Vulnerabilities reported in Sophos Email Appliance

  • Article ID: 119051
  • Updated: 13 Mar 2013


As a security company, keeping our customers safe is our primary responsibility. Improving protection is of course key, as is ensuring the security of our products. We achieve this through rigorous and regular testing as well as welcoming findings from independent security advisers. 

Sophos was approached in September 2012 by security researcher Ben Williams of the NCC Group regarding vulnerabilities that he had discovered in the Sophos Email Appliance. More details about the vulnerabilities are provided below.

The issues reported were resolved with a release in January 2013, version 3.7.7.0. Sophos’s ‘Managed Appliance’ model means that this update would have been pushed out and applied to all customers within a short period of time.

At the time of writing, NCC Group have not published details of these vulnerabilities. However, Ben Williams is planning to discuss them in the context of a paper he has written for the Black Hat Europe 2013 conference.

Sophos greatly appreciates the work of security researchers like Ben Williams and acknowledges the contribution they make to the security of our products, our customers and the technology community as a whole.

Am I protected?

Your appliance should have updated within a few days after the fixed version was made available. Further releases have been published since then, and all versions numbered after v3.7.7.0 contain the fixes.

Details of vulnerabilities

Cross-site scripting with Session Hijacking
Description: Due to issues with input validation and output encoding in the UI, cross-site scripting attacks were possible on many pages of the UI. This could have enabled an attacker to run arbitrary JavaScript in an administrator’s browser, leading to session hijacking, reconfiguration of the software or certain other forms of attack.
Affected product(s): Sophos Email Appliance version 3.7.6.0 and earlier
First reported to us: 20 October 2012
Exploit seen in the wild? No
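The entry above names the two controls that were missing: input validation and output encoding. The following is an added illustration, not code from Sophos or the appliance, showing the unencoded rendering pattern beside its hardened form and an allowlist validator. The field names, sample values and the table markup are constructed for the example.

```python
import html
import re

# Constructed sample values (not taken from the advisory) standing in for a
# field an administrator would see rendered in a web UI.
SAMPLES = {
    "benign": "alice@example.com",
    "tag_injection": "<script>alert(1)</script>",
    "attribute_break": '" autofocus onfocus="alert(1)',
}

# Input validation: a mail-address filter never legitimately needs markup
# characters, so anything outside this allowlist is rejected before use.
FILTER_ALLOWED = re.compile(r"^[\w.@+-]{0,64}$")


def accept_filter(value: str) -> bool:
    return FILTER_ALLOWED.fullmatch(value) is not None


def render_row_vulnerable(sender: str, filter_value: str) -> str:
    """The pattern the advisory describes: user data concatenated straight into
    markup with no output encoding, so tags and attribute quotes survive."""
    return (f"<tr><td>{sender}</td>"
            f'<td><input name="filter" value="{filter_value}"></td></tr>')


def render_row_fixed(sender: str, filter_value: str) -> str:
    """Hardened form: every dynamic value is HTML-escaped for its context.
    html.escape(quote=True) encodes & < > " and ', which covers element
    content and double-quoted attribute values alike."""
    safe_sender = html.escape(sender, quote=True)
    safe_filter = html.escape(filter_value, quote=True)
    return (f"<tr><td>{safe_sender}</td>"
            f'<td><input name="filter" value="{safe_filter}"></td></tr>')


def leaks_user_markup(rendered: str, raw: str) -> bool:
    """Regression check for templates: a user string carrying markup-significant
    characters must never appear verbatim in the rendered output."""
    return any(c in raw for c in '<>"\'&') and raw in rendered


if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name, "vulnerable leaks:", leaks_user_markup(render_row_vulnerable(value, value), value),
              "fixed leaks:", leaks_user_markup(render_row_fixed(value, value), value))
```

Validation and encoding are deliberately separate layers: the allowlist stops hostile values at the boundary, and the encoder protects every other field that cannot be so tightly constrained (display names, subjects, free text).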


Authentication bypass via session fixation
Description: Session tokens are used to identify users after login. Session tokens were not changed or refreshed often enough, and were not well secured. This made it possible for an attacker to easily hijack administrative sessions via session fixation.
Affected product(s): Sophos Email Appliance version 3.7.6.0 and earlier
Fixed in: Sophos Email Appliance version 3.7.7.0
First reported to us: 20 October 2012
Fixed version released: 17 January 2013
Roll-out fix completed on: 30 January 2013
Exploit seen in the wild? No
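The fix for session fixation is to issue a new token at the moment of authentication and to bound a token's lifetime. As an added example (not Sophos code, and not a description of how the appliance implements sessions), the store below contrasts a login that keeps the pre-authentication token with one that rotates it, adds idle and absolute expiry, and shows the cookie attributes that keep the token off the wire in clear and away from page scripts. The timeout values and cookie name are assumed policy choices.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before a session dies (assumed policy)
ABSOLUTE_LIFETIME = 8 * 3600  # hard cap on session age regardless of activity (assumed policy)


@dataclass
class Session:
    user: Optional[str]
    created: float
    last_seen: float


class SessionStore:
    """Server-side session table keyed by an unguessable token."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions: Dict[str, Session] = {}

    def new_anonymous(self) -> str:
        """Pre-login session (e.g. for the login form). 32 bytes from the OS
        CSPRNG; never derived from time, client address or a counter."""
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[token] = Session(None, now, now)
        return token

    def login_vulnerable(self, token: str, user: str) -> str:
        """The weak pattern: the token issued before authentication is simply
        upgraded to an administrative one, so anyone who planted or learned it
        beforehand now holds an admin session."""
        self._sessions[token].user = user
        return token

    def login_fixed(self, token: str, user: str) -> str:
        """Hardened form: destroy the pre-login token and issue a fresh one on
        successful authentication, making any pre-planted token worthless."""
        self._sessions.pop(token, None)
        fresh = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[fresh] = Session(user, now, now)
        return fresh

    def resolve(self, token: str) -> Optional[str]:
        """Return the user for a valid session, expiring idle or old ones."""
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_LIFETIME:
            del self._sessions[token]
            return None
        s.last_seen = now
        return s.user


def cookie_header(token: str) -> str:
    """Set-Cookie line: Secure keeps it to TLS, HttpOnly hides it from script
    (relevant to the XSS item above), SameSite limits cross-site sending."""
    return f"sid={token}; Secure; HttpOnly; SameSite=Strict; Path=/"


class FakeClock:
    """Controllable clock so expiry can be exercised without sleeping."""

    def __init__(self, start: float = 1_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now


def demo() -> dict:
    """Walk both login paths and the expiry rule; returns the observations."""
    clock = FakeClock()
    store = SessionStore(clock)
    pre = store.new_anonymous()
    kept = store.login_vulnerable(pre, "admin")
    out = {"vulnerable_keeps_token": kept == pre and store.resolve(pre) == "admin"}
    pre2 = store.new_anonymous()
    fresh = store.login_fixed(pre2, "admin")
    out["fixed_rotates_token"] = fresh != pre2
    out["old_token_dead"] = store.resolve(pre2) is None
    out["fresh_token_works"] = store.resolve(fresh) == "admin"
    clock.now += IDLE_TIMEOUT + 1
    out["idle_expires"] = store.resolve(fresh) is None
    return out


if __name__ == "__main__":
    print(demo())
```

Rotating the token on every privilege change (login, re-authentication, role switch) is the single control that defeats fixation; the expiry and cookie flags limit the damage window if a token is nonetheless exposed.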


Unauthenticated detailed version disclosure
Description: The product disclosed detailed version information to unauthenticated users: for example within the HTML of the login screen. It was easy to find these appliances (via Internet search engines such as Shodan or Google dorks) and enumerate the exact version in use.
Affected product(s): Sophos Email Appliance version 3.7.6.0 and earlier
First reported to us: 20 October 2012
Exploit seen in the wild? No
Risk: This item is considered a small risk. All Sophos appliances are kept automatically up to date and so will always be running the same version. The advantage to be gained by discovering the version number is minimal.



Command-injection via CSRF with privilege escalation to root
Description: The Sophos Email Appliance was prone to Command-injection via Cross-Site Request Forgery (CSRF). This could allow running of arbitrary commands on the underlying system and recovery of potentially sensitive information. This includes information that could be used to obtain root access to the appliance via SSH.
Affected product(s): Sophos Email Appliance version 3.7.6.0 and earlier
Fixed in: Sophos Email Appliance version 3.7.7.0
First reported to us: 20 October 2012
Fixed version released: 17 January 2013
Roll-out fix completed on: 30 January 2013
Exploit seen in the wild? No
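Two separate defects combine in the entry above: a state-changing request that a third-party page could forge, and a form value that reached a shell. As an added example (not Sophos code, and making no claim about how the appliance's UI is built), the handler below gates the request with a per-session synchronizer token plus an Origin/Referer check, then contrasts shell-string construction with a validated argv list that never passes through a shell. The application origin, the diagnostic form and the hostname rule are constructed for the example; nothing is executed, the functions only return what would be run.

```python
import hmac
import re
import secrets
from typing import List, Optional, Union
from urllib.parse import urlsplit

APP_ORIGIN = "https://appliance.example.internal"  # assumed origin of the admin UI

# RFC-1123-style hostname: labels of letters, digits and hyphens, no leading
# hyphen, no whitespace or shell metacharacters.
HOSTNAME = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def issue_csrf_token(session: dict) -> str:
    """Synchronizer token: random per session, kept server-side and echoed in a
    hidden form field, so the session cookie alone cannot submit a change."""
    session["csrf"] = secrets.token_urlsafe(32)
    return session["csrf"]


def csrf_check(session: dict, form_token: Optional[str],
               origin: Optional[str], referer: Optional[str]) -> bool:
    """Reject state-changing requests a cross-site page could have forged."""
    expected = session.get("csrf")
    if not expected or not form_token or not hmac.compare_digest(expected, form_token):
        return False
    # Browsers attach Origin (or at least Referer) to cross-site form posts and
    # page script cannot forge either; both must name our own origin.
    source = origin or referer
    if not source:
        return False
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == APP_ORIGIN


def ping_command_vulnerable(host: str) -> str:
    """The weak pattern: a form field pasted into a shell line (as would be
    handed to a shell). Metacharacters in `host` become extra commands."""
    return f"ping -c 1 {host}"


def ping_argv_fixed(host: str) -> List[str]:
    """Hardened form: validate against the hostname allowlist, then build an
    argv list for subprocess.run(..., shell=False); nothing is re-parsed."""
    if not HOSTNAME.fullmatch(host):
        raise ValueError("invalid hostname")
    return ["ping", "-c", "1", host]


def handle_diag_request(session: dict, form: dict, headers: dict) -> Union[List[str], str]:
    """Full request path: CSRF gate first, then strict argument handling.
    Returns the argv that would be executed, or a refusal message."""
    if not csrf_check(session, form.get("csrf"), headers.get("Origin"), headers.get("Referer")):
        return "refused: CSRF check failed"
    try:
        return ping_argv_fixed(form.get("host", ""))
    except ValueError as err:
        return f"refused: {err}"


def demo() -> dict:
    """Constructed requests: one legitimate, one forged cross-site, one with a
    metacharacter payload behind a valid token."""
    session = {}
    token = issue_csrf_token(session)
    good_hdr = {"Origin": APP_ORIGIN}
    return {
        "legit": handle_diag_request(session, {"csrf": token, "host": "mail.example.com"}, good_hdr),
        "forged": handle_diag_request(session, {"host": "mail.example.com"},
                                      {"Origin": "https://attacker.example"}),
        "injected": handle_diag_request(session, {"csrf": token, "host": "mail.example.com; id"}, good_hdr),
        "vuln_string": ping_command_vulnerable("mail.example.com; id"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

Each layer is independently sufficient for its own bug: the token and origin check stop the forged request even if the argument handling were still weak, and the allowlist plus argv list stop the injection even from an authenticated administrator's own misuse or a still-forged request.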

 
If you need more information or guidance, then please contact technical support.
