Sophos fixes critical firewall hole exploited by miscreants

A critical code-injection vulnerability in Sophos Firewall has been fixed — but not before miscreants found and exploited the bug. The flaw, tracked as CVE-2022-3236, exists in the User Portal and Webadmin components of the firewall in versions 19.0 and older. While it hasn't been issued a CVSS severity score, Sophos deemed it …

  1. Mike 137

    "a workaround, which included disabling WAN access to the User Portal and Webadmin"

    Good thinking Batman!

    Managing your firewall over an untrusted network to which all and sundry have access is not a brilliant idea in principle. However, it seems that the webified end of everything that's web enabled is the big problem. Why is "web" code such cr*p?

  2. TonyJ

    Ditched them months ago

    For years, I ran Sophos XG at home. It seemed to be very good for the price (free) but not only was it overly complex to do simple tasks, it never ran at full WAN speeds (and lots of posts on their forums stating this).

    It capped out at 250Mb/s on 550Mb/s lines.

    Swapped it to a Mikrotik Hex routerboard and haven't looked back - full wire speed and even IPSEC up to 470Mb/s. On a box that cost (at the time) £46 and draws 7W of power.

    They aren't for beginners, for sure, but they really do just work. And their support is second-to-none.

    (I have no affiliation to either vendor).

    1. Anonymous Coward

      Re: Ditched them months ago

      The problem is likely that the free version will only use a single core, so as soon as you start loading up all of the bells and whistles (Snort is very bad for this) things slow down dramatically. If you're looking for a box to install the free version of XG on you want a fast single core processor, not a multi-core.

      1. TonyJ

        Re: Ditched them months ago

        "...The problem is likely that the free version will only use a single core, so as soon as you start loading up all of the bells and whistles (Snort is very bad for this) things slow down dramatically. If you're looking for a box to install the free version of XG on you want a fast single core processor, not a multi-core..."

        Indeed - I had it running on various platforms from Intel to AMD with fast cores. Same with different hypervisors (Xen, VMware and Hyper-V) and no matter what, it capped. Even different ISPs, just in case.

        Out of the box with no changes. Tweaked. Nothing fixed it. No bells & whistles etc. I think it's just capped, regardless.

      2. knightperson

        Re: Ditched them months ago

        The free version of pre-XG Sophos UTM uses more than one core. I think it requires two and will support at least four if you want to give it that much resource. (Mine runs in a VM)

        I ran it until recently. I never got XG configured the way I wanted, so I eventually gave up and replaced it with pfSense.

    2. Anonymous Coward

      Re: Ditched them months ago

      The Mikrotik Hex is fast, but that's mostly because it's little more than a simple SPI firewall, which has been around for more than two decades, while Sophos XG is a full-blown NGFW/UTM firewall which can decrypt, identify and block traffic and scan for malware. In terms of network protection, it's a world of difference, and in today's security environment an SPI firewall alone is pretty meaningless as a border device to protect against malware or attacks.

      The same is true for open source firewall distros like OPNsense or (*shudder*) pfSense.

      I have been running Sophos XG Home for some time (installed on an HP T620 Extended thin client with an Intel 4-port NIC) and had no problems pushing through full line speed on a 500Mbps connection (without DPI, obviously; with DPI the bandwidth dropped notably to around 200-250Mbps; obviously more powerful hardware would have helped here).

      Sophos XG Home uses up to four cores and 6GB RAM, so it's not limited to a single core as claimed by another poster.

      Granted, being an NGFW/UTM it comes with a steep learning curve (and the sometimes illogical UI doesn't help), and it's easy to impair performance by making the wrong setting. But at the end of the day, Sophos XG is an enterprise product, so the complexity should not come as a surprise.

  3. pc-fluesterer.info

    Best practice?

    Since when is making your admin interface publicly accessible considered "best practice"?

    1. TonyJ

      Re: Best practice?

      To be fair, it isn't by default (caveat - it wasn't!).

      However, from memory the User Interface was, and that is equally affected.

  4. ElRegioLPL

    Games, normal software, etc. You can excuse the bugs to an extent. But software designed to keep these people out and it's just let off with a CVE (or not in this case) and a bug fix.
