A critical-severity remote code execution vulnerability with a CVSS 3.x base score of 9.8 was discovered in Sophos SG UTM. Sophos reported the vulnerability on September 18, 2020, in its advisory. It was found by an external security researcher through the company's bug bounty program. According to the advisory, there was no evidence of the vulnerability being exploited at the time the advisory was released.
- CVE-2020-25223: A remote code execution vulnerability exists in WebAdmin of Sophos SG UTM
The vulnerability lies in the WebAdmin component of Sophos SG UTM. It can be triggered by sending an HTTP request to a device running a vulnerable version of the software, which lacks proper input validation. As a result, an attacker can achieve unauthenticated remote code execution as the root user on the Sophos UTM appliance.
How does this attack work?
The researcher who found the issue explained in his write-up that most of the incoming web traffic is handled by the webadmin.plx endpoint, a Perl script. When an HTTP POST request arrives, the SID (session identifier) from the request is sent to confd, a back-end service, which checks whether it is a valid session identifier. confd attempts to read the SID from its sessions directory (/var/confd/var/sessions): after passing through a couple of subroutines, the SID is used as the second argument to Perl's open() function, i.e. as a file name. In Perl, the open() function has to be handled very carefully when user-supplied data is passed as its second argument, because in the two-argument form that argument is interpreted as more than a plain file name. You can learn more about this in Perl's documentation.
In this case, the SID value becomes the second argument to open(), so commands placed in the SID are interpreted by open(). Under normal circumstances a regex check replaces a malformed SID with 0 before the request reaches webadmin.plx. That check is bypassed by using the rewrite rule RewriteRule ^/var /webadmin.plx: sending an HTTP request to /var is equivalent to sending it to webadmin.plx, but the request is not subjected to the regex check. By replacing the SID in the HTTP request with a command such as touch /tmp/pwned, the command is executed. This is how the attack can be carried out.
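The root cause described above is a general Perl pitfall: the two-argument form of open() treats its argument as more than a file name, so a caller-controlled string must never reach it. The following is an added example, not Sophos code and not the researcher's code, showing the defensive pattern: validate the session identifier against a strict allowlist, then use the three-argument form of open() with an explicit read-only mode so the value can only ever be treated as a file name. The session directory (a temporary directory), the 32-character hex SID format and the sample inputs are assumptions constructed for illustration; the page only states that confd reads sessions from /var/confd/var/sessions.

```perl
#!/usr/bin/perl
# Added example (not Sophos code): loading a session record by a
# client-supplied session identifier without letting the identifier
# reach the 2-argument form of open().
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);

# Assumed session store; a temp dir so the example runs anywhere.
my $SESSION_DIR = tempdir(CLEANUP => 1);

# Strict allowlist: a session identifier is ASSUMED to be exactly 32
# lowercase hex characters.  Anything else (pipes, spaces, "..", shell
# metacharacters) is rejected before any file system call sees it.
sub validate_sid {
    my ($sid) = @_;
    return unless defined $sid;
    return unless $sid =~ /\A[0-9a-f]{32}\z/;
    return $sid;
}

# UNSAFE pattern (the bug class the page describes): the 2-argument
# open() interprets special characters in its argument, so a
# caller-controlled string must never be used this way.  Kept as a
# comment only; do not use.
#   open(my $fh, "$SESSION_DIR/$sid") or die;

# Hardened: validate first, then 3-argument open with an explicit mode,
# so the path is only ever treated as a file name to read from.
sub read_session {
    my ($raw_sid) = @_;
    my $sid = validate_sid($raw_sid)
        or return (undef, 'invalid session identifier');
    my $path = File::Spec->catfile($SESSION_DIR, $sid);
    open(my $fh, '<', $path)
        or return (undef, 'no such session');
    local $/;                 # slurp the whole record
    my $data = <$fh>;
    close $fh;
    return ($data, undef);
}

# Demonstration with constructed data: one valid session on disk, then a
# mix of well-formed and malformed identifiers.
my $good_sid = 'a' x 32;
open(my $out, '>', File::Spec->catfile($SESSION_DIR, $good_sid)) or die $!;
print $out "user=alice\n";
close $out;

for my $candidate ($good_sid, 'b' x 32, 'some command|', '../etc/passwd', 'A' x 32) {
    my ($data, $err) = read_session($candidate);
    printf "%-32s -> %s\n", $candidate,
        defined $err ? "rejected: $err" : "ok: $data";
}
```

Only the identifier that matches the allowlist and exists on disk is read; the well-formed but unknown identifier fails at open() with a plain "no such session", and every malformed value is refused by validate_sid() before a path is even built. The allowlist regex is the important part: the three-argument open() prevents command interpretation, but a path traversal in the identifier would still be a file name unless the format check rejects it.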
Affected versions are Sophos SG UTM releases before v9.705 MR5, v9.607 MR7 and v9.511 MR11.
The advisory also describes a workaround for users who cannot currently deploy the fixed version: keep Internal, or another internal-only network definition, as the sole entry in Management->WebAdmin Settings->WebAdmin Access Configuration->Allowed Networks.
A fix for this vulnerability has been released in versions v9.705 MR5, v9.607 MR7 and v9.511 MR11, and in later releases. Users running vulnerable versions of Sophos SG UTM are advised to update to the latest available release.