Vulnerabilities reported in Sophos Web Appliance

  • Article ID: 119773
  • Updated: 25 Sep 2013


As a security company, keeping our customers safe is our primary responsibility. Improving protection is key, as is ensuring the security of our own products. We achieve this through rigorous and regular testing, and by welcoming findings from independent security researchers.

On 12 August 2013, Core Security Technologies contacted Sophos to report a pair of vulnerabilities they had discovered in the Sophos Web Appliance. Exploited in combination, the two allow a remote attacker to escalate privileges and run an arbitrary command as root on the appliance.

On 13 August 2013 we received a separate report showing that a known medium-severity Apache HTTP Server vulnerability, CVE-2012-0053 (an information leak in which a malformed or oversized request header causes the Apache 400 Bad Request error page to echo request headers, exposing the values of HttpOnly cookies), was still present on the Web Appliance in certain situations.

The reported issues were resolved in the 3.7.9.1 and 3.8.1.1 releases of the Sophos Web Appliance software in September 2013.

Sophos greatly appreciates the work of the security researchers at Core Security Technologies. We acknowledge the contribution they make to the security of our products, our customers, and the technology community as a whole.

Am I protected?

Your appliance should be updated within a few days of the fixed version being made available. The Sophos Web Appliance is currently going through an extended upgrade cycle: customers running version 3.7.9 of the appliance software are being upgraded to version 3.8.1 gradually between late July and late September. Version 3.8.x uses a new URL categorization system, Live Protection, and because of the potential for disruption we chose to roll the upgrade out gradually.

The consequence is that, to protect customers on both branches, we have issued two updates: one for the 3.7.x version and one for the 3.8.x version. This allows the gradual rollout of Live Protection to continue. Customers do not need to take any action for either update to be applied.

Customers who have disabled automatic updating, or who want to apply the update sooner, can do so from the Web Appliance UI. The software version the appliance is currently running is shown at the top right of the dashboard page. The Configuration > System > Updates page lists, in the Software engine section, the current software version and any available software updates, with an option to start a pending update at any time before the scheduled automatic update. Alternatively, temporarily enable automatic updating and the appliance will apply the update in the next available window.

Details of vulnerabilities

Unauthenticated command execution - CVE-2013-4983
Description: An unauthenticated remote attacker could execute arbitrary OS commands on the Sophos appliance
Affected product(s): Sophos Web Appliance version 3.7.9 and earlier; 3.8.0 and 3.8.1
Fixed in: Sophos Web Appliance version 3.7.9.1 and 3.8.1.1
First reported to us: 12 August 2013
Exploit seen in the wild? No


Cross Site Scripting (XSS) - CVE-2013-4984
Description: Cookie information could be exposed to an attacker, which could have enabled a cross-site scripting attack against the appliance UI
Affected product(s): Sophos Web Appliance version 3.7.9 and earlier; 3.8.0 and 3.8.1
Fixed in: Sophos Web Appliance version 3.7.9.1 and 3.8.1.1
First reported to us: 12 August 2013
Exploit seen in the wild? No
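The version ranges above are easy to misread because the fix is branch-specific: 3.7.9 is affected but 3.7.9.1 is not, and 3.8.1 is affected but 3.8.1.1 is not. The following Python is an added example (not Sophos code and not part of this article) that encodes only the affected and fixed versions listed above so that an inventory of appliance versions can be triaged without comparing strings by eye. The sample inventory is constructed, and the treatment of branches newer than 3.8 as already fixed is an assumption, not something the article states.

```python
# Added example for this advisory; it is not Sophos code. It encodes only the
# affected/fixed versions stated in the article. Treating any branch newer
# than 3.8 as post-dating the fix is an assumption, not a statement on the page.
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int, int]

# Fixed release per branch, as listed under "Fixed in".
FIXED_BY_BRANCH: Dict[Tuple[int, int], Version] = {
    (3, 7): (3, 7, 9, 1),
    (3, 8): (3, 8, 1, 1),
}


def parse_version(text: str) -> Version:
    """Parse '3.7.9' or '3.8.1.1' into a four-field tuple.

    Padding with zeros makes 3.7.9 compare as (3, 7, 9, 0), which is
    strictly less than the fixed build (3, 7, 9, 1), so an affected
    three-field version is never mistaken for its fixed four-field successor.
    """
    parts = [int(p) for p in text.strip().split(".")]
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {text!r}")
    while len(parts) < 4:
        parts.append(0)
    return (parts[0], parts[1], parts[2], parts[3])


def required_update(text: str) -> Optional[str]:
    """Return the fixed release for this appliance's branch, or None if the
    running version is already at or past that fix."""
    v = parse_version(text)
    branch = v[:2]
    if branch in FIXED_BY_BRANCH:
        fixed = FIXED_BY_BRANCH[branch]
        return ".".join(map(str, fixed)) if v < fixed else None
    if branch < (3, 7):
        # "3.7.9 and earlier" is affected; the 3.7.x fix is the target release.
        return "3.7.9.1"
    # Assumption: branches newer than 3.8 were released after the fix.
    return None


def is_affected(text: str) -> bool:
    return required_update(text) is not None


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (host, running_version, target_version) for each appliance
    that still needs one of the September 2013 releases."""
    needs_update = []
    for host, ver in inventory:
        target = required_update(ver)
        if target is not None:
            needs_update.append((host, ver, target))
    return needs_update


# Constructed sample data; these are not real hostnames.
SAMPLE_INVENTORY = [
    ("swa-hq-01", "3.7.9"),
    ("swa-hq-02", "3.7.9.1"),
    ("swa-branch-01", "3.8.0"),
    ("swa-branch-02", "3.8.1.1"),
]

if __name__ == "__main__":
    for host, ver, target in triage(SAMPLE_INVENTORY):
        print(f"{host}: running {ver}, update to {target}")
```

Feed it the version string shown at the top right of each appliance's dashboard; anything it reports should be updated from the Configuration > System > Updates page as described above.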

 
If you need more information or guidance, please contact technical support.
