# CVE-2022-1040
Published 2022-03-25

CVE-2022-1040: An authentication bypass vulnerability in the User Portal and Webadmin allows a remote attacker to execute code in Sophos Firewall version v18.5 MR3 and older.

Priority: P1 · 100 · critical · CVSS 3.1: 9.8
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT · Ransomware · Initial access
CISA Known Exploited Vulnerability, remediation due 2022-04-21
Exploited in the wild
EPSS: 99.80% (100.0th percentile)
## Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sophos | sfos | <= 18.5.3 | — |
| sophos | sophos_firewall | unspecified – 18.5 MR3 | — |
## Detection & IOCs (extracted from sources)
IOC (bytes): XOR key: B2 A6 6D FF
- Flag presence of libsophos.so being loaded via LD_PRELOAD on Sophos XG firewall devices — Pygmy Goat leverages this library for rootkit persistence.
- Detect GoMet persistence technique: the malware replaces existing goodware autorun executables rather than creating new autorun registry entries, and creates fake Windows Update scheduled tasks.
- Alert on Sophos CVE-2022-1040 exploitation scanning activity — GreyNoise observed 357,762 sessions (+71.2%) in a single week with three consecutive weeks of escalation, indicating active mass exploitation.
- Detect BEHINDER webshell framework usage on Sophos Firewall: look for large base64-encoded POST bodies to login.jsp and other portal URLs, consistent with BEHINDER's communication pattern.
- The malicious SessionCheckFilter.class webshell was timestomped by the attacker to match the modification timestamps of legitimate files in the same directory — file timestamp-based detection will not reliably identify this backdoor.
- The binary dropped via pre_install.sh was absent from the C2 server at time of analysis and not present in memory or on disk — defenders may not be able to recover the payload for analysis in all cases.
- At least 3 distinct Chinese state-sponsored threat groups had access to the CVE-2022-1040 exploit prior to public disclosure, indicating a shared exploit pipeline — attribution based on TTPs alone may be insufficient to distinguish between groups.
- The GoMet C2 certificate (SHA-1: 9b5e112e683a3605c9481d8f565cfb3b7e2feab7) is self-signed and was issued April 4, 2021 — TLS certificate validation will not flag this as untrusted in all environments without explicit pinning or inspection.
## CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | | 9.8 | CRITICAL | |
| cisa | | 9.8 | CRITICAL | |
## GHSA
GHSA-9gcv-6rm7-vw3w (ghsa_unreviewed · 2022-03-26 · CWE-287 · CRITICAL)
An authentication bypass vulnerability in the User Portal and Webadmin allows a remote attacker to execute code in Sophos Firewall version v18.5 MR3 and older.
## VulnCheck
Sophos Firewall Authentication Bypass Vulnerability (vulncheck · 2022 · CVSS 9.8 · CWE-158 · CRITICAL)
An authentication bypass vulnerability in User Portal and Webadmin of Sophos Firewall allows for remote code execution.
Affected: Sophos Firewall
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.bleepingcomputer.com/news/security/hackers-tried-to-use-sophos-firewall-zero-day-to-deploy-ransomware/; https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://api.vulncheck.com/v3/index/sans-dshield?cve=CVE-2022-1040; https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-firewall-exploitation-and-an-insidious-breach/; ht
## CISA
Sophos Firewall Authentication Bypass Vulnerability (cisa · 2022-03-31 · CVSS 9.8 · CWE-158 · CRITICAL)
Affected: Sophos Firewall
An authentication bypass vulnerability in User Portal and Webadmin of Sophos Firewall allows for remote code execution.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2022-1040
Remediation Due Date: 2022-04-21
## CISA
CVE-2020-1040: Microsoft Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability (cisa · 2021-11-03 · CVSS 9.0 · CWE-20 · CRITICAL)
Affected: Microsoft Hyper-V RemoteFX
Microsoft Hyper-V RemoteFX vGPU contains an improper input validation vulnerability due to the host server failing to properly validate input from an authenticated user on a guest operating system. Successful exploitation allows for remote code execution on the host operating system.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2020-1040
Remediation Due Date: 2022-05-03
## Suricata
ET EXPLOIT Sophos Firewall Authentication Bypass (CVE-2022-1040) (suricata · 2022-05-09 · CVSS 9.8 · CRITICAL)
Rule (truncated in source):
```
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Sophos Firewall Authentication Bypass (CVE-2022-1040)"; flow:established,to_server; flowbits:set,ET.SophosAuthBypass; http.method; content:"POST"; http.uri; content:"/userportal/Controller?"; fast_pattern; startswith; content:"mode="; content:"operation="; content:"datagrid="; content:"json="; http.header; header_lowercase; content:"x-requested-with|3a 20|XMLHttpRequest"; http.header_names; to_lowercase; content:!"|0d 0a|referer|0d 0a|"; reference:cve,2022-1040; reference:url,attackerkb.com/topics/cdXl2NL3cR/cve-2022-1040; classtype:attempted-admin; sid:2036548; rev:4; metadata:created_at 2022_05_09, cve CVE_2022_1040, deployment Perimeter, deployment Internal, deplo
```
## Suricata
ET EXPLOIT Sophos Firewall Authentication Bypass (CVE-2022-1040) Server Response M2 (suricata · 2022-05-09 · CVSS 9.8 · CRITICAL)
Rule (truncated in source):
```
alert http $HOME_NET any -> any any (msg:"ET EXPLOIT Sophos Firewall Authentication Bypass (CVE-2022-1040) Server Response M2"; flow:established,to_client; flowbits:isset,ET.SophosAuthBypass; file.data; content:"{|22|status|22 3a 22|-2|22|}"; fast_pattern; reference:cve,2022-1040; reference:url,attackerkb.com/topics/cdXl2NL3cR/cve-2022-1040; classtype:attempted-admin; sid:2036550; rev:3; metadata:created_at 2022_05_09, cve CVE_2022_1040, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_11_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_
```
## Suricata
ET EXPLOIT Sophos Firewall Authentication Bypass (CVE-2022-1040) Server Response M1 (suricata · 2022-05-09 · CVSS 9.8 · CRITICAL)
Rule (truncated in source):
```
alert http $HOME_NET any -> any any (msg:"ET EXPLOIT Sophos Firewall Authentication Bypass (CVE-2022-1040) Server Response M1"; flow:established,to_client; flowbits:isset,ET.SophosAuthBypass; file.data; content:"{|22|status|22 3a 22|Session Expired|22|}"; fast_pattern; reference:cve,2022-1040; reference:url,attackerkb.com/topics/cdXl2NL3cR/cve-2022-1040; classtype:attempted-admin; sid:2036549; rev:3; metadata:created_at 2022_05_09, cve CVE_2022_1040, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_11_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mit
```
## Exploit-DB
Sophos XG115w Firewall 17.0.10 MR-10 - Authentication Bypass (exploitdb · 2022-09-02 · CVSS 9.8 · CRITICAL)
Exploit-DB entry (truncated in source):
```
# Exploit Title: Sophos XG115w Firewall 17.0.10 MR-10 - Authentication Bypass
# Date: 2022-08-04
# Exploit Author: Aryan Chehreghani
# Vendor Homepage: https://www.sophos.com
# Version: 17.0.10 MR-10
# Tested on: Windows 11
# CVE : CVE-2022-1040
# [ VULNERABILITY DETAILS ] :
# This vulnerability allows an attacker to gain unauthorized access to the firewall management space by bypassing authentication.
# [ SAMPLE REQUEST ] :
POST /webconsole/Controller HTTP/1.1
Host: 127.0.0.1:4444
Cookie: JSESSIONID=c893loesu9tnlvkq53hy1jiq103
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
Accept: text/plain, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Reques
```
## Nuclei
Sophos Firewall <=18.5 MR3 - Remote Code Execution (nuclei · CVSS 9.8 · CRITICAL)
Description (garbled in source): Sophos Firewall =18.5 MR4) to mitigate this vulnerability.
Template metadata (truncated in source):
```yaml
reference:
  - https://github.com/killvxk/CVE-2022-1040
  - https://github.com/CronUp/Vulnerabilidades/blob/main/CVE-2022-1040_checker
  - https://nvd.nist.gov/vuln/detail/CVE-2022-1040
  - https://www.sophos.com/en-us/security-advisories/sophos-sa-20220325-sfos-rce
  - https://github.com/Mr-xn/Penetration_Testing_POC
classification:
  cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  cvss-score: 9.8
  cve-id: CVE-2022-1040
  cwe-id: CWE-287
  epss-score: 0.94439
  epss-percentile: 0.99989
  cpe: cpe:2.3:o:sophos:sfos:*:*:*:*:*:*:*:*
metadata:
  verified: true
  max-request: 1
  vendor: sophos
  product: sfos
  shodan-query:
    - http.title:"Sophos"
    - http.title:"sophos"
  fofa-query: title="sophos"
  google-query: intitle:"sophos"
tags: cve,cve2022,sophos,fire
```
## Unit42
The Evolution of Linux Binaries in Targeted Cloud Operations (blogs_unit42 · 2025-06-10)
Nathaniel Quist, Bill Batchelor · Published: June 10, 2025
## Executive Summary
Unit 42 researchers have identified a growing threat to cloud security: Linux Executable and Linkage Format (ELF) files that threat actors are developing to target cloud infrastructure. We predict that threat actors targeting cloud environments will start using more complex tools in their exploits. This will include reworking, improving and tailoring existing tools that historically only targeted Linux operating systems (OS). The ELF malware samples threat actors use will include backdoors, droppers, remote access Trojans (RATs), data wipers and vulnerability-exploiting binaries.
During our investigation, we focused on five ELF-based malware families, each of which threat actor groups have used to target cloud environments during their operations. This involvement in
## Bleepingcomputer
Custom "Pygmy Goat" malware used in Sophos Firewall hack on govt network (blogs_bleepingcomputer · 2024-11-04 · CVSS 9.8 · CRITICAL)
Bill Toulas
UK's National Cyber Security Centre (NCSC) has published an analysis of a Linux malware named "Pigmy Goat" created to backdoor Sophos XG firewall devices as part of recently disclosed attacks by Chinese threat actors.
