Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

Sophos Web Appliance Command Injection Vulnerability Allowing Remote Code Execution

Vulnerability

A pre-authentication command injection vulnerability has been identified in the warn-proceed handler of Sophos Web Appliance versions prior to 4.3.10.4. This vulnerability allows the execution of arbitrary code on the affected system.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the affected Sophos Web Appliance.

Reproduction

The vulnerability can be reproduced by sending a crafted request to the 'warn-proceed' handler. This request must include a payload that exploits the command injection flaw, such as a command to ping an external server. The response can be checked for indications that the injected command was executed, such as receiving a response from the external server.

Remediation

Users are advised to update to Sophos Web Appliance version 4.3.10.4 or later, where this vulnerability has been fixed. For those using an older version, Sophos recommends that the appliance is protected by a firewall and not accessible via the public Internet.
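As an added example (not Sophos code and not part of the original advisory), the remediation guidance above can be applied to an appliance inventory. The host names and the `internet_facing` field are hypothetical, and the inventory is constructed. Versions are compared numerically because a plain string comparison ranks "4.3.9.1" above "4.3.10.4".

```python
# Added example: triage a constructed inventory against the advisory's fixed version.
from typing import NamedTuple

FIXED = (4, 3, 10, 4)  # fixed release named in the advisory


class Appliance(NamedTuple):
    host: str              # hypothetical inventory field
    version: str           # version string as reported for the appliance
    internet_facing: bool  # hypothetical field: reachable from the public Internet


def parse_version(text):
    """Return a tuple of ints, or None if text is not a dotted numeric version."""
    parts = text.strip().split(".")
    if not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def is_patched(version):
    """True or False for a parseable version, None when it cannot be parsed."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    # Pad with zeros so "4.3.10" is compared as 4.3.10.0.
    width = max(len(parsed), len(FIXED))
    return parsed + (0,) * (width - len(parsed)) >= FIXED + (0,) * (width - len(FIXED))


def triage(appliance):
    """Map one appliance to the action the advisory's remediation text implies."""
    patched = is_patched(appliance.version)
    if patched is None:
        return "review: unparseable version"
    if patched:
        return "ok: fixed release"
    if appliance.internet_facing:
        return "urgent: vulnerable and Internet-facing"
    return "upgrade: vulnerable, not publicly reachable"


# Constructed sample inventory (not real hosts).
INVENTORY = [
    Appliance("swa-01.example.internal", "4.3.10.4", True),
    Appliance("swa-02.example.internal", "4.3.9.1", True),
    Appliance("swa-03.example.internal", "4.3.10", False),
    Appliance("swa-04.example.internal", "unknown", False),
]

if __name__ == "__main__":
    for a in INVENTORY:
        print(f"{a.host:26} {a.version:10} {triage(a)}")
```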

Added: May 15, 2026, 11:28 AM
Updated: May 15, 2026, 11:28 AM

Vulnerability Rating

Custom Algorithm
spread: 2.6
impact: 7.5
exploitability: 9.4
remediation: 7.7
relevance: 0.0
threat: 9.9
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.