Overview
Sophos has fixed a password disclosure vulnerability in the Secure PDF eXchange (SPX) feature of Sophos Firewall when the password type is set to “specified by sender”.
No action is required for Sophos Firewall customers with the "Allow automatic installation of hotfixes" feature enabled on remediated versions (see Remediation section below). Enabled is the default setting.
Sophos would like to thank IT für Caritas eG for disclosing the issue to Sophos.
Applies to the following Sophos product(s) and version(s)
Sophos Firewall v19.5 MR3 (19.5.3) and older
Workaround
Customers can protect themselves by using an SPX template where the “Password type” is set to “Generated and stored for recipient”.
Remediation
Ensure you are running a supported version
Hotfixes for the following versions published on October 12, 2023:
v19.5 MR3, and MR2
Hotfixes for the following versions published on October 13, 2023:
v20.0 EAP1
v19.5 MR1-1, MR1, and GA
v19.0 MR3, MR2, MR1-1, and MR1
Fix included in v19.5 MR4 (19.5.4), and v20.0 GA
Users of older versions of Sophos Firewall are required to upgrade to receive the latest protections, and this fix