Sophos Web Appliance 4.2.1.3 Remote Command Injection

2017.01.31
Risk: High
Local: No
Remote: Yes
CWE: CWE-78


CVSS Base Score: 9/10
Impact Subscore: 10/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Critical Start security expert Russell Sanford discovered and reported two critical zero-day vulnerabilities in the Sophos Web Appliance in December of 2016. The vulnerabilities, documented under CVE-2016-9553, allow the remote compromise of the appliance's underlining Linux subsystem. The vulnerabilities have now been patched in the January 2017 4.3.1 release of the appliance line. Here is a summary of the two vulnerabilities documented under CVE-2016-9553. CVE ID CVE-2016-9553<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9553> Vulnerability Details The Sophos Web Appliance (version 4.2.1.3) is vulnerable to two Remote Command Injection vulnerabilities affecting its web administrative interface. These vulnerabilities occur in the MgrReport.php (/controllers/MgrReport.php) component responsible for blocking and unblocking IP addresses that are able to access appliance. The device doesn't properly escape the information passed in the variables 'unblockip' and 'blockip' before calling the shell_exec() function which allows for system commands to be injected into the device. The page that contains the vulnerabilities, /controllers/MgrReport.php, is accessed by a number of the machine's built in commands in administrative interface. The pages that call to the vulnerable page (passed in the '&c=' parameter) are: 'report', 'trend_volume', 'trend_suspect','top_app_ctrl', 'perf_latency', 'perf_throughput', 'users_browse_summary', 'traf_sites', 'traf_blocked', 'traf_users', 'users_virus_downloaders', 'users_pua_downloaders', 'users_highrisk', 'users_policy_violators', 'users_top_users_by_browse_time', 'users_quota', 'users_browse_time_by_user', 'users_top_users_by_category', 'users_site_visits_by_user', 'users_category_visits_by_user', 'users_monitored_search_queries', 'users_app_ctrl', 'traf_category', 'traf_download', and 'warned_sites'. Exploitation of this vulnerability yields shell access to the remote machine under the system account 'spiderman'. Vendor Response Sophos has issued an update to correct this vulnerability. More details can be found at: http://swa.sophos.com/rn/swa/concepts/ReleaseNotes_4.3.1.html Credit This vulnerability was discovered by Russell Sanford of Critical Start. CVSS Score CVSS Base Score: 8.5 CVSS v2 Vector: (AV:N/AC:M/Au:S/C:C/I:C/A:C/E:F/RL:OF/RC:C/CDP:ND/TD:ND/CR:H/IR:H/AR:ND) Affected Vendors Sophos Affected Products Web Appliance before version 4.3.1.3 Disclosure Timeline 2016-11-12 - Vulnerability discovered in audit 2016-11-13 - POC exploit created 2016-11-19 - Contacted MITRE for CVE 2016-11-22 - CVE-2016-9553 assigned 2016-11-29 - Sophos Contacted through Bugcrowd to coordinate fix 2017-01-20 - Sophos patched bug in Version 4.3.1 (Work Order# NSWA-1258) 2017-01-20 - Coordinated public release of advisory 2017-01-28 - CVE-2016-9553 publicly released. About Critical Start Critical Start is an employee owned cybersecurity company with the goal to improve the security capability of our clients using a strategy based methodology known as the Defendable Network. We provide security consulting services, PCI QSA services, product fulfillment, and Managed Security Services. To schedule an appointment to discuss a cybersecurity assessment or penetration test with our team members, please call 214-810-6760 or email info@criticalstart.com<mailto:info@criticalstart.com>.


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top