Sophos Web Appliance flaw activelly exploited by hacker teams in the wild
Take action: If you are still using Sophos Web Appliance, enable auto-updates and bring it up to latest version. And since it's already past it's end-of-service deadline, plan to change the appliance soon.
The Cybersecurity and Infrastructure Security Agency is reporting active attack on the vulnerability CVE-2023-1671 of Sophos Web Appliance. It's a pre-auth command injection vulnerability in the warn-proceed handler of Sophos Web Appliance that allows attackers to execute arbitrary code.
CISA has noted active exploitation in the field but has not released detailed information on these incidents.
Sophos Web Appliance serves as a web filtering tool that inspects and blocks malicious content to prevent malware infections. The vulnerability was reported through Sophos's bug bounty program by an external researcher in early April and impacts all appliance versions before 126.96.36.199.
Sophos addressed the issue in April 2023 with an automatic update to the affected products, assuming customers had not disabled the default auto-update feature. Additionally, they recommended that the appliance should operate behind a firewall to avoid direct exposure to the public internet.
The company has also highlighted that the Sophos Web Appliance is approaching its end of service on July 20, 2023, after which it will no longer receive updates. They have been encouraging users to transition to the Sophos Firewall for future protection.
Despite the availability of a proof-of-concept exploit since late April and a script for identifying vulnerable devices, it seems attackers recently began exploiting CVE-2023-1671. Although auto-updates should have fixed the issue, it seems that there were enough systems with disabled updates to provide a good attack surface.
It's also indicative that companies are still using Sophos Web Appliance even after it's end of service. Any other issues found in such appliances will just make the risk of using them worse.