Security vendor Sophos is urging customers to immediately install an update that resolves three security flaws found in its Web Protection Appliance.
The flaws were reported to Sophos on February 21 by the Austria-based SEC Consult Vulnerability Lab.
Sophos said it began releasing a version that fixed the vulnerabilities to a group of customers from March 18, followed by a larger group on March 25 and remaining customers on April 1.
In an advisory yesterday, Sophos asked administrators to check that the Web Protection Appliance software is running version 3.7.8.2, which resolves the flaws present in version 3.7.8.1 and earlier.
The security vendor notes that it has not seen exploits for the flaws in the wild.
One flaw could allow an attacker to gain access to clear text passwords and valid PHP session IDs. A second flaw could let an authenticated user execute arbitrary commands as a privileged user, which SEC Consult notes could allow them to plant a back door or intercept traffic passing through the appliance. The third flaw could allow an attacker to conduct phishing attacks.
Wolfgang Ettlinger and Stefan Viehböck, the two SEC Consult researchers who discovered and reported the flaws to Sophos, urged customers to “switch off” the product until the vendor had audited its source code and resolved the security deficiencies they said they had found in it.
Sophos notes in its advisory that it improves its products by conducting “rigorous and regular testing” in addition to findings from independent security advisers.