.svg?width=185&quality=80&auto=webp&format=auto&cache=true&immutable=true&cache-control=max-age%3D31536000 "Home"){kind=logo}
.svg?width=13&quality=80&auto=webp&format=auto&cache=true&immutable=true&cache-control=max-age%3D31536000 "Top Navigation - Sign in - Icon")
Medium
Resolved App Password Bypass on Sophos Secure Workspace for Android (CVE-2021-36808)
CVE(S)
CVE-2021-36808
PRODUCT(S)
Sophos Secure Workspace (Android)
Updated
2021 Oct 29
Article Version
1
First Published
2021 Oct 29
Publication ID
sophos-sa-20211029-ssw-pw-bypass
Workaround
No
Overview
A race condition in Sophos Secure Workspace for Android was recently discovered and responsibly disclosed to Sophos. It was reported via the Sophos bug bounty program by an external security researcher. The vulnerability has been fixed. There is no action required for customers, as updates are installed automatically by default.
Sophos would like to thank Christian Niel Angel for responsibly disclosing the issues to Sophos.
The remediation prevented a local attacker to bypass the app password. There was no evidence that the vulnerability was exploited and to our knowledge no customers are impacted.
Applies to the following Sophos product(s) and version(s)
Sophos Secure Workspace for Android prior version 9.7.3115
Remediation
Fix included in Sophos Secure Workspace 9.7.3115 on September 27, 2021
Additionally, Sophos recommends that Sophos Secure Workspace customers upgrade to the latest available release
Related Information
Sophos Responsible Disclosure Policy
To learn about Sophos security vulnerability disclosure policies and publications, see the Responsible Disclosure Policy.