Today we are beginning the rollout of update version 4.3.2 for Sophos Web Appliance. This update will be made available to all customers over the next couple of weeks.
This update is a rollup of a number of bug fixes and also addresses two vulnerabilities that were reported to us by security researchers Brian Martin of Tenable Security Response and Wilhelm-Jan Stiny.
The first vulnerability was found in the FTP redirect page, which the Web Appliance returns when a browser in explicit proxy mode requests an FTP URL through the appliance. Under certain conditions, the page could be used to launch a cross-site scripting attack.
The second was a concern raised about how the SWA downloads software and data updates. Until now, updates have been fetched over plain HTTP; the file contents carry internal validation so that an attacker who substituted update content on the wire, or hijacked connections and redirected them to the wrong servers, could not get a tampered update accepted. In this release we have implemented HTTPS with certificate pinning for downloading product updates. Once the rollout of this release is complete, we will start transitioning our update infrastructure to HTTPS.
Because we are using certificate pinning (a strict check that the server's certificate chains to specific, known CAs rather than to any CA in the trust store), the SWA may no longer update successfully if it sits behind an upstream proxy that performs HTTPS decryption/inspection. Such a proxy terminates the TLS connection and re-signs the server certificate under its own CA, so the pinned CA never appears in the chain the appliance sees and the download is refused.
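To make the failure mode concrete, here is an added example (written for this page, not Sophos code, and not how the SWA implements its check) of a public-key pin in the HPKP / `curl --pinnedpubkey` style: the client hashes the DER SubjectPublicKeyInfo of each certificate in the presented chain and accepts the connection only if one of the hashes is in its pin set. The certificates, CA names, hostname `updates.example.invalid` and key bytes are all constructed inline so the example runs offline; they are structurally valid but unsigned stand-ins, and the pin check is meant to run after normal path validation, not in place of it.

```python
import base64
import hashlib

# --- minimal DER helpers: enough to walk an X.509 certificate to its SPKI ---

def der_len(n):
    """Encode a DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    """Encode one DER tag-length-value element."""
    return bytes([tag]) + der_len(len(content)) + content


def read_tlv(buf, pos):
    """Decode the element at buf[pos:]; return (tag, content_start, content_end)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    return tag, pos + hdr, pos + hdr + length


def extract_spki(cert_der):
    """Return the DER bytes of subjectPublicKeyInfo from a DER-encoded certificate.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    tag, pos, _ = read_tlv(cert_der, 0)                 # Certificate
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, tbs_end = read_tlv(cert_der, pos)         # tbsCertificate
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    fields = []
    while pos < tbs_end:
        ftag, _, fend = read_tlv(cert_der, pos)
        fields.append((ftag, cert_der[pos:fend]))       # keep the whole TLV
        pos = fend
    if fields[0][0] == 0xA0:                            # explicit [0] version (v2/v3)
        fields = fields[1:]
    spki_tag, spki = fields[5]                          # serial, sigalg, issuer, validity, subject, SPKI
    if spki_tag != 0x30:
        raise ValueError("subjectPublicKeyInfo not found")
    return spki


def spki_pin(spki_der):
    """Pin string in the HPKP / curl --pinnedpubkey form: base64(SHA-256(SPKI DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def cert_pin(cert_der):
    return spki_pin(extract_spki(cert_der))


def chain_is_pinned(chain_der, pins):
    """True if any certificate in the presented chain carries a pinned public key.
    Run this in addition to, never instead of, ordinary chain validation."""
    return any(cert_pin(c) in pins for c in chain_der)


# --- constructed test material: no real keys and no valid signatures ---
RSA_OID = tlv(0x30, tlv(0x06, bytes.fromhex("2A864886F70D010101")) + tlv(0x05, b""))  # rsaEncryption
SHA256_RSA_OID = tlv(0x30, tlv(0x06, bytes.fromhex("2A864886F70D01010B")))            # sha256WithRSAEncryption

def fake_spki(seed):
    """RSA-2048-shaped SubjectPublicKeyInfo wrapped around constructed key bytes."""
    key = bytes((seed + i) % 256 for i in range(270))
    return tlv(0x30, RSA_OID + tlv(0x03, b"\x00" + key))

def fake_cert(issuer_cn, subject_cn, spki):
    """Structurally valid but unsigned X.509 v3 certificate (constructed for this example)."""
    def name(cn):  # Name ::= SEQUENCE OF SET OF { commonName OID, UTF8String }
        return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex("550403")) + tlv(0x0C, cn.encode()))))
    utc = tlv(0x17, b"250101000000Z")
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + SHA256_RSA_OID
              + name(issuer_cn) + tlv(0x30, utc + utc) + name(subject_cn) + spki)
    return tlv(0x30, tbs + SHA256_RSA_OID + tlv(0x03, b"\x00" + bytes(256)))

VENDOR_CA_SPKI = fake_spki(1)
VENDOR_CA_CERT = fake_cert("Vendor Update CA", "Vendor Update CA", VENDOR_CA_SPKI)
UPDATE_SERVER_CERT = fake_cert("Vendor Update CA", "updates.example.invalid", fake_spki(2))
# An HTTPS inspection proxy terminates TLS and re-issues the server certificate under its own CA.
PROXY_CA_SPKI = fake_spki(3)
PROXY_CA_CERT = fake_cert("Corp Inspection CA", "Corp Inspection CA", PROXY_CA_SPKI)
INTERCEPTED_CERT = fake_cert("Corp Inspection CA", "updates.example.invalid", fake_spki(4))

PINS = {spki_pin(VENDOR_CA_SPKI)}   # the client ships only the vendor CA's pin

def direct_chain_ok():
    return chain_is_pinned([UPDATE_SERVER_CERT, VENDOR_CA_CERT], PINS)

def intercepted_chain_ok():
    return chain_is_pinned([INTERCEPTED_CERT, PROXY_CA_CERT], PINS)

if __name__ == "__main__":
    print("direct chain accepted:", direct_chain_ok())
    print("intercepted chain accepted:", intercepted_chain_ok())
```

Pinning the CA key rather than the leaf key is what lets the vendor rotate server certificates without shipping a client update, but it is exactly what an inspection proxy cannot satisfy: even if the proxy's CA is installed in the appliance's trust store, its chain contains neither the vendor CA key nor the server key, so `chain_is_pinned` returns False. On a real connection the chain would come from the TLS layer (in Python, `ssl.SSLSocket.getpeercert(binary_form=True)` yields the leaf in DER) rather than the constructed certificates above.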
For full details on the issues addressed by this update, check out the release notes.