InfoSecBulletin Cybersecurity for mankind
Sophos has released a new security advisory that has fixed 3 of its significant vulnerabilities, allowing threat actors to execute arbitrary code injection on Sophos Web Appliance (SWA).
CVE(s):
- CVE-2023-1671 – Pre-Auth Command Injection
- CVE-2022-4934 – Post-Auth Command Injection
- CVE-2020-36692 – Reflected XSS via POST method
CVE-2023-1671 – Pre-Auth Command Injection in Sophos Web Appliance
CVSS Score: 9.8 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
This vulnerability exists on the warn-proceed handler, allowing threat actors to execute arbitrary code. An external security researcher reported it through the Sophos Bug Bounty Program.
Vulnerable Products:
Sophos Web Appliance 4.3.10.4 and older versions
CVE-2022-4934 – Post-Auth Command Injection in Sophos Web Appliance
CVSS Score: 7.2 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
This vulnerability exists on the exception wizard handler, allowing administrators to execute arbitrary code. An external security researcher reported it through the Sophos Bug Bounty Program.
Vulnerable Products:
Sophos Web Appliance 4.3.10.4 and older versions
CVE-2020-36692 – Reflected XSS via POST method in Sophos Web Appliance
CVSS Score: 5.4 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
This vulnerability exists on the report scheduler, allowing threat actors to execute Javascript code on the victim’s browser. To exploit this vulnerability, a threat actor must trick a victim into submitting a malicious form on any compromised website.
In contrast, the victim is logged on to Sophos Web Appliance. An external security researcher reported it through the Sophos Bug Bounty Program.
Vulnerable Products:
Sophos Web Appliance 4.3.10.4 and older versions
Recommendations:
- Sophos has released patches to fix these vulnerabilities, which no longer need customer interaction since they are automatically updated.
- Sophos has also requested to keep Sophos Web Appliance protected from exposing to the internet
Release Notes:
| Work Order | Description |
| NSWA-1689 | Resolved an XSS vulnerability in the report scheduler (CVE-2020-36692). |
| NSWA-1756 | Resolved a vulnerability in the exception wizard (CVE-2022-4934). |
| NSWA-1763 | Resolved a vulnerability in the warning page handler (CVE-2023-1671). |
