Thousands of Sophos firewalls still vulnerable out there to hijacking

More than 4,000 public-facing Sophos firewalls remain vulnerable to a critical remote code execution bug disclosed last year and patched months later, according to security researchers. The flaw, CVE-2022-3236, had already been exploited as a zero-day when Sophos published a security advisory about the vulnerability in …

  1. Paul S. Gazo

    Since this is making the rounds as if it's meaningful, I'll just repeat myself from somewhere else.

    The devil's in the details.

    XG 19.0.1 has a hotfix, which is applied automatically unless you deliberately disable that.

    XG 19.0.0 has a hotfix, which is applied automatically unless you deliberately disable that.

    The last five releases of 18.5 have a hotfix, which is applied automatically unless you deliberately disable that.

    The last four releases of 18.0 have a hotfix, which is applied automatically unless you deliberately disable that.

    The last six releases of 17.5 have a hotfix, which is applied automatically unless you deliberately disable that.

    The last release of 17.0 has a hotfix, which is applied automatically unless you deliberately disable that.

    17.5 has been EOL since November 2021, just to give an idea how available patches are.

    But here's the kicker... the official, in-the-OS non-hotfix release? Was released in December and Sophos soft-releases firmware in stages. Only a small percentage of firewalls will see the 19.5 firmware as available right now. Most of the ones I manage haven't seen it. Yes, you can go out of your way to download the code from a portal and manually install it, but for most firewalls when you log on it doesn't tell you there's an update, and if you query for updates it - again - says there aren't any.

    So to say 99% of eligible firewalls aren't running the fixed code is... deeply misleading. Almost all of them have hotfixed. And the non-hotfix patch requires hoops to be jumped through.

    Yes, a proper admin should be aware that firmwares are available, but it's rarely good to be on the bleeding edge, and when you've got a hotfix... why rush to expose your customer to potential initial-release bugs?

    This study and what it implies about Sophos or people who admin them are deeply pointless and misleading.

  2. Dan 55

    "bought by American private equity... in a March 2020 deal... at $3.9 billion"

    Well, stick a fork in them, they're done, it's not a case of if but when.

    I'm somewhat disappointed not to see exhortations for the remaining staff to raise the bar, seize the day, perform exceptionally, and so on and so forth.

    1. Fred Daggy

      Re: "bought by American private equity... in a March 2020 deal... at $3.9 billion"

      Yes, because I go to bed at night dreaming of ways to "increase Shareholder value" as we have been exhorted. Despite cuts all round, no replacement staff to fill the tasks that still need to be done and absolutely no increase in salary to compensate for the increase in stress.
