Aperçu
Sophos Web Appliance versions prior to 4.3.10.4 contain a command injection vulnerability in the warn-proceed handler that allows unauthenticated attackers to execute arbitrary commands. The vulnerability is caused by insufficient input sanitization and can be exploited remotely without requiring authentication. La vulnérabilité a été divulguée le April 4, 2023. CISA a identifié CVE-2023-1671 comme étant exploitée mais n'est pas actuellement connue pour être utilisée dans des campagnes de rançongiciel.
Détails techniques
The warn-proceed handler in Sophos Web Appliance fails to properly sanitize user-supplied input before passing it to system command execution functions. This allows attackers to inject arbitrary commands that are executed with the privileges of the web appliance process. The vulnerability exists in a pre-authentication code path, meaning no valid credentials are required to exploit it.
La vulnérabilité est classifiée comme CWE-78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')) etCWE-94 (Improper Control of Generation of Code ('Code Injection')) .
La vulnérabilité a reçu un score de base CVSS v3.1 de 9.8 (CRITICAL) avec la chaîne vectorielle CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, indiquant sa nature critical.
Impact
Successful exploitation allows unauthenticated remote attackers to execute arbitrary commands on the Sophos Web Appliance with the privileges of the application process. This can lead to complete compromise of the appliance, including unauthorized access to protected networks, modification of security policies, data exfiltration, and denial of service. Since this is a network appliance positioned at the perimeter, compromise could grant attackers access to internal network resources.
Mitigation et contournements
Upgrade Sophos Web Appliance to version 4.3.10.4 or later. Apply the security patch immediately as this is a critical pre-authentication remote code execution vulnerability. Sophos recommends prioritizing this update due to active exploitation in the wild. Les versions suivantes incluent les correctifs nécessaires : 4.3.10.4 and later.
Comme contournements temporaires : restrict network access to the sophos web appliance management interface using firewall rules or network segmentation. limit access to trusted administrator networks only.; disable the warn-proceed handler if it is not essential for your deployment configuration, if possible through administrative settings., et implement intrusion detection/prevention signatures to block exploitation attempts targeting the warn-proceed endpoint..
Recommandation de CISA : Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Ressources additionnelles
Source : Ce rapport a été généré par IA
