Cybersecurity and Infrastructure Security Agency (CISA) has identified a critical vulnerability, marked as CVE-2023-1671, within Sophos Web Appliance. This flaw, a pre-auth command injection vulnerability in the warn-proceed handler, poses a significant risk by allowing attackers to execute arbitrary code.
Discovery and Patching
Disclosed in early April by an external security researcher through Sophos’ bug bounty program, the vulnerability affected all versions of the appliance preceding version 22.214.171.124. Sophos swiftly responded with a patch released in April 2023, pushing the update to users with the default “automatic update” setting enabled.
As a precautionary measure, Sophos urged customers to keep the device behind a firewall, limiting its accessibility via the public internet. Additionally, the company emphasized that Sophos Web Appliance would reach its end of life on July 20, 2023, ceasing to receive security or software updates. Encouraging organizations to transition to Sophos Firewall, the company navigated users toward a more secure future.
Exploitation and Response
Despite the availability of a public Proof of Concept (PoC) exploit for CVE-2023-1671 since late April, attackers hesitated, likely due to the widespread adoption of the default automatic updating setting, which diminished the potential pool of vulnerable targets.
However, recent developments indicate active exploitation, as confirmed by the Cybersecurity and Infrastructure Agency. Regrettably, specific details regarding the nature of these exploits remain undisclosed.
Broader Vulnerability Landscape
In the broader context, CISA identified two additional vulnerabilities, including CVE-2020-2551, an unspecified bug in Oracle WebLogic Server, within its Known Exploited Vulnerabilities (KEV) catalog. Despite being reported and patched in 2020, the inclusion of such vulnerabilities underscores the persistent challenges organizations face in maintaining comprehensive security postures.