CVE-2023-1671: Critical Pre-Auth Command Injection Vulnerability in Sophos Web Appliance

In today’s digital landscape, businesses, and organizations are constantly at risk from an ever-evolving array of cyber threats. As such, robust web security is crucial for maintaining the safety and integrity of your data and networks. The Sophos Web Appliance (SWA) offers a comprehensive web security solution with an easy-to-use administrative interface, customizable URL-handling policies, and automated software updates. However, even the most sophisticated security tools are not immune to vulnerabilities. Three security vulnerabilities were recently discovered in the SWA.

Image: Sophos

1. CVE-2023-1671: Critical Pre-Auth Command Injection Vulnerability

In an ongoing effort to ensure the highest level of security for its users, Sophos actively encourages external researchers to participate in its bug bounty program. One such researcher recently discovered a critical pre-authentication command injection vulnerability (CVE-2023-1671) in the SWA’s warn-proceed handler. This vulnerability could allow an attacker to execute arbitrary code without requiring authentication.

2. CVE-2022-4934: High Post-Auth Command Injection Vulnerability

Another recent vulnerability, CVE-2022-4934, affects the SWA’s exception wizard. This high-severity post-authentication command injection vulnerability allows administrators to execute arbitrary code. The researcher who discovered this vulnerability also disclosed it responsibly through the Sophos bug bounty program.

3. CVE-2020-36692: Medium Reflected XSS via POST Vulnerability

The third vulnerability, CVE-2020-36692, is a medium-severity reflected cross-site scripting (XSS) flaw that targets the SWA’s report scheduler. To exploit this vulnerability, an attacker must trick a logged-in victim into submitting a malicious form on an attacker-controlled website. Successful exploitation results in the execution of JavaScript code in the victim’s browser.

While this vulnerability requires more specific conditions for successful exploitation, it highlights the importance of user vigilance in mitigating potential security risks.

Securing Your Sophos Web Appliance: Automatic Updates and Firewall Protection

Sophos recognizes the importance of addressing these vulnerabilities in a timely manner. In response, the company has released SWA 4.3.10.4 to address these issues. The good news for SWA customers is that there is no action required on their part, as updates are installed automatically by default.

According to the Sophos security advisory, none of the flaws addressed in this advisory were publicly disclosed or found to be exploited in the wild

However, Sophos does recommend that the Web Appliance be protected by a firewall and not accessible via the public Internet. This additional layer of security further reduces the risk of unauthorized access and exploitation of any potential vulnerabilities.