Sophos has released security updates to resolve several vulnerabilities in its Web Appliance, including a critical unauthenticated code execution bug. The appliance is a web security solution that enables administrators to set and enforce web access policies from a single interface.
The critical vulnerability, identified as CVE-2023-1671 and having a CVSS score of 9.8, is found in the warning page handler of the appliance and can be exploited without authentication. The cybersecurity company describes the bug as “a pre-auth command injection vulnerability in the warn-proceed handler allowing execution of arbitrary code”. Sophos addressed the flaw with the release of Sophos Web Appliance 22.214.171.124.
Patches for all the vulnerabilities are delivered to Sophos Web Appliance users via automatic updates. The company recommends placing the appliance behind a firewall and blocking internet access to it. The Sophos Web Appliance is set to reach end-of-life (EoL) status on July 20, 2023, and Sophos advises customers to migrate to Sophos Firewall.