Last week, Sophos published a series of reports dubbed " Pacific Rim " that detailed five-year attacks by Chinese threat actors on edge networking devices.
One of the custom malware used in these attacks is a rootkit that closely impersonated Sophos product file naming conventions.
The malware, which is designed for compromising network devices, features advanced persistence, evasion, and remote access mechanisms and has a rather complex code structure and execution paths.
Althoug
## Talos
Attackers target Ukraine using GoMet backdoor (blogs_talos · 2022-07-21 · CVSS 9.8 · CRITICAL)
## Executive summary
Since the Russian invasion of Ukraine began, Ukrainians have been under a nearly constant barrage of cyber attacks. Working jointly with Ukrainian organizations, Cisco Talos has discovered a fairly uncommon piece of malware targeting Ukraine — this time aimed at a large software development company whose software is used in various state organizations within Ukraine. We believe that this campaign is likely sourced by Russian state-sponsored actors or those acting in their interests. As this firm is involved in software development, we cannot ignore the possibility that the perpetrating threat actor's intent was to gain access to source a supply chain-style attack, though at this time we do not have any evidence that they were successful. Cisco Talos confirmed that the
## Volexity
DriftingCloud: Zero-Day Sophos Firewall Exploitation and an Insidious Breach (blogs_volexity · 2022-06-15 · Threat Intelligence)
June 15, 2022 · Steven Adair, Tom Lancaster, and Volexity Threat Research
Volexity frequently works with individuals and organizations heavily targeted by sophisticated, motivated, and well-equipped threat actors from around the world. Some of these individuals or organizations are attacked infrequently or on an irregular basis, while others see a barrage of attacks nearly every week. Regardless of the attack frequency, Volexity keeps its guard up, looking for new and old threats however they manifest themselves.
Earlier this year, Volexity detected a sophisticated attack against a customer that is heavily targeted by multiple Chinese advanced persistent threat (APT) groups. This particula
## Checkpoint
28th March – Threat Intelligence Report (blogs_checkpoint · 2022-03-28 · tagged CVE-2022-24934)
## 28th March – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 28th March, please download our Threat Intelligence Bulletin.
Top Attacks and Breaches
Large companies including Microsoft, Okta, NVIDIA, Samsung & Ubisoft have been breached by the Lapsus$ hacking group. This cyber gang is best known for publishing sensitive information stolen from major technology companies and governments. How the gang managed to breach these targets is not yet clear to the public. In recent
## Greynoiseio
At The Edge Clear: March 2 (blogs_greynoiseio)
## Greynoiseio
At The Edge Clear: Feb 23 (blogs_greynoiseio)
## Recorded Future
Chinese State-Sponsored Group TA413 Adopts New Capabilities in Pursuit of Tibetan Targets (blogs_recorded_future · CVSS 9.8 · CRITICAL)
Editor's Note: The following post is an excerpt of a full report. To read the entire analysis, click here to download the report as a PDF.
This report details multiple campaigns conducted by the likely Chinese state-sponsored threat activity group TA413. The activity was identified through a combination of large-scale automated network traffic analytics and expert analysis. This report will be of most interest to individuals and organizations with strategic and operational intelligence requirements relating to Chinese cyber threat activity, as well as humanitarian and other organizations concerned with Tibetan interests. With thanks to our colleagues at Sophos for early sharing and collaboration.
## Executive Summary
Recorded Future's analysts continue to observe targeting of ethnic and religious minority communities by Chinese sta
## Greynoiseio
At The Edge Clear: March 16-23, 2026 (blogs_greynoiseio)
## Greynoiseio
At The Edge Clear: March 9-16, 2026 (blogs_greynoiseio)
## Bugzilla
CVE-2022-23824: hw: cpu: AMD: IBPB and Return Address Predictor Interactions (bugzilla · 2022-08-17 · CVSS 5.6 · MEDIUM)
IBPB may not prevent return branch predictions from being specified by pre-IBPB branch targets, leading to a potential information disclosure.
This issue (CVE-2022-23824, or AMD-SN-1040) is related to CVE-2017-5715, previously known as Spectre Variant 2. As part of its efforts to continue improving security features, AMD has investigated issues related to CVE-2017-5715 in recent months. One of the potential issues related to CVE-2017-5715 was previously reported in AMD-SN-1036. In some situations, IBPB may fail to prevent return branch predictions from being specified by pre-IBPB branch targets, leading to potential information disclosure.
Reference:
https://www.amd.com/en/corporate/product-security/bulletin/amd-s
## References
- http://packetstormsecurity.com/files/168046/Sophos-XG115w-Firewall-17.0.10-MR-10-Authentication-Bypass.html
- https://www.exploit-db.com/exploits/51006
- https://www.sophos.com/en-us/security-advisories/sophos-sa-20220325-sfos-rce
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-1040

## Timeline
- 2022-03-25: Published
- 2022-03-31: Added to CISA KEV
- Exploited in the wild