CVE-2017-6182
published 2017-03-30


Priority P273 · critical · 9.8 (CVSS 3.0)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 16.55% (96.6th percentile)
In Sophos Web Appliance (SWA) before 4.3.1.2, a section of the machine's interface responsible for generating reports was vulnerable to remote command injection via functions, aka NSWA-1304.

Affected

1 range

Vendor    Product        Version range    Fixed in
sophos    web_appliance  <= 4.3.1.1

Detection & IOCs (extracted from sources)

url: /index.php?c=login
path: /tmp/n
path: /tmp/m
command: echo -e <encoded_payload>>/tmp/n;chmod +rx /tmp/n;/tmp/n
command: (echo -e <encoded_elf>>/tmp/m;chmod +rx /tmp/m;/tmp/m)
  • Detect POST requests to /index.php?c=report&name=traf_users containing a 'filters' JSON body where the 'trafficType' field includes shell metacharacters (pipe '|' or ampersand '&'), indicating a command injection attempt.
  • Alert on POST requests to /index.php with parameter 'c=report' and 'pdf=1' combined with a 'filters' parameter containing pipe or ampersand characters in the 'trafficType' JSON field.
  • Monitor for creation or execution of ELF binaries dropped to /tmp/m or /tmp/n on Sophos Web Appliance hosts, as the exploit stages payloads to these paths.
  • The exploit is post-authentication; monitor for successful logins to /index.php?c=login followed immediately by report generation requests with anomalous 'trafficType' values as a chained attack sequence.
  • The STYLE parameter (a 32-character hex string) is used as a session token across both the login and exploit requests; correlate requests sharing the same STYLE value across /index.php?c=login and /index.php?c=report endpoints.
  • The exploit is post-authentication, requiring valid credentials (default username 'admin') before the command injection can be triggered.
  • The vulnerability affects Sophos Web Appliance versions before 4.3.1.2; version 4.3.0.2 was specifically tested and confirmed vulnerable.
  • The injection point is specifically the 'trafficType' field within the JSON 'filters' POST parameter on the reporting endpoint (c=report, name=traf_users).
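As an added example (not code from the advisory, the source page, or Sophos), a small Python detector implements the request-level rules above over constructed sample requests: it flags POST report requests whose 'filters' JSON carries a 'trafficType' containing '|' or '&', and correlates them with a preceding login that shares the same STYLE token. The assumption that STYLE travels as a query or form parameter, and all sample values, are mine.

```python
import json
import re
from urllib.parse import urlsplit, parse_qs, urlencode

# Shell metacharacters the guidance above names for the 'trafficType' field.
METACHARS = re.compile(r"[|&]")
# STYLE is described as a 32-character hex string used as a session token.
STYLE_TOKEN = re.compile(r"^[0-9a-f]{32}$")

def request_params(url, body):
    """Merge query-string and form-body parameters into one dict (query wins)."""
    parts = urlsplit(url)
    merged = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    merged.update({k: v[0] for k, v in parse_qs(parts.query).items()})
    return parts.path, merged

def is_report_injection(method, url, body):
    """True when a request matches the report-endpoint injection pattern above."""
    path, p = request_params(url, body)
    if method.upper() != "POST" or path != "/index.php" or p.get("c") != "report":
        return False
    try:
        filters = json.loads(p.get("filters", ""))
    except ValueError:          # no or malformed 'filters' JSON: not this pattern
        return False
    traffic = filters.get("trafficType", "") if isinstance(filters, dict) else ""
    if isinstance(traffic, list):   # tolerate a list-valued field
        traffic = " ".join(map(str, traffic))
    return bool(METACHARS.search(str(traffic)))

def find_chained_sessions(requests):
    """Return STYLE tokens seen first on a login request and later on a flagged
    report request. Assumption: STYLE is sent as a query or form parameter."""
    logged_in, chained = set(), []
    for method, url, body in requests:
        path, p = request_params(url, body)
        style = p.get("STYLE", "")
        if not STYLE_TOKEN.match(style):
            continue
        if path == "/index.php" and p.get("c") == "login":
            logged_in.add(style)
        elif style in logged_in and is_report_injection(method, url, body):
            chained.append(style)
    return chained

# Constructed sample traffic (not captured from a real appliance).
TOKEN = "0123456789abcdef0123456789abcdef"
SAMPLE = [
    ("POST", "/index.php?c=login&STYLE=" + TOKEN, "username=admin&password=REDACTED"),
    ("POST", "/index.php?c=report&name=traf_users&pdf=1&STYLE=" + TOKEN,
     urlencode({"filters": json.dumps({"trafficType": "web|x"})})),   # flagged
    ("POST", "/index.php?c=report&name=traf_users&STYLE=" + TOKEN,
     urlencode({"filters": json.dumps({"trafficType": "web"})})),     # benign
]
```

Feed it parsed access-log or proxy entries as (method, url, body) tuples; a non-empty result from find_chained_sessions is the login-then-injection sequence the guidance describes.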

CVSS provenance

NVD v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P