CVE-2017-18001
Published 2017-12-31
Priority: P274 · Severity: critical, CVSS 3.0 base score 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploit: public exploit available
EPSS: 13.71% (96.0th percentile)
Trustwave Secure Web Gateway (SWG) through 11.8.0.27 allows remote attackers to append an arbitrary public key to the device's SSH Authorized Keys data, and consequently obtain remote root access, via the publicKey parameter to the /sendKey URI.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| trustwave | secure_web_gateway | <= 11.8.0.27 | — |
Detection & IOCs (extracted from sources)
Command observed in the public PoC: `/usr/bin/ssh -q -o PasswordAuthentication=no -o StrictHostKeyChecking=no -o ConnectTimeout=3 -o ServerAliveInterval=10 -i ./test.key [email protected]`
- Detect unauthenticated HTTP POST requests to the /sendKey URI on port 5222 with a multipart/form-data body containing a 'publicKey' field — this is the exploit delivery mechanism for CVE-2017-18001.
- Alert on HTTP requests to port 5222 with User-Agent 'libwww-perl/6.15' targeting /sendKey, as this matches the known exploit PoC tooling.
- Monitor for SSH logins by the 'commander' or 'rsyncuser' accounts on Trustwave SWG devices, especially from external/unexpected source IPs, as these indicate successful exploitation.
- Alert on execution of /opt/finjan/msh/run_inside.py with 'bash' argument via sudo, which is the post-exploitation privilege escalation path to root on compromised SWG devices.
- Inspect multipart/form-data POST bodies on port 5222 for the boundary marker '--xYzZY' and a 'publicKey' filename field, which are artifacts of the known exploit PoC.
- The vulnerable endpoint /sendKey on port 5222 requires no authentication, meaning any network-reachable host can exploit it. Firewall rules restricting access to port 5222 on SWG devices are a critical compensating control.
- Exploitation grants initial access as 'rsyncuser' (uid=1000, gid=48/apache), but privilege escalation to root is trivially achieved via sudo on /opt/finjan/msh/run_inside.py — treat any SSH access by rsyncuser as a full root compromise.
- The vulnerability affects Trustwave SWG through version 11.8.0.27. Devices running this version or earlier should be treated as untrustworthy until patched per the vendor advisory.
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
No detection rules found.
No writeups or analysis indexed.
References

- http://seclists.org/fulldisclosure/2017/Dec/88
- https://blogs.securiteam.com/index.php/archives/3550
- https://www.exploit-db.com/exploits/44047/
- https://www.trustwave.com/Resources/Trustwave-Software-Updates/Important-Security-Update-for-Trustwave-Secure-Web-Gateway/