CVE-2022-3710: Sophos Firewall

Severity: Medium
Type: Vulnerability (CWE-89)
Published: Thu Dec 01 2022 (12/01/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: Sophos
Product: Sophos Firewall

Description

A post-auth read-only SQL injection vulnerability allows API clients to read non-sensitive configuration database contents in the API controller of Sophos Firewall releases older than version 19.5 GA.

AI-Powered Analysis

Last updated: 06/24/2025, 01:56:18 UTC

Technical Analysis

CVE-2022-3710 is a post-authentication read-only SQL injection vulnerability affecting Sophos Firewall products in versions prior to 19.5 GA. The vulnerability resides in the API controller component of the firewall, which processes API client requests. Specifically, it allows an authenticated API client to perform SQL injection attacks that can read non-sensitive configuration data from the firewall's backend database. The vulnerability is classified under CWE-89, indicating improper neutralization of special elements used in an SQL command. Although the injection is read-only and does not permit modification or deletion of data, it exposes internal configuration details that could aid an attacker in further reconnaissance or targeted attacks. The vulnerability requires prior authentication, meaning an attacker must have valid API credentials or access to an authenticated session to exploit it. There are no known public exploits in the wild, and no official patches or updates have been linked in the provided information. The affected versions are not precisely specified but are all versions older than 19.5 GA. The vulnerability was reserved in late October 2022 and publicly disclosed in December 2022. The impact is limited to information disclosure of non-sensitive configuration data, which reduces the severity compared to vulnerabilities allowing full database access or command execution. However, given the critical role of Sophos Firewall in network security, any leakage of configuration information could facilitate lateral movement or targeted attacks within a network.

Potential Impact

For European organizations, the impact of CVE-2022-3710 primarily involves potential exposure of internal firewall configuration data, which could include network topology, firewall rules, VPN configurations, and other metadata. While the data is described as non-sensitive, such information can still be leveraged by attackers to map network defenses, identify potential weaknesses, or craft more effective attacks. Organizations relying on Sophos Firewall for perimeter defense, especially those in critical infrastructure sectors such as finance, healthcare, energy, and government, could face increased risk of targeted intrusions if attackers gain authenticated access to the API. The requirement for authentication limits the risk to insiders, compromised credentials, or attackers who have already breached perimeter defenses. However, in environments where API credentials are shared or insufficiently protected, the risk is elevated. Additionally, the exposure of configuration data could aid attackers in evading detection or disabling security controls. Given the widespread use of Sophos Firewall in European enterprises and public sector organizations, this vulnerability could have a moderate impact on confidentiality and indirectly affect integrity and availability through enabling subsequent attacks.

Mitigation Recommendations

To mitigate CVE-2022-3710, European organizations should:

1) Immediately upgrade Sophos Firewall installations to version 19.5 GA or later, where this vulnerability is addressed. If upgrading is not immediately possible, restrict API access to trusted networks and users only, using network segmentation and firewall rules.
2) Enforce strong authentication mechanisms for API access, including multi-factor authentication and strict credential management policies to prevent unauthorized access.
3) Audit and monitor API usage logs for unusual or unauthorized access patterns that could indicate exploitation attempts.
4) Limit API client privileges to the minimum necessary, avoiding broad or administrative access where possible.
5) Conduct internal security assessments to identify any exposed API endpoints and ensure they are protected by appropriate access controls.
6) Implement network-level protections such as IP allow-listing for API clients and use VPNs or secure tunnels for remote API access.
7) Educate administrators and security teams about this vulnerability and the importance of securing API credentials and access.

These steps go beyond generic patching advice by emphasizing access control, monitoring, and credential hygiene specific to the API attack vector.

Technical Details

Data Version: 5.1
Assigner Short Name: Sophos
Date Reserved: 2022-10-27T00:00:00.000Z
CISA Enriched: true

Added to database: 5/21/2025, 9:09:20 AM

Last enriched: 6/24/2025, 1:56:18 AM

Last updated: 7/5/2025, 7:29:52 AM
