-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT Security Bulletin

                         ASB-2017.0083
      Sophos Cyberoam Cross-site scripting (XSS) vulnerability
                           8 June 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Sophos Cyberoam
Operating System:     Network Appliance
Impact/Access:        Cross-site Scripting -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2016-9834
Member content until: Saturday, July 8 2017

OVERVIEW

        An XSS vulnerability has been found in Sophos Cyberoam prior to
        version 10.6.4. [1]

IMPACT

        The researcher has published the following information about the
        vulnerability:

        "Severity Rating (CVSS):
        ===================
        6.9 (Medium) (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N)

        Cross-site scripting (XSS) vulnerability in Sophos Cyberoam
        firewall enables attackers to execute scripts in a victim's
        browser to hijack user sessions, deface web sites, insert hostile
        content, redirect users, hijack the user's browser using malware,
        etc."

        "This vulnerability allows remote attackers to execute arbitrary
        client side script in the active user's browser session, when
        logged into the Cyberoam firewall. User interaction is required to
        exploit this vulnerability in that the target must visit a
        malicious page or open a malicious file." [1]

MITIGATION

        The vendor has advised the following:

        "Sophos is committed to working with the security community in
        identifying, remediating and communicating security issues in our
        products. Customers are advised to upgrade their Cyberoam OS to
        v.10.6.5, which addresses this issue."

REFERENCES

        [1] Sophos Cyberoam Cross-site scripting (XSS) vulnerability
            http://seclists.org/bugtraq/2017/Jun/4

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWTjY2ox+lLeg9Ub1AQgjAA//bI480k9CrXx8m7ZANM8GhmV2+ycqMnMZ
Hx+8oLPr0T4TSRFyYoa6m/8qZcR7/1ieT55gyqSavqR9+Csy9ijZm+o4izrChgM0
SZ9YiJfj41lJ0xbVqspb4TIUfjLJCKhu743tf4avZ6Nbcm4Intzr56TguNR4SAB+
LNc5pQ2giokqnh5Znm96F008iSk18otNPbZBCqzFIUHFlEYQa4DksSw5GiFm5fI0
m+N0Gemdp0n2dJ6bbO9CdsGdGbBzGQ50W+8qGJAm7uhzSTTm9oiH+6RBNROY6fTJ
OrwMTh11uNREf23TsJNIUt/HpI9RgXnveIqr4FTxhb0kWHOD9KKrxFWzK30k5vRN
Feqvcfhce/5qWLy3P4MZ4Od2+q2g1Q1qXqgr3MlYCSAGc2WuS8+AihIgFA2Ghp2W
HyKuPW5KpMbXf+Fpjq2Hp2pNGj3oTtf9C+LV0ChD7KBcvXZruFhckZohCVDkZN2W
LU11SnPv7nZxspem+rdSO7b7VlhqQXU9K0Gv4Vtt5dJLZF7FJjIgRJG68an8zp1Y
AbgUnUAeaphhduUI5TX2Vpb9VFaxzaJtdiZGg2RXBai10RHcI6ZObAej/WBnpQ2a
Xb1YWiJY7+PbuIy8w7PNLbzal+joyGRDAvxiPPUKkho2ClrpkFoJAjAGGierbbMm
mZKVdIGAnAE=
=Z8x7
-----END PGP SIGNATURE-----