This article provides details on a vulnerability fixed in version 3.8.2 of the Sophos Web Appliance.
Applies to the following Sophos product(s) and version(s)
Sophos Web Appliance versions prior to 3.8.2
On 6 November 2013, Sophos was contacted by Brandon Perry working with HP’s Zero Day Initiative to inform us of a pair of vulnerabilities they had discovered in the Sophos Web Appliance. The two vulnerabilities can be exploited in combination to perform a remote privilege escalation attack allowing an arbitrary command to be run as root.
As a privilege escalation attack, the attacker must first obtain a valid login to the appliance’s Admin UI. The first vulnerability allows the attacker to access functions that should not be accessible to a login with limited privileges. The second vulnerability allows the attacker to exploit those functions to execute arbitrary shell commands with root privilege on the appliance.
What do I do?
These vulnerabilities were of medium severity. Any attacker would need to first obtain unprivileged login credentials before exploiting the vulnerability to attack the system.
The ability of a user who has obtained administrative privileges, legitimately or not, to execute an arbitrary command is potentially damaging to the system but does not expose information that would not otherwise be available to an administrative user.
These vulnerabilities have been fixed as of version 3.8.2. Web Appliance updates are released in stages over the course of several weeks. The update date for the first group of customers is the 2nd of December, 2013. The target date to complete rollout (General Availability) is early January. If you want access to these fixes prior to your scheduled rollout, please contact Sophos support.
Details of vulnerabilities
| Pre-authentication OS command injection vulnerability | |
| --- | --- |
| Description: | Allows an unprivileged user to change the ‘admin’ user's password through the ‘Change Password’ dialog box. The attacker can then execute commands on the appliance’s backend (as root) using the network interface configuration page in the appliance. |
| Affected product(s): | Sophos Web Appliance version 126.96.36.199 and earlier |
| First reported to us: | 6 November 2013 |
| Fixed in: | 3.8.2 |
| Fixed version released: | 2 December 2013 |
| Exploit seen in the wild? | No |
HP Zero Day Initiative ZDI-CAN-2026
1. *Pre-authentication OS command injection vulnerability*
[Tested on: Sophos Web Appliance 188.8.131.52]
These vulnerabilities require an attacker to authenticate as a user of the system, for example someone who has helpdesk privileges.
The first flaw allows an unprivileged user to change the ‘admin’ user's password through the ‘Change Password’ dialog box. Once that’s done, the user can then log in as the ‘admin’, and gain access to parts of the configuration he/she should not have access to.
The second flaw allows a user logged in as ‘admin’ to execute arbitrary shell commands as root on the appliance’s backend from the Admin UI. This is done by embedding the command inside an IP address on the network interface page.
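As an added illustration of the two controls a defender would expect against these flaws (example code, not Sophos's own; the helper path, role names and sample inputs are hypothetical), the following Python parses the IP-address field strictly before it can reach any configuration command, and enforces the Change Password authorization on the server rather than in the UI:

```python
import ipaddress

# Constructed sample inputs standing in for what the network-interface form
# might receive. The second is a placeholder for "address plus trailing shell
# syntax"; it is not an exploit string from the advisory.
CLEAN_ADDRESS = "192.0.2.10"
TAINTED_ADDRESS = "192.0.2.10; echo x"


def canonical_ip(value):
    """Return the canonical text of a well-formed IPv4/IPv6 address.

    ipaddress.ip_address() accepts only an address literal, so spaces,
    separators and shell metacharacters raise ValueError instead of
    reaching a configuration command."""
    return str(ipaddress.ip_address(value.strip()))


def is_valid_ip(value):
    try:
        canonical_ip(value)
        return True
    except ValueError:
        return False


def build_set_ip_argv(interface, value):
    """Argument vector for a hypothetical helper /opt/appliance/bin/set-ip.

    Returning a list for subprocess.run(argv) with shell=False makes the
    address a single argument; it is never interpolated into a shell command
    line. The interface name is whitelisted as well."""
    if not interface.isalnum():
        raise ValueError("invalid interface name")
    return ["/opt/appliance/bin/set-ip", "--dev", interface,
            "--addr", canonical_ip(value)]


def can_change_password(actor, actor_role, target):
    """Server-side authorization for the Change Password dialog.

    A user may change only their own password unless their role is 'admin';
    hiding the dialog in the UI is not a substitute for this check."""
    return actor == target or actor_role == "admin"
```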