Vulnerabilities reported in Sophos Web Appliance

  • Article ID: 118969
  • Updated: 03 Apr 2013

As a security company, keeping our customers safe is our primary responsibility. Improving protection is of course key, as is ensuring the security of our products. We achieve this through rigorous and regular testing, and by welcoming findings from independent security researchers.

On 21 February 2013, Sophos was contacted by Stefan Viehböck of SEC Consult Vulnerability Lab. His report outlined vulnerabilities discovered by Wolfgang Ettlinger in the web-based user interface (UI) of the Sophos Web Appliance.

The issues reported were resolved with the 3.7.8.2 release of the Sophos Web Appliance software in March 2013. This went to an initial group of customers on March 18, to a larger group on March 25 and will be made available to all remaining customers on April 1.

Sophos greatly appreciates the work of security researchers like Wolfgang Ettlinger and Stefan Viehböck. We acknowledge the contribution they make to the security of our products, our customers, and the technology community as a whole.

Am I protected?

Your appliance should be updated within a few days after the fixed version is made available. All versions numbered after 3.7.8.2 will contain the fixes.

The software version your Sophos Web Appliance is currently running is displayed in the top right of the dashboard page. To confirm that your appliance has been updated to the latest software version, navigate to the Configuration > System > Updates page. The Software engine section on that page lists the current software version and any available software updates; from there you can manually start a pending software update at any time before the scheduled automatic update.

Details of vulnerabilities

Local File Disclosure
Vulnerability ID: CVE-2013-2641
Description: Unauthenticated users could download arbitrary files from the Sophos Web Appliance with the rights of a privileged operating system user. This user has access to clear text passwords and valid PHP session IDs.
Affected product(s): Sophos Web Appliance version 3.7.8.1 and earlier
Fixed in: Sophos Web Appliance version 3.7.8.2
First reported to us: 21 February 2013
Exploit seen in the wild? No


OS Command Injection
Vulnerability ID: CVE-2013-2642
Description: OS command injections were discovered that allow an administrative user to execute commands as a privileged user. Under certain preconditions, unauthenticated users can do so as well.
Affected product(s): Sophos Web Appliance version 3.7.8.1 and earlier
Fixed in: Sophos Web Appliance version 3.7.8.2
First reported to us: 21 February 2013
Exploit seen in the wild? No

Cross Site Scripting (XSS)
Vulnerability ID: CVE-2013-2643
Description: Reflected cross site scripting vulnerabilities were found. An attacker could have used these vulnerabilities to conduct phishing attacks.
Affected product(s): Sophos Web Appliance version 3.7.8.1 and earlier
Fixed in: Sophos Web Appliance version 3.7.8.2
First reported to us: 21 February 2013
Exploit seen in the wild? No
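As an added example (not part of the Sophos advisory or its software), the following Python check takes the version string shown on the appliance dashboard (see "Am I protected?" above) and reports which of the three CVEs listed here still apply. The version numbers and CVE ids come from this page; the inventory format and the function names are assumptions.

```python
# Added example, not Sophos code: decide from the version string shown on the
# appliance dashboard whether the three advisories above still apply.
# Versions and CVE ids are taken from the advisory; the inventory shape and the
# function names are assumptions about how a fleet-check script might use it.
import re

FIXED_IN = (3, 7, 8, 2)  # 3.7.8.2 resolves all three issues per the advisory

ADVISORIES = {
    "CVE-2013-2641": "Local file disclosure (unauthenticated)",
    "CVE-2013-2642": "OS command injection",
    "CVE-2013-2643": "Reflected cross site scripting",
}


def parse_version(text):
    """Turn '3.7.8.2' into (3, 7, 8, 2). Numeric tuples compare correctly;
    comparing the raw strings would wrongly rank '3.7.8.10' below '3.7.8.2'."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def is_fixed(version):
    """True when the running version is 3.7.8.2 or any later version."""
    return parse_version(version) >= FIXED_IN


def open_advisories(version):
    """Return the CVE ids from this advisory that still apply to `version`."""
    if is_fixed(version):
        return []
    return sorted(ADVISORIES)


def triage(inventory):
    """Map each appliance (name -> reported version) to its outstanding CVEs,
    so the ones that still need a manual update stand out."""
    return {host: open_advisories(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real appliance data.
    sample = {"swa-hq": "3.7.8.2", "swa-branch": "3.7.8.1",
              "swa-lab": "3.7.8.10", "swa-old": "3.6.4"}
    for host, cves in triage(sample).items():
        print(host, "up to date" if not cves else ", ".join(cves))
```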

 
If you need more information or guidance, then please contact technical support.
