CVE-2017-6315
Published 2017-09-19
Priority: P273 · critical · CVSS 3.0 score 9.8 · exploit available
EPSS: 16.57% (96.6th percentile)
Astaro Security Gateway (aka ASG) 7 allows remote attackers to execute arbitrary code via a crafted request to index.plx.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sophos | astaro_security_gateway_firmware | — | — |
| sophos | astaro_security_gateway_firmware | — | — |
Detection & IOCs (extracted from sources)
- Monitor for outbound TCP connections from the ASG appliance to attacker-controlled IPs on ports 80, 443, and 4444; the exploit uses these for multi-stage reverse shell callbacks.
- Alert on internal TCP connections to localhost port 4472; the exploit pivots to the privileged 'confd' daemon on this port to achieve root-level code execution.
- Detect Perl Storable deserialization abuse: look for crafted serialized objects where a package name (252 'A' chars) is replaced with a Perl eval payload, indicative of the Storable nfreeze/thaw RCE technique used in this exploit.
- Look for the Perl reverse-shell one-liner pattern using IO::Socket::INET with exec('/bin/sh -i') and STDIN/STDOUT/STDERR redirection to a socket; this is the final stage root shell payload.
- The exploit was tested specifically against ASG versions 7.500 and 7.506; other version 7.x builds may also be vulnerable but were not confirmed.
- The exploit requires the attacker to be reachable from the ASG appliance on ports 80, 443, and optionally 4444 for the multi-stage callback chain to succeed.
- The first POST uses port 81 to clear the backend cache before the actual exploitation request on port 80; both requests to /index.plx are required for reliable exploitation.
CVSS provenance
- NVD, CVSS v3.0: 9.8 CRITICAL, vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD, CVSS v2.0: 10.0 CRITICAL, vector AV:N/AC:L/Au:N/C:C/I:C/A:C
No detection rules found.
No writeups or analysis indexed.