[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[FD] Sophos Web Appliance - Block & Unblock IPs Remote Command Injection (CVE-2016-9553)
- To: "fulldisclosure@xxxxxxxxxxxx" <fulldisclosure@xxxxxxxxxxxx>
- Subject: [FD] Sophos Web Appliance - Block & Unblock IPs Remote Command Injection (CVE-2016-9553)
- From: Russell Sanford <russell.sanford@xxxxxxxxxxxxxxxxx>
- Date: Sun, 29 Jan 2017 13:47:09 +0000
Critical Start security expert Russell Sanford discovered and reported two
critical zero-day vulnerabilities in the Sophos Web Appliance in December of
2016. The vulnerabilities, documented under CVE-2016-9553, allow the remote
compromise of the appliance's underlining Linux subsystem. The vulnerabilities
have now been patched in the January 2017 4.3.1 release of the appliance line.
Here is a summary of the two vulnerabilities documented under CVE-2016-9553.
CVE ID
CVE-2016-9553<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9553>
Vulnerability Details
The Sophos Web Appliance (version 4.2.1.3) is vulnerable to two Remote Command
Injection vulnerabilities affecting its web administrative interface. These
vulnerabilities occur in the MgrReport.php (/controllers/MgrReport.php)
component responsible for blocking and unblocking IP addresses that are able to
access appliance.
The device doesn't properly escape the information passed in the variables
'unblockip' and 'blockip' before calling the shell_exec() function which allows
for system commands to be injected into the device.
The page that contains the vulnerabilities, /controllers/MgrReport.php, is
accessed by a number of the machine's built in commands in administrative
interface. The pages that call to the vulnerable page (passed in the '&c='
parameter) are: 'report', 'trend_volume', 'trend_suspect','top_app_ctrl',
'perf_latency', 'perf_throughput', 'users_browse_summary', 'traf_sites',
'traf_blocked', 'traf_users', 'users_virus_downloaders',
'users_pua_downloaders', 'users_highrisk', 'users_policy_violators',
'users_top_users_by_browse_time', 'users_quota', 'users_browse_time_by_user',
'users_top_users_by_category', 'users_site_visits_by_user',
'users_category_visits_by_user', 'users_monitored_search_queries',
'users_app_ctrl', 'traf_category', 'traf_download', and 'warned_sites'.
Exploitation of this vulnerability yields shell access to the remote machine
under the system account 'spiderman'.
Vendor Response
Sophos has issued an update to correct this vulnerability. More details can be
found at:
http://swa.sophos.com/rn/swa/concepts/ReleaseNotes_4.3.1.html
Credit
This vulnerability was discovered by Russell Sanford of Critical Start.
CVSS Score
CVSS Base Score: 8.5
CVSS v2 Vector:
(AV:N/AC:M/Au:S/C:C/I:C/A:C/E:F/RL:OF/RC:C/CDP:ND/TD:ND/CR:H/IR:H/AR:ND)
Affected Vendors
Sophos
Affected Products
Web Appliance before version 4.3.1.3
Disclosure Timeline
2016-11-12 - Vulnerability discovered in audit
2016-11-13 - POC exploit created
2016-11-19 - Contacted MITRE for CVE
2016-11-22 - CVE-2016-9553 assigned
2016-11-29 - Sophos Contacted through Bugcrowd to coordinate fix
2017-01-20 - Sophos patched bug in Version 4.3.1 (Work Order# NSWA-1258)
2017-01-20 - Coordinated public release of advisory
2017-01-28 - CVE-2016-9553 publicly released.
About Critical Start
Critical Start is an employee owned cybersecurity company with the goal to
improve the security capability of our clients using a strategy based
methodology known as the Defendable Network. We provide security consulting
services, PCI QSA services, product fulfillment, and Managed Security Services.
To schedule an appointment to discuss a cybersecurity assessment or penetration
test with our team members, please call 214-810-6760 or email
info@xxxxxxxxxxxxxxxxx<mailto:info@xxxxxxxxxxxxxxxxx>.
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/