-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT Security Bulletin

                          ASB-2013.0050
   A number of vulnerabilities have been identified in Sophos Web Appliance
                              5 April 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Sophos Web Appliance
Operating System:     Network Appliance
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                      Access Privileged Data          -- Remote/Unauthenticated
                      Cross-site Scripting            -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2013-2643 CVE-2013-2642 CVE-2013-2641
Member content until: Sunday, May 5 2013

OVERVIEW

        A number of vulnerabilities have been identified in Sophos Web
        Appliance prior to version 3.7.8.2. [1]

IMPACT

        The vendor has provided the following details regarding these
        vulnerabilities:

        CVE-2013-2641:
        "Unauthenticated users could download arbitrary files from the
        Sophos Web Appliance with the rights of a privileged operating
        system user. This user has access to clear text passwords and
        valid PHP session IDs." [1]

        CVE-2013-2642:
        "OS Command Injections were discovered that allow an administrative
        user to execute commands as a privileged user. Under certain
        preconditions unauthenticated users can do that as well." [1]

        CVE-2013-2643:
        "Reflected Cross Site Scripting vulnerabilities were found. An
        attacker could have used these vulnerabilities to conduct phishing
        attacks." [1]

MITIGATION

        The vendor has stated that these vulnerabilities have been resolved
        with the 3.7.8.2 release of the Sophos Web Appliance software. [1]

REFERENCES

        [1] Vulnerabilities reported in Sophos Web Appliance
            http://www.sophos.com/en-us/support/knowledgebase/118969.aspx

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUV453e4yVqjM2NGpAQLjgxAAjlAtSpKhGGuBNW01YjmdgCcUTzIV4Dei
tMhlVXDGiQLNSVwya1P8bi8BvoV7vNratL2/bmodeDjQ4UJDDMwv0xB6YIyv1dD9
qiDzbiClTY6CQEUVUDZS13QEcKSjgR+IdMc5qptUyYHmoqyLvrK67m1UYIxN9jOB
VlEVB+X62m3zIwsNH8iN+ifvVrguKD1T4KoyewAdA+b2GVSKTzcvChlZ6bCfLsCu
apFe/MDVEi+Bj2oJlc2ECac8RF1bQII10UUQ8PooFjPZurCQNIrIaSaxdl7QhWYw
iLtk1Ek+RTvpKkTirI1R+8TAVwo8WfVPEcqV3JxnBM91vt2sjydeY6ExAqf0Y0B7
esVD8cszQ4kczSRgBPl3zpvXOG1pZn1yfWhvhnaSnDV2v9lTbI8oRB+/2Bs7IBV+
3h4sV+Cv8ZmlvtoOYmF9ztJk8QPUTOiLJTimWahbGhTHWrA/6NVR3/8nwc3W03W4
QxjSntfjEMuuV6EvPOwImU3C9r/9+coWJ29DzbrLP5kAfbV+sjMilQE292MdQlQK
GeLCbWNktdXXULRDM6gwtVPvO9Kqz3q5siWHl8gFEn+bGw9YuFx3Zns/5dJlDhJ2
E9cHCjp6fVwAQSIDSi9azGPLrZZDf3tvjlRCwguqaerpXaA+pw1R8F3gFkJPZA+2
OdpFrEWpkLQ=
=vB1B
-----END PGP SIGNATURE-----