CVE-2017-6315
published 2017-09-19

CVE-2017-6315: Astaro Security Gateway (aka ASG) 7 allows remote attackers to execute arbitrary code via a crafted request to index.plx.

Priority P273 · critical · 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 16.57% (96.6th percentile)

Affected (2 ranges)

Vendor   Product                            Version range   Fixed in
sophos   astaro_security_gateway_firmware   (not listed)    (not listed)
sophos   astaro_security_gateway_firmware   (not listed)    (not listed)

Detection & IOCs (extracted from sources)

port: 4472
filename: payload.pl
command: exec("/bin/sh -i")
  • Monitor for outbound TCP connections from the ASG appliance to attacker-controlled IPs on ports 80, 443, and 4444 — the exploit uses these for multi-stage reverse shell callbacks.
  • Alert on internal TCP connections to localhost port 4472 — the exploit pivots to the privileged 'confd' daemon on this port to achieve root-level code execution.
  • Detect Perl Storable deserialization abuse: look for crafted serialized objects where a package name (252 'A' chars) is replaced with a Perl eval payload — indicative of the Storable nfreeze/thaw RCE technique used in this exploit.
  • Look for the Perl reverse-shell one-liner pattern using IO::Socket::INET with exec('/bin/sh -i') and STDIN/STDOUT/STDERR redirection to a socket — this is the final stage root shell payload.
  • The exploit was tested specifically against ASG versions 7.500 and 7.506; other version 7.x builds may also be vulnerable but were not confirmed.
  • The exploit requires the attacker to be reachable from the ASG appliance on ports 80, 443, and optionally 4444 for the multi-stage callback chain to succeed.
  • The first POST uses port 81 to clear the backend cache before the actual exploitation request on port 80; both requests to /index.plx are required for reliable exploitation.
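The detection guidance above turned into a small scanner, as an added example that is not part of this record or of any vendor tooling: it applies the three network and process indicators (outbound callbacks on 80/443/4444, loopback connections to confd on 4472, the IO::Socket::INET plus exec("/bin/sh -i") process pattern) to constructed log lines. The appliance address, the trusted networks and the two log formats are assumptions; adjust them to your environment.

```python
import ipaddress
import re

# Assumptions, not from the advisory: the appliance's own address and the
# networks it legitimately reaches on 80/443. Adjust for your environment.
APPLIANCE_IP = "192.0.2.10"
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("203.0.113.0/24")]

# Ports named in the advisory's detection guidance.
CALLBACK_PORTS = {80, 443, 4444}   # multi-stage reverse-shell callbacks
CONFD_PORT = 4472                  # local privileged confd daemon

# Final-stage Perl reverse-shell indicators quoted in the advisory.
PERL_SHELL_RE = re.compile(r"IO::Socket::INET.*exec\(\s*['\"]/bin/sh\s+-i['\"]\s*\)", re.S)

# Constructed (hypothetical) log formats: one connection or process per line.
CONN_RE = re.compile(r"^CONN src=(\S+):(\d+) dst=(\S+):(\d+)")
PROC_RE = re.compile(r"^PROC .*cmd=(.*)$")

def trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)

def check_line(line: str):
    """Return the name of the indicator a log line trips, or None."""
    m = CONN_RE.match(line)
    if m:
        src, dst, dport = m.group(1), m.group(3), int(m.group(4))
        # Anything talking to the privileged confd daemon on loopback.
        if dport == CONFD_PORT and ipaddress.ip_address(dst).is_loopback:
            return "confd-pivot"
        # The appliance reaching out on a callback port to an untrusted host.
        if src == APPLIANCE_IP and dport in CALLBACK_PORTS and not trusted(dst):
            return "outbound-callback"
    m = PROC_RE.match(line)
    if m and PERL_SHELL_RE.search(m.group(1)):
        return "perl-reverse-shell"
    return None

def scan(lines):
    """Return (rule, line) pairs for every line that trips an indicator."""
    return [(rule, line) for line in lines if (rule := check_line(line))]

SAMPLE_LOG = [  # constructed sample events, not real telemetry
    "CONN src=192.0.2.10:51234 dst=203.0.113.5:443",
    "CONN src=192.0.2.10:51235 dst=198.51.100.7:4444",
    "CONN src=127.0.0.1:40001 dst=127.0.0.1:4472",
    "PROC user=root cmd=perl -e 'use IO::Socket::INET; ... exec(\"/bin/sh -i\")'",
    "PROC user=wwwrun cmd=/usr/bin/perl index.plx",
]
```

Running scan(SAMPLE_LOG) flags the second, third and fourth sample lines; the first is an ordinary HTTPS connection to a trusted network and the last a benign Perl process.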

CVSS provenance

NVD v3.0: 9.8 CRITICAL  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 10.0 CRITICAL  AV:N/AC:L/Au:N/C:C/I:C/A:C