{ "file_item": { "filepath": "security-advisories", "filename": "CERT-EU-SA2018-010.pdf" }, "title": "Critical Vulnerability in Sophos Mobile and Sophos Mobile Control", "serial_number": "2018-010", "publish_date": "10-04-2018 05:46:00", "description": "On 26th of March 2018, Sophos released a security advisory concerning Sophos Mobile and Sophos Mobile Control. This critical vulnerability could allow an unauthenticated user to access the administration console or the self-service portal of Sophos Mobile.", "url_title": "2018-010", "content_markdown": "---\ntitle: 'Critical Vulnerability in Sophos Mobile and Sophos Mobile Control'\nversion: '1.0'\nnumber: '2018-010'\ndate: 'April 9, 2018'\n---\n\n_History:_\n\n* _09/04/2018 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn 26th of March 2018, Sophos released a security advisory concerning **Sophos Mobile** and **Sophos Mobile Control** [1, 2]. This critical vulnerability could allow an unauthenticated user to access the administration console or the self-service portal of Sophos Mobile.\n\n# Technical Details\n\nThere is not much details from Sophos available outside of the fact that a successful exploitation of the vulnerability could allow an attacker to bypass authentication to the administration panel of the portal, and that no attacks have been observed at the time of this writing.\n\n# Products Affected\n\nAll version of **Sophos Mobile** and **Sophos Mobile Control** prior to `8.0.7` are affected by the vulnerability.\n\n# Recommendations\n\nFor all version higher than `6.0`, the patch is available on the **Sophos License Portal**.\n\nFor version `5.1` and earlier, Sophos provides instructions how to upgrade to an up-to-date version [3].\n\n## Workarounds\n\nThere are no known workarounds that address this vulnerability.\n\n# References\n\n[1] \n\n[2] \n\n[3] \n", "content_html": "

History:

  • 09/04/2018 --- v1.0 -- Initial publication

Summary

On 26th of March 2018, Sophos released a security advisory concerning Sophos Mobile and Sophos Mobile Control [1, 2]. This critical vulnerability could allow an unauthenticated user to access the administration console or the self-service portal of Sophos Mobile.

Technical Details

There is not much details from Sophos available outside of the fact that a successful exploitation of the vulnerability could allow an attacker to bypass authentication to the administration panel of the portal, and that no attacks have been observed at the time of this writing.

Products Affected

All version of Sophos Mobile and Sophos Mobile Control prior to 8.0.7 are affected by the vulnerability.

Recommendations

For all version higher than 6.0, the patch is available on the Sophos License Portal.

For version 5.1 and earlier, Sophos provides instructions how to upgrade to an up-to-date version [3].

Workarounds

There are no known workarounds that address this vulnerability.

References

[1] http://app.go.sophos.com/e/es?s=1777052651&e=250342&elq=03365c36a00a448499140d48c8896a16

[2] https://community.sophos.com/kb/en-us/131867

[3] https://community.sophos.com/kb/en-us/128031

", "licence": { "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)", "link": "https://creativecommons.org/licenses/by/4.0/", "restrictions": "https://cert.europa.eu/legal-notice", "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies" } }