Sophos recently announced that several vulnerabilities in the Sophos Web Protection Appliance were reported to the company by Stefan Viehbock of SEC Consult Vulnerability Lab on February 21, 2013 (h/t The H Security).
The security flaws, Sophos says, were patched with the release of version 126.96.36.199 of the Sophos Web Appliance software in March 2013.
According to an SEC Consult advisory, "An attacker can get unauthorized access to the appliance and plant backdoors or access configuration files containing credentials for other systems (eg. Active Directory/FTP login) which can be used in further attacks. Since all web traffic passes through the appliance, interception of HTTP as well as the plaintext form of HTTPS traffic (if HTTPS Scanning feature in use), including sensitive information like passwords and session Cookies is possible."
Sophos says none of the vulnerabilities appear to have been exploited in the wild. The relevant update was released to customers in three phases, on March 18, March 25 and April 1.
"The software version your Sophos Web Appliance is currently running is displayed in the top right of the dashboard page," Sophos notes. "To ensure your appliance is updated to the latest software version, navigate to the Configuration > System > Updates page. On this page, the Software engine section lists the current software version and available software updates, where you can manually initiate a pending software update any time prior to the scheduled automatic software update."