Resolved SPX password disclosure in Sophos Firewall (CVE-2023-5552)

Overview

Sophos has fixed a password disclosure vulnerability in the Secure PDF eXchange (SPX) feature of Sophos Firewall when the password type is set to “specified by sender”.

No action is required for Sophos Firewall customers with the "Allow automatic installation of hotfixes" feature enabled on remediated versions (see Remediation section below). Enabled is the default setting.

Sophos would like to thank IT für Caritas eG for disclosing the issue to Sophos.

Applies to the following Sophos product(s) and version(s)

Sophos Firewall v19.5 MR3 (19.5.3) and older

Workaround

Customers can protect themselves by using an SPX template where the “Password type” is set to “Generated and stored for recipient”.

Remediation

• Ensure you are running a supported version

• Hotfixes for the following versions published on October 12, 2023:

  • v19.5 MR3, and MR2

• Hotfixes for the following versions published on October 13, 2023:

  • v20.0 EAP1

  • v19.5 MR1-1, MR1, and GA

  • v19.0 MR3, MR2, MR1-1, and MR1

• Fix included in v19.5 MR4 (19.5.4), and v20.0 GA

• Users of older versions of Sophos Firewall are required to upgrade to receive the latest protections, and this fix

Related information

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5552

• https://support.sophos.com/support/s/article/KB-000035279?language=en_US#xgfirewallsoftware