CVE-2017-6182
Published 2017-03-30
Severity: CVSS 3.0 base score 9.8 (Critical); full vector under CVSS provenance below
Exploit: public exploit available
EPSS: 16.55% (96.6th percentile)
In Sophos Web Appliance (SWA) before 4.3.1.2, a section of the machine's interface responsible for generating reports was vulnerable to remote command injection via functions, aka NSWA-1304.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sophos | web_appliance | <= 4.3.1.1 | 4.3.1.2 |
Detection & IOCs (extracted from sources)
- Detect POST requests to /index.php?c=report&name=traf_users carrying a 'filters' JSON body in which the 'trafficType' field contains shell metacharacters (pipe '|' or ampersand '&'); this indicates a command injection attempt.
- Alert on POST requests to /index.php with the parameters 'c=report' and 'pdf=1' combined with a 'filters' parameter whose 'trafficType' JSON field contains pipe or ampersand characters.
- Monitor for the creation or execution of ELF binaries dropped to /tmp/m or /tmp/n on Sophos Web Appliance hosts; the public exploit stages its payloads at these paths.
- The exploit is post-authentication: monitor for successful logins to /index.php?c=login followed immediately by report-generation requests with anomalous 'trafficType' values, and treat the pair as a chained attack sequence.
- The STYLE parameter (a 32-character hex string) is used as a session token across both the login and the exploit requests; correlate requests sharing the same STYLE value across the /index.php?c=login and /index.php?c=report endpoints.
- The exploit is post-authentication and requires valid credentials (default username 'admin') before the command injection can be triggered.
- The vulnerability affects Sophos Web Appliance versions before 4.3.1.2; version 4.3.0.2 was specifically tested and confirmed vulnerable.
- The injection point is the 'trafficType' field inside the JSON 'filters' POST parameter on the reporting endpoint (c=report, name=traf_users).
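The indicators above describe two detections: a content match on the report endpoint (c=report with a 'filters' JSON whose 'trafficType' contains '|' or '&') and a chain of a login and a report request sharing one 32-hex STYLE token. The following is an added example that implements both over a constructed log sample; it is not code from this page, from the vulnerability database, or from Sophos. It assumes a reverse proxy or WAF in front of the appliance records each request's decoded form body as one JSON object per line; the login field names (username, password) and the benign 'trafficType' value are assumptions, while STYLE, c=report, name=traf_users, pdf=1 and filters.trafficType come from the indicators above.

```python
import json
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed sample log (not real traffic). One JSON object per line with the
# request's form body, as a reverse proxy or WAF might emit it. The login field
# names (username, password) and the value "web" for a benign trafficType are
# assumptions made for this example.
SAMPLE_LOG = """\
{"ts":"2017-07-14T10:00:01Z","src":"10.0.0.5","method":"POST","uri":"/index.php?c=login","body":"STYLE=0123456789abcdef0123456789abcdef&username=admin&password=redacted"}
{"ts":"2017-07-14T10:00:10Z","src":"10.0.0.5","method":"POST","uri":"/index.php?c=report&name=traf_users","body":"STYLE=0123456789abcdef0123456789abcdef&filters=%7B%22trafficType%22%3A%22web%22%7D"}
{"ts":"2017-07-14T10:00:20Z","src":"10.0.0.5","method":"POST","uri":"/index.php?c=report&name=traf_users","body":"STYLE=0123456789abcdef0123456789abcdef&pdf=1&filters=%7B%22trafficType%22%3A%22web%7Cid%22%7D"}
{"ts":"2017-07-14T11:30:00Z","src":"10.0.0.9","method":"POST","uri":"/index.php?c=report&name=traf_users","body":"STYLE=ffffffffffffffffffffffffffffffff&pdf=1&filters=%7B%22trafficType%22%3A%22web%26id%22%7D"}
{"ts":"2017-07-14T11:31:00Z","src":"10.0.0.9","method":"GET","uri":"/index.php?c=report&name=traf_users","body":""}
"""

SHELL_META = re.compile(r"[|&]")               # metacharacters named in the indicators
STYLE_TOKEN = re.compile(r"^[0-9a-fA-F]{32}$")  # STYLE session token: 32 hex chars


def _first_values(qs):
    """Flatten a query string / form body to {name: first value}."""
    return {k: v[0] for k, v in parse_qs(qs).items()}


def parse_line(line):
    rec = json.loads(line)
    url = urlsplit(rec["uri"])
    return {
        "ts": datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": rec["src"],
        "method": rec["method"],
        "path": url.path,
        "query": _first_values(url.query),
        "form": _first_values(rec.get("body", "")),
    }


def style_token(req):
    """Return the STYLE token if present in body or query and well-formed."""
    tok = req["form"].get("STYLE") or req["query"].get("STYLE")
    return tok if tok and STYLE_TOKEN.match(tok) else None


def is_injection_attempt(req):
    """Rule 1: POST to the report controller whose filters.trafficType carries | or &."""
    if req["method"] != "POST" or req["path"] != "/index.php":
        return False
    if req["query"].get("c") != "report":
        return False
    try:
        filters = json.loads(req["form"].get("filters", ""))
    except ValueError:  # missing or non-JSON filters parameter
        return False
    if not isinstance(filters, dict):
        return False
    traffic_type = filters.get("trafficType")
    return isinstance(traffic_type, str) and SHELL_META.search(traffic_type) is not None


def find_alerts(lines, window_s=300):
    """Rule 1 over every line, plus Rule 2: mark attempts whose STYLE token was
    seen on a login within window_s seconds (the post-auth chain)."""
    recent_logins = {}  # STYLE token -> timestamp of most recent login
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        req = parse_line(line)
        tok = style_token(req)
        if req["method"] == "POST" and req["query"].get("c") == "login" and tok:
            recent_logins[tok] = req["ts"]
            continue
        if not is_injection_attempt(req):
            continue
        login_ts = recent_logins.get(tok)
        chained = login_ts is not None and (req["ts"] - login_ts).total_seconds() <= window_s
        alerts.append({
            "ts": req["ts"].isoformat(),
            "src": req["src"],
            "style": tok,
            "pdf": req["form"].get("pdf") == "1",
            "traffic_type": json.loads(req["form"]["filters"])["trafficType"],
            "chained_to_login": chained,
        })
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample, the benign report request and the GET produce nothing; the two requests with '|' and '&' in trafficType are flagged, and only the one whose STYLE token was seen on a login nineteen seconds earlier is marked as chained. Matching on the decoded form value matters: an attacker will URL-encode the metacharacters, so a pattern applied to the raw body would miss %7C and %26.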
CVSS provenance
- NVD, CVSS v3.0: 9.8 CRITICAL (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- NVD, CVSS v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
No detection rules found.
No writeups or analysis indexed.
References
- http://wsa.sophos.com/rn/swa/concepts/ReleaseNotes_4.3.1.2.html
- http://www.securityfocus.com/bid/97261
- https://community.sophos.com/products/web-appliance/b/blog/posts/release-of-swa-v4-3-1-2
- https://www.exploit-db.com/exploits/42332/