[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] Sophos Web Appliance - Block & Unblock IPs Remote Command Injection (CVE-2016-9553)
From: Russell Sanford <russell.sanford () criticalstart ! com>
Date: 2017-01-29 13:47:09
Message-ID: CY1PR07MB2152E56384DBC1D1A1FC7047F1480 () CY1PR07MB2152 ! namprd07 ! prod ! outlook ! com
[Download RAW message or body]
Critical Start security expert Russell Sanford discovered and reported two critical zero-day \
vulnerabilities in the Sophos Web Appliance in December of 2016. The vulnerabilities, \
documented under CVE-2016-9553, allow the remote compromise of the appliance's underlining \
Linux subsystem. The vulnerabilities have now been patched in the January 2017 4.3.1 release of \
the appliance line.
Here is a summary of the two vulnerabilities documented under CVE-2016-9553.
CVE ID
CVE-2016-9553<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9553>
Vulnerability Details
The Sophos Web Appliance (version 4.2.1.3) is vulnerable to two Remote Command Injection \
vulnerabilities affecting its web administrative interface. These vulnerabilities occur in the \
MgrReport.php (/controllers/MgrReport.php) component responsible for blocking and unblocking IP \
addresses that are able to access appliance. The device doesn't properly escape the information \
passed in the variables 'unblockip' and 'blockip' before calling the shell_exec() function \
which allows for system commands to be injected into the device. The page that contains the \
vulnerabilities, /controllers/MgrReport.php, is accessed by a number of the machine's built in \
commands in administrative interface. The pages that call to the vulnerable page (passed in the \
'&c=' parameter) are: 'report', 'trend_volume', 'trend_suspect','top_app_ctrl', 'perf_latency', \
'perf_throughput', 'users_browse_summary', 'traf_sites', 'traf_blocked', 'traf_users', \
'users_virus_downloaders', 'users_pua_downloaders', 'users_highrisk', 'users_policy_violators', \
'users_top_users_by_browse_time', 'users_quota', 'users_browse_time_by_user', \
'users_top_users_by_category', 'users_site_visits_by_user', 'users_category_visits_by_user', \
'users_monitored_search_queries', 'users_app_ctrl', 'traf_category', 'traf_download', and \
'warned_sites'. Exploitation of this vulnerability yields shell access to the remote machine \
under the system account 'spiderman'. Vendor Response
Sophos has issued an update to correct this vulnerability. More details can be found at:
http://swa.sophos.com/rn/swa/concepts/ReleaseNotes_4.3.1.html
Credit
This vulnerability was discovered by Russell Sanford of Critical Start.
CVSS Score
CVSS Base Score: 8.5
CVSS v2 Vector: (AV:N/AC:M/Au:S/C:C/I:C/A:C/E:F/RL:OF/RC:C/CDP:ND/TD:ND/CR:H/IR:H/AR:ND)
Affected Vendors
Sophos
Affected Products
Web Appliance before version 4.3.1.3
Disclosure Timeline
2016-11-12 - Vulnerability discovered in audit
2016-11-13 - POC exploit created
2016-11-19 - Contacted MITRE for CVE
2016-11-22 - CVE-2016-9553 assigned
2016-11-29 - Sophos Contacted through Bugcrowd to coordinate fix
2017-01-20 - Sophos patched bug in Version 4.3.1 (Work Order# NSWA-1258)
2017-01-20 - Coordinated public release of advisory
2017-01-28 - CVE-2016-9553 publicly released.
About Critical Start
Critical Start is an employee owned cybersecurity company with the goal to improve the security \
capability of our clients using a strategy based methodology known as the Defendable Network. \
We provide security consulting services, PCI QSA services, product fulfillment, and Managed \
Security Services.
To schedule an appointment to discuss a cybersecurity assessment or penetration test with our \
team members, please call 214-810-6760 or email \
info@criticalstart.com<mailto:info@criticalstart.com>.
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic