Overview
Sophos Web Appliance (SWA) versions prior to 4.3.10.4 contain a pre-authentication command injection vulnerability in the warn-proceed handler that allows a remote, unauthenticated attacker to execute arbitrary commands on the appliance. The root cause is insufficient sanitization of user-supplied input before it is passed to an OS command. Sophos disclosed the issue on April 4, 2023. CISA lists CVE-2023-1671 in its Known Exploited Vulnerabilities catalog; the catalog entry does not currently associate it with ransomware campaigns.
Technical details
The warn-proceed handler in Sophos Web Appliance fails to sanitize user-supplied request input before passing it to system command execution functions. An attacker who can reach the appliance's web interface can therefore inject shell metacharacters and have additional commands executed with the privileges of the web application process. The vulnerable code path is reachable before authentication, so no valid credentials are required.
The vulnerability is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')) and CWE-94 (Improper Control of Generation of Code ('Code Injection')).
The vulnerability has a CVSS v3.1 base score of 9.8 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: network-reachable, low complexity, no privileges or user interaction, and full loss of confidentiality, integrity and availability. Note that a changed-scope vector (S:C) with the same impact metrics would compute to 10.0, so the 9.8 score implies unchanged scope.
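To make the CWE-78 pattern described above concrete, the following added example (not Sophos code, and not derived from the appliance's source) contrasts a handler that splices a request parameter into a shell command string with two fixed variants: shell quoting where a shell cannot be avoided, and an argv list with allowlist validation, which is the preferred fix. The parameter name "reason" and the echo command are illustrative placeholders.

```python
import re
import shlex
import subprocess

# Allowlist for the hypothetical "reason" request parameter: short, alphanumeric,
# no shell metacharacters. Hypothetical, chosen for illustration only.
REASON_ALLOWED = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def run_vulnerable(reason: str) -> str:
    """CWE-78 pattern: untrusted input spliced into a shell command string.
    A ';' in the input terminates the intended command and starts another."""
    cmd = f"echo reason={reason}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_quoted(reason: str) -> str:
    """Partial fix: if a shell is unavoidable, shlex.quote() wraps the value so
    the shell treats every metacharacter as a literal character."""
    cmd = f"echo reason={shlex.quote(reason)}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def accepts(reason: str) -> bool:
    """Allowlist check used by the hardened variant."""
    return REASON_ALLOWED.fullmatch(reason) is not None


def run_hardened(reason: str) -> str:
    """Preferred fix: validate against an allowlist, then pass an argv list with
    shell=False so no shell ever parses the value."""
    if not accepts(reason):
        raise ValueError("rejected reason parameter")
    return subprocess.run(["echo", f"reason={reason}"],
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    payload = "x; echo INJECTED"  # constructed injection payload
    print("vulnerable:", repr(run_vulnerable(payload)))  # second command runs
    print("quoted:    ", repr(run_quoted(payload)))      # payload echoed as text
    print("hardened:  ", repr(run_hardened("policy")))   # clean value passes
    print("hardened rejects payload:", not accepts(payload))
```

The quoted variant neutralizes the injection but still depends on every call site remembering to quote; the argv form removes the shell from the data path entirely, which is why it is the fix to prefer when reviewing code of this kind.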
Impact
Successful exploitation allows an unauthenticated remote attacker to execute arbitrary commands on the Sophos Web Appliance with the privileges of the web application process. From there an attacker can work towards full compromise of the appliance: reading or altering web filtering policy, intercepting or exfiltrating the user traffic the appliance inspects, disabling the service, and using the device as a foothold. Because the appliance sits inline between users and the internet, a compromised unit can also give the attacker a vantage point into internal network resources.
Mitigation and workarounds
Upgrade Sophos Web Appliance to version 4.3.10.4 or later; this is a critical pre-authentication remote code execution flaw that CISA lists as exploited, so the update should be prioritized. Note that Sophos Web Appliance reached end of life on July 20, 2023, so no further security fixes should be expected for the product.
Until the update can be applied, the following reduce exposure:
- Restrict network access to the appliance's web interface with firewall rules or network segmentation, so that only trusted administrator networks and the user networks that must traverse the proxy can reach it; the vulnerable handler must not be reachable from the internet.
- Disable the warn-proceed handler through the administrative settings if the deployment does not rely on it.
- Deploy intrusion detection/prevention signatures that flag or block requests to the warn-proceed endpoint containing shell metacharacters, and review existing web server logs for such requests.
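As an added example of the detection signature suggested above (not Sophos code, and not based on any published indicator), the script below scans combined-format web access logs for requests to the warn-proceed endpoint whose query parameters carry shell metacharacters after percent-decoding. The path /warn-proceed, the parameter names, and the log lines are constructed placeholders; the real handler URL must be taken from your own appliance logs or vendor documentation and substituted for ASSUMED_ENDPOINT_RE.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Combined/common log format prefix; the request target is captured raw
# (still percent-encoded) and decoded later by parse_qsl.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Shell metacharacters that have no legitimate place in a warn/proceed parameter.
SHELL_META = re.compile(r'[;|&`<>]|\$\(|\$\{|\r|\n')

# ASSUMED endpoint path, for illustration only. Replace with the real handler
# URL observed in your appliance's logs.
ASSUMED_ENDPOINT_RE = re.compile(r'^/warn-proceed\b')


def suspicious_params(target: str, endpoint_re=ASSUMED_ENDPOINT_RE):
    """Return the names of query parameters carrying shell metacharacters, but
    only for requests whose path matches the watched endpoint. parse_qsl
    percent-decodes values, so %3B is inspected as ';' and %7C as '|'."""
    parts = urlsplit(target)
    if not endpoint_re.search(parts.path):
        return []
    return [name for name, value in parse_qsl(parts.query, keep_blank_values=True)
            if SHELL_META.search(value)]


def scan_log(log_text: str, endpoint_re=ASSUMED_ENDPOINT_RE):
    """Return (client_ip, method, raw_target, [parameter names]) for every
    request that looks like a command injection attempt on the endpoint."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in the expected format
        hits = suspicious_params(m["target"], endpoint_re)
        if hits:
            alerts.append((m["ip"], m["method"], m["target"], hits))
    return alerts


# Constructed sample log lines, not real appliance output. Line 1 is a benign
# warn/proceed; line 2 carries ';' and '>' inside the reason parameter; line 3
# has a backtick but targets an unrelated path and is not reported.
SAMPLE_LOG = """\
198.51.100.4 - - [10/Apr/2023:09:12:01 +0000] "GET /warn-proceed?reason=policy&url=http%3A%2F%2Fexample.com HTTP/1.1" 200 512
203.0.113.7 - - [10/Apr/2023:09:12:09 +0000] "GET /warn-proceed?reason=x%3Bid%3E%2Ftmp%2Fo&url=http%3A%2F%2Fexample.com HTTP/1.1" 200 88
203.0.113.7 - - [10/Apr/2023:09:12:15 +0000] "GET /login?user=a%60id%60 HTTP/1.1" 302 0
"""

if __name__ == "__main__":
    for ip, method, target, params in scan_log(SAMPLE_LOG):
        print(f"ALERT {ip} {method} {target} suspicious params={params}")
```

Two caveats for anyone deploying this: access logs record the query string but not POST bodies, so a payload delivered in a form body is invisible to this check and needs an inline IPS or WAF rule on the same pattern; and a match on the path alone after the patch date is still worth noting as reconnaissance against a known-exploited endpoint.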
CISA's recommendation: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Additional resources
Source: This report was generated using AI

