Daniel Compton of Info-Assure Ltd found the vulnerabilities in the product, a security gateway designed to protect companies against malware and other risks by inspecting web traffic content. The firm has since urged all users to upgrade to version 4.0.4 to mitigate the flaws, which it has not detailed in full in line with its responsible disclosure policy.
“Once the vulnerability has been patched we will not disclose the exact details or exploitation methods for the vulnerability for three months. This gives all users of the product sufficient time to ensure they have updated their products and are protected against the issue.”
Info-Assure discovered the bug on 25 June 2015 and reported it to the security vendor on 30 June. The vendor fixed the flaw by issuing a patch (4.0.4) on 15 July, with Info-Assure partially disclosing the issue a day later.
“The security issues found in the Sophos appliance are very common web vulnerabilities, and are included in the OWASP Top 10 vulnerabilities,” Rob Shapland, senior penetration tester and technical operations manager at First Base Technologies, said in an email to SCMagazineUK.com.
“They should be taken in the context that the user must be authenticated, which restricts who would be able to exploit the vulnerabilities, as they would need a valid user account on the Sophos appliance. The vulnerabilities show that despite OWASP and other organisations publicising secure coding techniques to avoid these common vulnerabilities, even security companies such as Sophos can get it wrong.
“The potential impact is quite small however, as Info-Assure has disclosed the vulnerabilities to Sophos without revealing the details publicly.”