Sophos has resolved a severe vulnerability in the software running on its all-in-one Universal Threat Management (UTM) appliances.
A post-authentication SQL injection vulnerability in the appliance's Mail Manager component gave an authenticated attacker a means to run hostile code on a Sophos UTM appliance.
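To show the defect class behind a post-authentication SQL injection, here is an added Python illustration (not Sophos code, and not how UTM's Mail Manager is implemented): an authenticated user's search filter spliced into the SQL text, beside the parameterised form that removes the defect. The quarantine table, its rows and the filter values are constructed for this example.

```python
import sqlite3

# Constructed sample data standing in for a mail-quarantine table. This schema
# is invented for the example and is not Sophos UTM's real Mail Manager storage.
ROWS = [
    ("alice@example.com", "invoice.pdf"),
    ("bob@example.com", "report.docx"),
    ("carol@example.com", "notes.txt"),
]

def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE quarantine (recipient TEXT, filename TEXT)")
    conn.executemany("INSERT INTO quarantine VALUES (?, ?)", ROWS)
    return conn

def search_vulnerable(conn, recipient):
    """The defect pattern: the authenticated user's filter value is pasted
    into the statement text, so the value can change the query's structure."""
    query = (
        "SELECT recipient, filename FROM quarantine "
        f"WHERE recipient = '{recipient}'"
    )
    return conn.execute(query).fetchall()

def search_hardened(conn, recipient):
    """The fix: a parameterised query. The driver passes the value separately
    from the SQL text, so it is only ever compared as data."""
    query = "SELECT recipient, filename FROM quarantine WHERE recipient = ?"
    return conn.execute(query, (recipient,)).fetchall()

def demo():
    """Run both variants on an honest filter and on a filter that is not an
    address but a fragment that widens the WHERE clause; return row counts."""
    conn = make_db()
    honest = "alice@example.com"
    hostile = "x' OR '1'='1"          # constructed, textbook tautology input
    return {
        "vuln_honest": len(search_vulnerable(conn, honest)),
        "vuln_hostile": len(search_vulnerable(conn, hostile)),   # every row leaks
        "safe_honest": len(search_hardened(conn, honest)),
        "safe_hostile": len(search_hardened(conn, hostile)),     # nothing matches
    }

if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count} row(s)")
```

The row counts make the point directly: the string-built query returns the whole table for the hostile filter, while the parameterised query returns nothing because the fragment is compared literally as a recipient address. Post-authentication injection is still worth fixing with the same urgency as an unauthenticated one on an appliance, since any compromised or low-privilege account can reach the flaw.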
The vulnerability (CVE-2022-0386), discovered by Sophos during internal security testing, can be resolved by updating to version 9.710 of the software, released earlier this month.
In a security update, Sophos states that “users of older versions of Sophos UTM are required to upgrade to receive this fix”.
The same update also removes an obsolete SSL VPN client and addresses a lesser, unrelated security vulnerability – tracked as CVE-2022-0652 – in which password hashes were written into system log files.
Although not directly exploitable, these password hashes were left in locations where they might potentially be harvested and abused in offline brute-force attacks.
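Leakage of this kind is easy to miss and easy to check for. As an added example (not Sophos code; the article does not say which hash formats UTM logged, so the patterns below are general-purpose assumptions), here is a small Python scanner that flags hash-like tokens in log lines and produces a redacted copy, run over constructed sample lines whose hash values are invented placeholders.

```python
import re

# Patterns for common password-hash encodings. Which formats the appliance
# actually wrote to its logs is not stated in the article; these are general
# assumptions chosen to cover the usual suspects.
HASH_PATTERNS = [
    # Unix crypt(3)-style: $1$ (MD5), $5$/$6$ (SHA-crypt), $2a$/$2b$/$2y$ (bcrypt)
    ("crypt", re.compile(r"\$(?:1|5|6|2[aby]?)\$[A-Za-z0-9./$]+")),
    # Bare hex digests, 32 to 128 chars (MD5 up to SHA-512 output lengths)
    ("hexdigest", re.compile(r"\b[0-9a-fA-F]{32,128}\b")),
]

# Constructed sample log lines. The hash values are placeholders invented for
# this example, not real credentials and not real appliance output.
SAMPLE_LOG = """\
2022-03-01T10:00:01 utm-mgr: session opened for user admin
2022-03-01T10:00:02 utm-mgr: sync record {"name":"admin","pw":"$6$saltsalt$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyzAB"}
2022-03-01T10:00:03 utm-mgr: legacy record pw=00112233445566778899aabbccddeeff
2022-03-01T10:00:04 utm-mgr: backup finished, 42 files
"""

def find_hashes(line):
    """Return (kind, matched_text) pairs for every hash-like token in a line."""
    found = []
    for kind, pattern in HASH_PATTERNS:
        for match in pattern.finditer(line):
            found.append((kind, match.group(0)))
    return found

def redact(line):
    """Replace each hash-like token with a fixed marker. Crypt hashes are
    handled first so their body is never re-matched by the hex rule."""
    for kind, pattern in HASH_PATTERNS:
        line = pattern.sub(f"[REDACTED-{kind.upper()}]", line)
    return line

def scan(log_text):
    """Scan a log; return (findings, redacted_lines), where findings lists a
    (1-based line number, kind) pair for every hash-like token seen."""
    findings = []
    redacted = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for kind, _ in find_hashes(line):
            findings.append((lineno, kind))
        redacted.append(redact(line))
    return findings, redacted

if __name__ == "__main__":
    hits, cleaned = scan(SAMPLE_LOG)
    for lineno, kind in hits:
        print(f"line {lineno}: {kind} hash-like token found")
    print("\n".join(cleaned))
```

Run as a periodic check over exported appliance logs, the findings list tells you whether credential material is reaching log storage at all; the redacted output is what should be forwarded to a SIEM or retained, since a hash that never leaves the device cannot be harvested for offline cracking.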
UTM devices bundle a variety of security functions into a single appliance that typically includes a network firewall, intrusion prevention, gateway antivirus, web proxy technology, and other security functions.
Such devices are touted for ease of management, but they do bring with them the disadvantage of creating a single point of failure.
Source: https://portswigger.net/daily-swig/sophos-fixes-sql-injection-vulnerability-in-utm-appliance