This week, Sophos announced security updates that address several vulnerabilities in its Sophos Web Appliance. The most serious of these is a critical bug that could lead to code execution.
Sophos Web Appliance is a web security solution that enables administrators to create, enforce and manage web access policies from a single interface. According to Sophos, the critical bug, tracked as CVE-2023-1671 (CVSS score of 9.8), is a pre-auth command injection vulnerability in the warning page handler of the appliance, allowing for the execution of arbitrary code without authentication.
To resolve this and two other bugs, Sophos released Sophos Web Appliance 4.3.10.4. The first of these is a high-severity code execution vulnerability in the exception wizard, tracked as CVE-2022-4934 (CVSS score of 7.2). The second is a medium-severity cross-site scripting (XSS) flaw in the report scheduler, tracked as CVE-2020-36692.
Patches for all vulnerabilities are delivered to Sophos Web Appliance users via automatic updates. Additionally, Sophos recommends placing the appliance behind a firewall and blocking internet access to it. Finally, Sophos recommends that Web Appliance customers migrate to Sophos Firewall before it reaches end-of-life (EoL) status on July 20, 2023.
In summary, Sophos this week released security updates that resolve several vulnerabilities in Sophos Web Appliance. These updates address a critical bug leading to code execution, a high-severity code execution issue and a medium-severity XSS flaw. To protect against these vulnerabilities, users should install the latest patches, place the appliance behind a firewall and block internet access to it, and consider migrating to Sophos Firewall before it reaches EoL status.