linux.

Recommendations
Sophos Firewall versions prior to v18.5 MR3 (18.5.3) should be updated to a newer, secure version. Sophos XG Firewall version 17.0.10 MR-10 should be updated to a newer, secure version. As a temporary workaround, consider disabling the User Portal and Webadmin interfaces if they are not essential. Restrict access to the /userportal/Controller API endpoint to minimize the risk of exploitation. Monitor network traffic for suspicious activity related to SSH connections and ICMP packets.
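A defender-side illustration of the last two recommendations, added here and not part of the advisory or of any Sophos tooling: it scans web-server access logs for requests that reach the User Portal controller from outside an administrative allowlist, or that carry a json parameter shaped like the {"x":"test"} object the advisory describes. The combined-log line format, the sample lines and the allowlist are constructed assumptions.

```python
import ipaddress
import json
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint named in the advisory; the recommendation is to restrict access to it.
TARGET_PATH = "/userportal/Controller"
# Assumed combined-log-style request line: source, method, target, status (other fields ignored).
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
# Constructed sample lines (not real Sophos logs); the json value is {"x":"test"} URL-encoded.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Mar/2022:10:01:02 +0000] "POST /userportal/Controller?json=%7B%22x%22%3A%22test%22%7D HTTP/1.1" 200 512
10.0.0.5 - - [25/Mar/2022:10:01:09 +0000] "GET /userportal/webpages/myaccount/login.jsp HTTP/1.1" 200 2048
198.51.100.23 - - [25/Mar/2022:10:02:44 +0000] "POST /userportal/Controller HTTP/1.1" 302 0
10.0.0.9 - - [25/Mar/2022:10:03:10 +0000] "POST /userportal/Controller?json=%7B%22x%22%3A%22test%22%7D HTTP/1.1" 200 300
"""

def is_allowed(src, networks):
    """True when the source address is inside the administrative allowlist."""
    try:
        return any(ipaddress.ip_address(src) in net for net in networks)
    except ValueError:  # not an IP literal (e.g. a hostname): never trusted
        return False

def scan_access_log(text, allowed_cidrs):
    """One finding per request to TARGET_PATH worth reviewing: reached from outside
    the allowlist, or carrying a 'json' parameter shaped like the advisory's {"x": ...}."""
    networks = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log entry
        src, method, target, status = m.groups()
        url = urlsplit(target)
        if url.path != TARGET_PATH:
            continue
        reasons = []
        if not is_allowed(src, networks):
            reasons.append("controller reached from outside allowlist")
        for raw in parse_qs(url.query).get("json", []):  # already URL-decoded
            try:
                body = json.loads(raw)
            except ValueError:
                continue
            if isinstance(body, dict) and "x" in body:
                reasons.append("json parameter matches advisory pattern")
        if reasons:
            findings.append({"src": src, "method": method, "status": int(status), "reasons": reasons})
    return findings
```

Run `scan_access_log(SAMPLE_LOG, ["10.0.0.0/8"])` to see three findings: the first sample line trips both checks, the third only the allowlist check, and the fourth only the parameter check.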

Weakness Enumeration
Improper Authentication

Related Identifiers
BDU:2022-02850
CVE-2022-1040

Affected Products
Sophos Firewall
Sophos XG