Sophos has released a patch for the issue described below, which has been found in the SafeGuard Enterprise Device Encryption Client (all versions, including 5.50.8) and in SafeGuard Easy/Sophos Disk Encryption 5.50.x. It is recommended that you apply this patch as soon as possible.
A potential vulnerability has been found in SafeGuard Enterprise 5.x, SafeGuard Easy 5.5x and Sophos Disk Encryption 5.5x that could allow an informed attacker, under specific circumstances, to reuse outdated or invalidated credentials to gain local access to an endpoint computer.
Known to apply to the following Sophos product(s) and version(s):
SafeGuard Enterprise Device Encryption 5.x
SafeGuard Easy Device Encryption Client 5.50.x
Sophos Disk Encryption 5.50.x
All supported operating systems
What To Do
Install the available patch for the corresponding version in use. This removes the potential vulnerability on the endpoint. The patch can be downloaded from sophos.com, and installation takes less than a minute.
For detailed information on how to apply an .msp file, refer to the knowledge base article "SafeGuard: How to apply a Windows installer patch to a SafeGuard product".
Please note: The patches in this article will be integrated into future versions of these products: SafeGuard Enterprise, SafeGuard Easy and Sophos Disk Encryption.
It has been discovered that in some cases outdated or invalidated credentials were not immediately removed from the system. This could be exploited by a skilled attacker. However, because the behaviour depends on multiple factors, it cannot be predicted whether a given system is vulnerable at a given moment. We therefore recommend that you apply the patch as soon as possible to provide full protection against the vulnerability.
Download the patch
The patch is available for the following versions: