Vulnerabilities in cybersecurity. In this edition of the Anida Latam Cybersecurity Newsletter, we continue to share with you the main vulnerabilities affecting the technological environments of private and public sector organizations in recent times.
Critical code injection vulnerability in Sophos Firewall
Sophos warns of a critical code injection security vulnerability, tracked as CVE-2022-3236, affecting its Firewall product that is currently being exploited.
The flaw CVE-2022-3236 resides in the Sophos Firewall user portal and webadmin. Its exploitation can lead to code execution (RCE).
The company addressed the issue with Firewall v19.0 MR1 (19.0.1) and earlier versions, also provided a solution by recommending customers not expose the user portal and webadmin to WAN and disable WAN access to both. The company recommends using VPN and/or Sophos Central (preferred) for remote access and management.
Customers using older versions of Firewall will need to upgrade to a supported version.
Microsoft updates mitigation for MS Exchange Zero-Day
This vulnerability identified almost a month ago has raised alarms around the world due to the great impact caused by the widespread implementation of MS Exchange as mail server in many organizations and institutions, where many of them handle highly confidential information such as recent attacks by hacktivist groups in LATAM.
The ease of exploitation and the great similarity to the Zero-Day vulnerabilities known during 2021 catalogued under the name of ProxyShell, which have been used by malicious actors and APTs as the main attack vector to access corporate networks, have also been of relevance.
Recently a series of mitigations had been released by the research group that detected the exploitation of the vulnerability, however, from the community it was detected that the method was not 100% effective since it is easy to generate a bypass to this protection. This is why Microsoft has provided a series of options that would allow to mitigate this vulnerability in a better way before the corresponding patch.
It is important to emphasize that for the execution of this attack you must have authenticated access to the server, regardless of the privilege level of the account.
Mitigating measures can be extracted from the official Microsoft source and apply to users with MS Exchange On Premise, as users who have Exchange Online do not need to take any action.
It is recommended to first apply WorkAround as soon as possible, while waiting for official updates from the vendor.
In addition, install the manufacturer's updates available in the vendor's official media, after analyzing the impact it could have on your organization's business-critical services. To do so, consult with your technical staff or corresponding resolution areas.
Critical Vulnerability Affects FortiOS and FortiProxy
Recently, the manufacturer Fortinet announced a security breach classified with critical severity, where administrators are warned to update Fortigate Firewall and FortiProxy web proxy servers to the latest versions.
The security flaw is identified as CVE-2022-40684, and involves an authentication omission in the administrative interface that could allow remote cybercriminals to log in to unpatched devices.
A bypass of authentication using an alternate path or channel in FortiOS and FortiProxy could allow malicious actors to allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP and HTTPS requests.
It is strongly recommended that the upgrade be performed immediately due to the ability to exploit this issue remotely.
To fix the security breach you should upgrade to the following versions:
- FortiOS: 7.0.7 or 126.96.36.199
- FortiProxy: 7.0.7 or 7.2.1
We are nearing the arrival of March, a month that in terms of cybersecurity generated a lot of noise last year when for the first time