A critical remote code execution vulnerability in Sophos Cyberoam Firewall appliances running supported CyberoamOS (CROS) version 10.6.6 MR-5 and earlier was recently discovered and responsibly disclosed to Sophos by an external security researcher. The vulnerability can be potentially exploited by sending a malicious request during an email quarantine release, which would enable an unauthenticated remote attacker to execute arbitrary commands.
Sophos would like to thank Nadav Voloch, from the Research Team at https://www.vpnmentor.com/, for the responsible disclosure of this vulnerability.
The following sections are covered:
Applies to the following Sophos products and versions A hotfix has been released for the following CROS versions:
Previously, End Users would be able to release quarantined emails directly from the spam digest email. This is no longer possible. If users attempt to do this, they will receive a message asking them to sign into the User Portal.
KBA 135224 has been created to explain the new process of releasing quarantined emails for end users.
Additionally, KBA 135222 documents the message and change in behavior when a user clicks on the Release link in the spam digest email.
Sign up to the Sophos Support SMS Notification Service to get the latest product release information and critical issues.
Every comment submitted here is read (by a human) but we do not reply to specific technical questions. For technical support post a question to the community. Or click here for new feature/product improvements. Alternatively for paid/licensed products open a support ticket.