
Sophos XG Firewall - Authentication Bypass (CVE-2022-1040)

Severity
CVSSv3 Score: 9.8
Exploitable with Sniper: No
Vulnerability description

Sophos XG Firewall is affected by an authentication bypass vulnerability in the /userportal/Controller endpoint. The root cause is the improper handling of duplicate JSON keys by the Sophos Channel Service Center (CSC). CSC parses input data with the json-c library, which overwrites the old value when a key is duplicated. An attacker can exploit this by sending malicious input to the CSC to bypass authentication and gain access to the device's WebConsole, which leads to RCE.
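The duplicate-key ambiguity described above, with a strict parser that rejects such input. This is an added example, not code from Sophos, json-c, or the original page. The key names, the sample document, and the first-wins view (a stand-in for any component that reads the earlier value) are assumptions; Python's json module is used because its default is also last-value-wins.

```python
import json


class DuplicateKeyError(ValueError):
    """Raised when a JSON object repeats a key at any nesting level."""


def _reject_duplicates(pairs):
    # object_pairs_hook receives every (key, value) pair of one object in
    # document order, before dict construction silently drops repeats.
    seen = {}
    for key, value in pairs:
        if key in seen:
            raise DuplicateKeyError(f"duplicate JSON key: {key!r}")
        seen[key] = value
    return seen


def _first_wins(pairs):
    # Hypothetical component that keeps the first occurrence of a key.
    out = {}
    for key, value in pairs:
        out.setdefault(key, value)
    return out


def strict_loads(text):
    """Parse JSON, refusing any object that contains a repeated key."""
    return json.loads(text, object_pairs_hook=_reject_duplicates)


def views(text):
    """Return (first-wins view, last-wins view) of the same document."""
    return json.loads(text, object_pairs_hook=_first_wins), json.loads(text)


# Constructed sample input; the key names are hypothetical.
SAMPLE = '{"action": "status", "data": {"id": 1}, "action": "admin_op"}'

if __name__ == "__main__":
    first, last = views(SAMPLE)
    print("first-wins:", first["action"], "| last-wins:", last["action"])
    try:
        strict_loads(SAMPLE)
    except DuplicateKeyError as exc:
        print("rejected:", exc)
```

Rejecting duplicate keys at the first parser that touches untrusted input removes the disagreement between components instead of relying on every layer resolving it the same way.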

Risk description

The risk is that a remote unauthenticated attacker can fully compromise the XG Firewall device to steal confidential information, install ransomware, or pivot to the internal network.

Recommendation

If the "Allow automatic installation of hotfixes" feature is disabled on the vulnerable device, applying the latest Sophos hotfix or one of the workarounds listed in the advisory should fix the vulnerability.

Detectable with: Network Scanner
Vuln date: Apr 2022
Software Type: Firewall
Vendor: Sophos
Product: XG Firewall
Codename: Not available