Update for Sophos Web Protection Appliance
Security firm Sophos has asked that its customers install version 220.127.116.11 of the Web Protection Appliance immediately. At the end of February, staff at security firm SEC Consult discovered vulnerabilities in the product's web-based user interface. Sophos has closed the security holes in the latest version.
The vulnerabilities allow attackers to harvest sensitive data such as passwords and session cookies, and give access to private certificate keys. These keys can be used to sign arbitrary certificates for man-in-the-middle or phishing attacks within a company network, since every client on the network will accept certificates signed with them.
Sophos says that SEC Consult Vulnerability Lab privately reported the security holes on 21 February. No public exploits for the vulnerabilities (CVE numbers CVE-2013-2641, CVE-2013-2642 and CVE-2013-2643) are believed to have appeared.