Sophos tells customers to apply security update for Web Protection Appliance

Security vendor Sophos is urging customers to immediately install an update that resolves three security flaws found in its Web Protection Appliance.

The flaws were reported to Sophos on February 21 by Austria-based SEC Consult Vulnerability Lab.

Sophos said it began rolling out the fixed version to a first group of customers on March 18, followed by a larger group on March 25 and the remaining customers on April 1.

In an advisory yesterday, Sophos asked administrators to check that their Web Protection Appliance is running version 3.7.8.2, which resolves the flaws present in 3.7.8.1 and earlier.
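The version check the advisory asks for is easy to get wrong when done as a string comparison (a later build such as 3.7.10 sorts before 3.7.8 as text). The following is an added example, not code from the article, Sophos or SEC Consult: it compares dotted version strings numerically against the fixed release named above and lists which appliances in a constructed inventory still need the update. How the version string is read off a given appliance is not described on the page, so the caller is assumed to supply it.

```python
"""Added example (not from the CSO article, Sophos or SEC Consult).

Classify Web Protection Appliance version strings against the fixed
release 3.7.8.2 named in the Sophos advisory: 3.7.8.1 and earlier are
affected, 3.7.8.2 and later carry the fix. Obtaining the version from
an appliance is out of scope here; the caller passes the string in.
"""
from typing import Dict, List, Tuple

# Fixed release as reported in the article.
FIXED_VERSION = "3.7.8.2"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '3.7.8.1' into (3, 7, 8, 1).

    Comparing integer tuples avoids the text-comparison trap where
    '3.7.10' < '3.7.8' because '1' sorts before '8'. A shorter tuple that
    is a prefix of a longer one compares as smaller, so '3.7.8' < '3.7.8.2'.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def is_fixed(version: str) -> bool:
    """True when the appliance runs 3.7.8.2 or later."""
    return parse_version(version) >= parse_version(FIXED_VERSION)


def needs_update(inventory: Dict[str, str]) -> List[str]:
    """Return the hostnames (sorted) whose reported version is still affected.

    `inventory` maps hostname -> version string as reported by the appliance.
    """
    return sorted(host for host, ver in inventory.items() if not is_fixed(ver))


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {
        "wpa-syd-01": "3.7.8.1",   # affected: one build before the fix
        "wpa-syd-02": "3.7.8.2",   # fixed
        "wpa-mel-01": "3.7.7",     # affected: earlier than 3.7.8.1
        "wpa-per-01": "3.7.10",    # fixed: later than 3.7.8.2 despite sorting first as text
    }
    for host in needs_update(sample):
        print(f"{host}: running {sample[host]}, update to {FIXED_VERSION} or later")
```

Run it as a script to see the affected hosts from the sample inventory; for real use, feed `needs_update` a mapping built from whatever inventory or management source records each appliance's version.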

The security vendor notes that it has not seen exploits for the flaws in the wild.

One flaw could allow an attacker to obtain clear-text passwords and valid PHP session IDs. A second flaw could let an authenticated user execute arbitrary commands as a privileged user, which SEC Consult notes could allow them to plant a backdoor or intercept traffic passing through the appliance. The third flaw could allow an attacker to conduct phishing attacks.

Wolfgang Ettlinger and Stefan Viehböck, the two SEC Consult researchers who discovered and reported the flaws to Sophos, urged customers to “switch off” the product until the vendor had audited and resolved the security deficiencies they say exist in its source code.

Sophos notes in its advisory that it improves its products by conducting “rigorous and regular testing” in addition to findings from independent security advisers.

Stories by Liam Tung