Critical Vulnerability in Sophos Web Appliance Enables Code Smuggling


Sophos Web Appliance: Security Gaps Fixed

Cybersecurity company Sophos has issued an update to its Sophos Web Appliance (SWA) software that closes three security gaps that could allow attackers to inject and execute malicious code. One of the vulnerabilities is rated critical: it lets attackers inject arbitrary commands without prior authentication. IT managers must ensure that the fixed version is installed and running on the appliance, as the risk ratings of the vulnerabilities range from high to critical.

Sophos Web Appliance: Automatic Updates

The SWA software version 4.3.10.4 closes the security gaps. SWAs download and install updates automatically by default, but administrators should check whether they are up to date and whether a restart is necessary. Sophos has also advised that the SWA will reach end-of-life on July 20, 2023, and will no longer receive support. To reduce risk, the company recommends setting up a firewall to seal off the appliance from the internet.

Sophos Knowledgebase: Migrate to Sophos Firewall

Sophos further advised that users of its web appliance should migrate to the Sophos Firewall, and has provided a Sophos Knowledgebase article explaining the migration process. The vulnerabilities were reported to Sophos through its bug bounty program, meaning that they are currently not being exploited in the wild. The previous vulnerabilities were reported in mid-2017, which led to Sophos delivering updates via encrypted HTTPS.

Conclusion

Sophos has released an update to its popular Sophos Web Appliance software, fixing known security gaps to protect against a range of exploitation risks. Cybersecurity professionals should ensure that they have installed the latest version and taken additional protective measures, such as setting up a firewall or migrating to the Sophos Firewall, to reduce the risk of exploitation. However, given that these vulnerabilities were discovered through a bug bounty program, it is essential to remain vigilant, as vulnerabilities may yet be found by hackers in the wild.
